Play interactive tour

Edit tour

Windows Analysis Report DRAFT BL-DOCS-20211510-VP-KMC022021.scr

Overview

General Information

Sample Name:	DRAFT BL-DOCS-20211510-VP-KMC022021.scr (renamed file extension from scr to exe)
Analysis ID:	508138
MD5:	bc87c171c5e5c075ebcb336ca4518452
SHA1:	29854b8268bb99a6f26df87229107fcfbf815d87
SHA256:	bb08e42bfb63552a1af7ab0e24bb040c9f2854f2521fda176e80c80dd17beec7
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Sigma detected: Powershell Defender Exclusion

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

DRAFT BL-DOCS-20211510-VP-KMC022021.exe (PID: 6544 cmdline: 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe' MD5: BC87C171C5E5C075EBCB336CA4518452)

powershell.exe (PID: 956 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5540 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vlzcRkmDiOmdD' /XML 'C:\Users\user\AppData\Local\Temp\tmpE11E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 2600 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)

schtasks.exe (PID: 7064 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp719C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 7124 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp767F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 2296 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 1972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 6456 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 1256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 7024 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 3416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "75237636-ccfc-402a-827d-5ad01371", "Group": "Default", "Domain1": "185.140.53.75", "Domain2": "", "Port": 97, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.598709424.0000000005D20000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000007.00000002.598709424.0000000005D20000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10815:$x1: NanoCore.ClientPluginHost 0x10852:$x2: IClientNetworkHost 0x14385:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1057d:$a: NanoCore 0x1058d:$a: NanoCore 0x107c1:$a: NanoCore 0x107d5:$a: NanoCore 0x10815:$a: NanoCore 0x105dc:$b: ClientPlugin 0x107de:$b: ClientPlugin 0x1081e:$b: ClientPlugin 0x10703:$c: ProjectData 0x1110a:$d: DESCrypto 0x18ad6:$e: KeepAlive 0x16ac4:$g: LogClientMessage 0x12cbf:$i: get_Connected 0x11440:$j: #=q 0x11470:$j: #=q 0x1148c:$j: #=q 0x114bc:$j: #=q 0x114d8:$j: #=q 0x114f4:$j: #=q 0x11524:$j: #=q 0x11540:$j: #=q
00000000.00000002.334888957.0000000002C31000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3a55:$a: NanoCore 0x3aae:$a: NanoCore 0x3aeb:$a: NanoCore 0x3b64:$a: NanoCore 0x1720f:$a: NanoCore 0x17224:$a: NanoCore 0x17259:$a: NanoCore 0x301e3:$a: NanoCore 0x301f8:$a: NanoCore 0x3022d:$a: NanoCore 0x3ab7:$b: ClientPlugin 0x3af4:$b: ClientPlugin 0x43f2:$b: ClientPlugin 0x43ff:$b: ClientPlugin 0x16fcb:$b: ClientPlugin 0x16fe6:$b: ClientPlugin 0x17016:$b: ClientPlugin 0x1722d:$b: ClientPlugin 0x17262:$b: ClientPlugin 0x2ff9f:$b: ClientPlugin 0x2ffba:$b: ClientPlugin
00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16cd2d:$x1: NanoCore.ClientPluginHost 0x16cd6a:$x2: IClientNetworkHost 0x17089d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x16ca95:$a: NanoCore 0x16caa5:$a: NanoCore 0x16ccd9:$a: NanoCore 0x16cced:$a: NanoCore 0x16cd2d:$a: NanoCore 0x16caf4:$b: ClientPlugin 0x16ccf6:$b: ClientPlugin 0x16cd36:$b: ClientPlugin 0x3493d:$c: ProjectData 0x8875d:$c: ProjectData 0x16cc1b:$c: ProjectData 0x16d622:$d: DESCrypto 0x174fee:$e: KeepAlive 0x172fdc:$g: LogClientMessage 0x16f1d7:$i: get_Connected 0x16d958:$j: #=q 0x16d988:$j: #=q 0x16d9a4:$j: #=q 0x16d9d4:$j: #=q 0x16d9f0:$j: #=q 0x16da0c:$j: #=q
00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.334779670.0000000002B81000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x273ec:$x1: NanoCore.ClientPluginHost 0x27429:$x2: IClientNetworkHost 0x2a812:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x354a1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x53413:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x27191:$a: NanoCore 0x271a1:$a: NanoCore 0x271fc:$a: NanoCore 0x2720b:$a: NanoCore 0x27398:$a: NanoCore 0x273ac:$a: NanoCore 0x273ec:$a: NanoCore 0x31b0b:$a: NanoCore 0x31b1d:$a: NanoCore 0x31b59:$a: NanoCore 0x4fa7d:$a: NanoCore 0x4fa8f:$a: NanoCore 0x4facb:$a: NanoCore 0x271b5:$b: ClientPlugin 0x27255:$b: ClientPlugin 0x273b5:$b: ClientPlugin 0x273f5:$b: ClientPlugin 0x31b26:$b: ClientPlugin 0x31b62:$b: ClientPlugin 0x4fa98:$b: ClientPlugin 0x4fad4:$b: ClientPlugin
Process Memory Space: RegSvcs.exe PID: 2600	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10812:$x1: NanoCore.ClientPluginHost 0x1084f:$x2: IClientNetworkHost 0x14324:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1f3aa:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 2600	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2600	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x104e8:$a: NanoCore 0x104f8:$a: NanoCore 0x105b7:$a: NanoCore 0x105c6:$a: NanoCore 0x107be:$a: NanoCore 0x107d2:$a: NanoCore 0x10812:$a: NanoCore 0x1ba14:$a: NanoCore 0x1ba26:$a: NanoCore 0x1ba62:$a: NanoCore 0x269fc:$a: NanoCore 0x26c7c:$a: NanoCore 0x26ccf:$a: NanoCore 0x26d08:$a: NanoCore 0x26d7b:$a: NanoCore 0x356f3:$a: NanoCore 0x35706:$a: NanoCore 0x35738:$a: NanoCore 0x3b3e9:$a: NanoCore 0x3b3fc:$a: NanoCore 0x3b42e:$a: NanoCore
Click to see the 20 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.5d20000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5d20000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5fb0000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5fb0000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5fb0000.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.43feaac.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28781:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287ae:$x2: IClientNetworkHost
7.2.RegSvcs.exe.43feaac.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28781:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2985c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2879b:$s5: IClientLoggingHost
7.2.RegSvcs.exe.43feaac.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.5fb0000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5fb0000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5fb0000.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.RegSvcs.exe.44030d5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24158:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x24185:$x2: IClientNetworkHost
7.2.RegSvcs.exe.44030d5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24158:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25233:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24172:$s5: IClientLoggingHost
7.2.RegSvcs.exe.44030d5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.2b867fc.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.RegSvcs.exe.43feaac.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.43feaac.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.43feaac.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.5fb4629.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5fb4629.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5fb4629.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.33c16e0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.RegSvcs.exe.33c16e0.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.RegSvcs.exe.43f9c76.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5b7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5e4:$x2: IClientNetworkHost
7.2.RegSvcs.exe.43f9c76.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5b7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e692:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5d1:$s5: IClientLoggingHost
7.2.RegSvcs.exe.43f9c76.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.43f9c76.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d56d:$a: NanoCore 0x2d582:$a: NanoCore 0x2d5b7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d329:$b: ClientPlugin 0x2d344:$b: ClientPlugin
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfc43d:$x1: NanoCore.ClientPluginHost 0xfc47a:$x2: IClientNetworkHost 0xfffad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfc1a5:$a: NanoCore 0xfc1b5:$a: NanoCore 0xfc3e9:$a: NanoCore 0xfc3fd:$a: NanoCore 0xfc43d:$a: NanoCore 0xfc204:$b: ClientPlugin 0xfc406:$b: ClientPlugin 0xfc446:$b: ClientPlugin 0x17e6d:$c: ProjectData 0xfc32b:$c: ProjectData 0xfcd32:$d: DESCrypto 0x1046fe:$e: KeepAlive 0x1026ec:$g: LogClientMessage 0xfe8e7:$i: get_Connected 0xfd068:$j: #=q 0xfd098:$j: #=q 0xfd0b4:$j: #=q 0xfd0e4:$j: #=q 0xfd100:$j: #=q 0xfd11c:$j: #=q 0xfd14c:$j: #=q
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15025d:$x1: NanoCore.ClientPluginHost 0x15029a:$x2: IClientNetworkHost 0x153dcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14ffc5:$a: NanoCore 0x14ffd5:$a: NanoCore 0x150209:$a: NanoCore 0x15021d:$a: NanoCore 0x15025d:$a: NanoCore 0x150024:$b: ClientPlugin 0x150226:$b: ClientPlugin 0x150266:$b: ClientPlugin 0x17e6d:$c: ProjectData 0x6bc8d:$c: ProjectData 0x15014b:$c: ProjectData 0x150b52:$d: DESCrypto 0x15851e:$e: KeepAlive 0x15650c:$g: LogClientMessage 0x152707:$i: get_Connected 0x150e88:$j: #=q 0x150eb8:$j: #=q 0x150ed4:$j: #=q 0x150f04:$j: #=q 0x150f20:$j: #=q 0x150f3c:$j: #=q
Click to see the 40 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe' , ParentImage: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe, ParentProcessId: 6544, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600

Sigma detected: Powershell Defender Exclusion

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe' , ParentImage: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe, ParentProcessId: 6544, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe', ProcessId: 956

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe' , ParentImage: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe, ParentProcessId: 6544, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe' , ParentImage: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe, ParentProcessId: 6544, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe', ProcessId: 956

Sigma detected: T1086 PowerShell Execution

Show sources

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132795235180478149.956.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "75237636-ccfc-402a-827d-5ad01371", "Group": "Default", "Domain1": "185.140.53.75", "Domain2": "", "Port": 97, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Show sources

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Virustotal: Detection: 55%	Perma Link
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Metadefender: Detection: 37%	Perma Link
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	ReversingLabs: Detection: 57%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\vlzcRkmDiOmdD.exe	Metadefender: Detection: 37%			Perma Link
Source: C:\Users\user\AppData\Roaming\vlzcRkmDiOmdD.exe	ReversingLabs: Detection: 57%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 7.2.RegSvcs.exe.5fb0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43feaac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5fb0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44030d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43feaac.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5fb4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43f9c76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2600, type: MEMORYSTR

Source: 7.2.RegSvcs.exe.5fb0000.7.unpack	Avira: Label: TR/NanoCore.fadte
Source: 7.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.7.dr

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: 185.140.53.75

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: global traffic

TCP traffic: 192.168.2.6:49756 -> 185.140.53.75:97

Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.75

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000002.335813403.0000000004F30000.00000004.00020000.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	String found in binary or memory: https://bruhov.com/WinThumbsPreloader
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	String found in binary or memory: https://bruhov.com/WinThumbsPreloader%WinThumbsPreloader
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	String found in binary or memory: https://github.com/bruhov/WinThumbsPreloader

Source: RegSvcs.exe, 00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 7.2.RegSvcs.exe.5fb0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43feaac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5fb0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44030d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43feaac.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5fb4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43f9c76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2600, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 7.2.RegSvcs.exe.5d20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5fb0000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.43feaac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5fb0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.44030d5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.43feaac.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5fb4629.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.33c16e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.43f9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.43f9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.598709424.0000000005D20000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2600, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 2600, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 7.2.RegSvcs.exe.5d20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5d20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5fb0000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5fb0000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.43feaac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.43feaac.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5fb0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5fb0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.44030d5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.44030d5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.43feaac.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.43feaac.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5fb4629.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5fb4629.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.33c16e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.33c16e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.43f9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.43f9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.43f9c76.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.598709424.0000000005D20000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.598709424.0000000005D20000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2600, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 2600, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_04DA82D8	0_2_04DA82D8
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_04DA0358	0_2_04DA0358
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_04DA2CB0	0_2_04DA2CB0
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_04DA2CA0	0_2_04DA2CA0
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_04DA3D0F	0_2_04DA3D0F
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_04DA2A58	0_2_04DA2A58
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_04DA2A68	0_2_04DA2A68
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_04DA7796	0_2_04DA7796
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_04DA0349	0_2_04DA0349
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02FDB2A8	7_2_02FDB2A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02FD2FA8	7_2_02FD2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02FD23A0	7_2_02FD23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02FD3850	7_2_02FD3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02FD89D8	7_2_02FD89D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02FD969F	7_2_02FD969F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02FD306F	7_2_02FD306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02FD95D8	7_2_02FD95D8

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_05530666 NtQuerySystemInformation,	0_2_05530666
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_05530635 NtQuerySystemInformation,	0_2_05530635
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_030416DA NtQuerySystemInformation,	7_2_030416DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_0304169F NtQuerySystemInformation,	7_2_0304169F

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000000.325232737.00000000005D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameLazyHelpe.exeF vs DRAFT BL-DOCS-20211510-VP-KMC022021.exe
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000002.336112693.0000000005390000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs DRAFT BL-DOCS-20211510-VP-KMC022021.exe
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Binary or memory string: OriginalFilenameLazyHelpe.exeF vs DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vlzcRkmDiOmdD.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Virustotal: Detection: 55%
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Metadefender: Detection: 37%
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

File read: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Jump to behavior

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe'
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vlzcRkmDiOmdD' /XML 'C:\Users\user\AppData\Local\Temp\tmpE11E.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp719C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp767F.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vlzcRkmDiOmdD' /XML 'C:\Users\user\AppData\Local\Temp\tmpE11E.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp719C.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp767F.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_05530436 AdjustTokenPrivileges,	0_2_05530436
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_055303FF AdjustTokenPrivileges,	0_2_055303FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_0304149A AdjustTokenPrivileges,	7_2_0304149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_03041463 AdjustTokenPrivileges,	7_2_03041463

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

File created: C:\Users\user\AppData\Roaming\vlzcRkmDiOmdD.exe

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE11E.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@21/18@0/1

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.scr

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{75237636-ccfc-402a-827d-5ad01371659e}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2384:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3416:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1256:120:WilError_01
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Mutant created: \Sessions\1\BaseNamedObjects\uNKNxULnS
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1972:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.7.dr

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, AboutForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: vlzcRkmDiOmdD.exe.0.dr, AboutForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.570000.0.unpack, AboutForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.570000.0.unpack, AboutForm.cs	.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_005761D1 push es; ret	0_2_00576244
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_0057616F push es; ret	0_2_005761A8
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Code function: 0_2_026974D0 push ebp; ret	0_2_026974D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 12_2_02DB0638 pushad ; ret	12_2_02DB0639

Source: initial sample	Static PE information: section name: .text entropy: 7.89920675727
Source: initial sample	Static PE information: section name: .text entropy: 7.89920675727

Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	File created: C:\Users\user\AppData\Roaming\vlzcRkmDiOmdD.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vlzcRkmDiOmdD' /XML 'C:\Users\user\AppData\Local\Temp\tmpE11E.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.2b867fc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.334888957.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.334779670.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000002.334888957.0000000002C31000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000002.334888957.0000000002C31000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe TID: 6564	Thread sleep time: -31312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe TID: 4280	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7008	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6756	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5285	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3380	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Window / User API: foregroundWindowGot 874	Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 7_2_030411C2 GetSystemInfo,

7_2_030411C2

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Thread delayed: delay time: 31312	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000002.334888957.0000000002C31000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000002.334888957.0000000002C31000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000002.334888957.0000000002C31000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000007.00000002.595114779.00000000013C3000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlllM
Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000002.334888957.0000000002C31000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: ED3008	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Adds a directory exclusion to Windows Defender

Show sources

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe'
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe'			Jump to behavior

Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vlzcRkmDiOmdD' /XML 'C:\Users\user\AppData\Local\Temp\tmpE11E.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp719C.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp767F.tmp'	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.594951531.0000000001372000.00000004.00000020.sdmp	Binary or memory string: Program ManagerH
Source: RegSvcs.exe, 00000007.00000002.595114779.00000000013C3000.00000004.00000020.sdmp	Binary or memory string: GrProgram Manager
Source: RegSvcs.exe, 00000007.00000002.595114779.00000000013C3000.00000004.00000020.sdmp	Binary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exegSvcs.exe
Source: RegSvcs.exe, 00000007.00000002.596198376.0000000003472000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000007.00000002.595527437.0000000001AC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000007.00000002.595527437.0000000001AC0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000007.00000002.595527437.0000000001AC0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: RegSvcs.exe, 00000007.00000002.595527437.0000000001AC0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 7.2.RegSvcs.exe.5fb0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43feaac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5fb0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44030d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43feaac.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5fb4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43f9c76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2600, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000007.00000002.598709424.0000000005D20000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 7.2.RegSvcs.exe.5fb0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43feaac.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5fb0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44030d5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3e0eba0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43feaac.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5fb4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.43f9c76.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3d228f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DRAFT BL-DOCS-20211510-VP-KMC022021.exe.3ccead0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2600, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_0304292E bind,		7_2_0304292E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_030428FB bind,		7_2_030428FB

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	Input Capture11	Query Registry1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection312	Disable or Modify Tools11	LSASS Memory	Security Software Discovery21	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Virtualization/Sandbox Evasion21	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Virtualization/Sandbox Evasion21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection312	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information2	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing13	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DRAFT BL-DOCS-20211510-VP-KMC022021.exe	56%	Virustotal		Browse
DRAFT BL-DOCS-20211510-VP-KMC022021.exe	37%	Metadefender		Browse
DRAFT BL-DOCS-20211510-VP-KMC022021.exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\vlzcRkmDiOmdD.exe	37%	Metadefender		Browse
C:\Users\user\AppData\Roaming\vlzcRkmDiOmdD.exe	57%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.RegSvcs.exe.5fb0000.7.unpack	100%	Avira	TR/NanoCore.fadte		Download File
7.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
	0%	Avira URL Cloud	safe
185.140.53.75	1%	Virustotal		Browse
185.140.53.75	0%	Avira URL Cloud	safe
https://bruhov.com/WinThumbsPreloader%WinThumbsPreloader	0%	Avira URL Cloud	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
https://bruhov.com/WinThumbsPreloader	0%	Virustotal		Browse
https://bruhov.com/WinThumbsPreloader	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
185.140.53.75	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/bruhov/WinThumbsPreloader	DRAFT BL-DOCS-20211510-VP-KMC022021.exe	false		high
https://bruhov.com/WinThumbsPreloader%WinThumbsPreloader	DRAFT BL-DOCS-20211510-VP-KMC022021.exe	false	Avira URL Cloud: safe	unknown
http://www.collada.org/2005/11/COLLADASchema9Done	DRAFT BL-DOCS-20211510-VP-KMC022021.exe, 00000000.00000002.335813403.0000000004F30000.00000004.00020000.sdmp	false	URL Reputation: safe	unknown
https://bruhov.com/WinThumbsPreloader	DRAFT BL-DOCS-20211510-VP-KMC022021.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.75	unknown	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	508138
Start date:	23.10.2021
Start time:	21:31:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DRAFT BL-DOCS-20211510-VP-KMC022021.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@21/18@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.1% (good quality ratio 1.9%) Quality average: 39.1% Quality standard deviation: 35.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 448 Number of non-executed functions: 7
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 173.222.108.226, 173.222.108.210, 40.91.112.76, 40.112.88.60, 20.54.110.249, 80.67.82.211, 80.67.82.235, 23.211.4.86 Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:31:57	API Interceptor	1x Sleep call for process: DRAFT BL-DOCS-20211510-VP-KMC022021.exe modified
21:32:00	API Interceptor	33x Sleep call for process: powershell.exe modified
21:32:02	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
21:32:03	API Interceptor	922x Sleep call for process: RegSvcs.exe modified
21:32:05	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
21:32:05	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.140.53.75	tEdxwnE4lw.exe	Get hash	malicious	Browse
185.140.53.75	invo.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	H1GC5Z4C39PAYMENTRECEIPT.exe	Get hash	malicious	Browse	185.140.53.3
	DHL_119040 documento de recibo de la compra,pdf.exe	Get hash	malicious	Browse	185.244.30.22
	ValorantLogin.exe	Get hash	malicious	Browse	185.140.53.3
	PI-23456776544567.exe	Get hash	malicious	Browse	91.193.75.132
	DHL_119040 receipt document,pdf.exe	Get hash	malicious	Browse	185.244.30.22
	PI20200206AP,pdf.exe	Get hash	malicious	Browse	185.140.53.137
	0438,pdf.exe	Get hash	malicious	Browse	185.140.53.136
	DHL_119040 al#U0131#U015f irsaliyesi belgesi,pdf.exe	Get hash	malicious	Browse	185.244.30.22
	Scan_Documentsfile00384740599HFH4.exe	Get hash	malicious	Browse	185.140.53.230
	wBM4H0fahl.exe	Get hash	malicious	Browse	185.140.53.199
	DHL_102021 al#U0131#U015f irsaliyesi belgesi,pdf.exe	Get hash	malicious	Browse	185.140.53.136
	DHL_102021#U6587#U4ef6#U91cd#U65b0#U6458#U8981,pdf.exe	Get hash	malicious	Browse	185.140.53.136
	2jGcHzqrog.exe	Get hash	malicious	Browse	185.140.53.189
	tEdxwnE4lw.exe	Get hash	malicious	Browse	185.140.53.75
	0438,pdf.exe	Get hash	malicious	Browse	185.140.53.136
	DHL_119040 kvitteringsdokument,pdf.exe	Get hash	malicious	Browse	185.140.53.136
	DHL_119040 #U0631#U0633#U06cc#U062f ,pdf.#U062f#U0633#U062a#U0627#U0648#U06cc#U0632.exe	Get hash	malicious	Browse	185.140.53.136
	Documento lettera di vettura Dhl,pdf.exe	Get hash	malicious	Browse	185.140.53.5
	dokumendi sissetuleku DHL_119040,pdf.exe	Get hash	malicious	Browse	185.140.53.136
	Oxqfxohrjqryauuonybvsdergonzrywtkp.exe	Get hash	malicious	Browse	185.244.30.7

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	b2ZeLApyX2.exe	Get hash	malicious	Browse
	YKr3m9a7C3.exe	Get hash	malicious	Browse
	tEdxwnE4lw.exe	Get hash	malicious	Browse
	87R65JT93I.exe	Get hash	malicious	Browse
	invo.exe	Get hash	malicious	Browse
	U5s97oQj9A.exe	Get hash	malicious	Browse
	hAmgDpjdg5.exe	Get hash	malicious	Browse
	PO00174Quotations.exe	Get hash	malicious	Browse
	mNgTZMYBA8.exe	Get hash	malicious	Browse
	xvE67cxGKh.exe	Get hash	malicious	Browse
	C9UKyFaVBg.exe	Get hash	malicious	Browse
	IzopQnj0od.exe	Get hash	malicious	Browse
	khmU580OCp.exe	Get hash	malicious	Browse
	eKLFu9iX5X.exe	Get hash	malicious	Browse
	HXMhjytc4v.exe	Get hash	malicious	Browse
	ID3xMSKdE5.exe	Get hash	malicious	Browse
	bzPdZR1ZMh.exe	Get hash	malicious	Browse
	IyAJkrCCbT.exe	Get hash	malicious	Browse
	V672IT45op.exe	Get hash	malicious	Browse
	268d27dALu.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: b2ZeLApyX2.exe, Detection: malicious, Browse Filename: YKr3m9a7C3.exe, Detection: malicious, Browse Filename: tEdxwnE4lw.exe, Detection: malicious, Browse Filename: 87R65JT93I.exe, Detection: malicious, Browse Filename: invo.exe, Detection: malicious, Browse Filename: U5s97oQj9A.exe, Detection: malicious, Browse Filename: hAmgDpjdg5.exe, Detection: malicious, Browse Filename: PO00174Quotations.exe, Detection: malicious, Browse Filename: mNgTZMYBA8.exe, Detection: malicious, Browse Filename: xvE67cxGKh.exe, Detection: malicious, Browse Filename: C9UKyFaVBg.exe, Detection: malicious, Browse Filename: IzopQnj0od.exe, Detection: malicious, Browse Filename: khmU580OCp.exe, Detection: malicious, Browse Filename: eKLFu9iX5X.exe, Detection: malicious, Browse Filename: HXMhjytc4v.exe, Detection: malicious, Browse Filename: ID3xMSKdE5.exe, Detection: malicious, Browse Filename: bzPdZR1ZMh.exe, Detection: malicious, Browse Filename: IyAJkrCCbT.exe, Detection: malicious, Browse Filename: V672IT45op.exe, Detection: malicious, Browse Filename: 268d27dALu.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\DRAFT BL-DOCS-20211510-VP-KMC022021.exe.log Download File
Process:	C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	20528
Entropy (8bit):	5.576722720203307
Encrypted:	false
SSDEEP:	384:ZtAD67boWp0PRISBKnIjultI2bTY9gtSJ3xuT1Ma7ZlXzxCldM:HPp4KIClt5ftcMCKfjP
MD5:	39B8D871954C57B0C1B3CD5B745AD888
SHA1:	9C93C1F13CFA765A9895942D28D34245726E9DFE
SHA-256:	1DE57B0C8AF1E5A6318E98728B272FF86B7E30D1E5641A04AB22FD3DEC53CAC9
SHA-512:	7B471AEEFBE6994B0CFAA5D50858CC329D2568B006D5B8F64D27E1C67FBEC48F6BDBA233ED7F9115B66BF5E37E77669C061786FEA33E65B174F095EDD9AFE2D4
Malicious:	false
Preview:	@...e...................h.................J..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)_.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1h0ncl35.cdw.psm1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q1houbac.oki.ps1 Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp719C.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135021273392143
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5:	40B11EF601FB28F9B2E69D36857BF2EC
SHA1:	B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256:	C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512:	E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp767F.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpE11E.tmp Download File
Process:	C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	5.1601761481712485
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Htn:cbha7JlNQV/rydbz9I3YODOLNdq3f
MD5:	D0E1FFE85595A45433BC85B27F9CE650
SHA1:	5FAFB8D0ACCDEC75B42915F0D5A1B183A23A8163
SHA-256:	9F2C3E78905D3DECBF031E8F2398C71D4EE2501F7D94ECBD9458321AEA450F20
SHA-512:	469AA8643068DD53FBB49306EF1756D811720CE2350ACFB6C0AB8630A8D09CCA613B9675CF668A10CBA41269412890399165928315CC10434B6B66C68F209805
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Lz8:H8
MD5:	A2BAD67ED9E38C8C4015ADED2B89653A
SHA1:	276E3B4438187531E4602FC74A9882057F7FB4F9
SHA-256:	869585424B90581D32692E7778550D9B7A2D537B11B626C172BC8135081B2156
SHA-512:	9BE3360053FE61A0311C4E5E792780B6A235CA712B03A91DAA33C25921362835301D8C0079828E6939CA42476E56EBC1DD1DDF96885BE30DCBECECDF727A28AA
Malicious:	true
Preview:	...9...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.795707286467131
Encrypted:	false
SSDEEP:	3:oMty8WbSX/MNn:oMLWus
MD5:	D685103573539B7E9FDBF5F1D7DD96CE
SHA1:	4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256:	D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512:	17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\user\AppData\Roaming\vlzcRkmDiOmdD.exe Download File
Process:	C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	391680
Entropy (8bit):	7.882226926694419
Encrypted:	false
SSDEEP:	6144:s5sdZMkhBwFvM6I7Qqpvp4w5uVaZ8yi6JcHWhitE4opE59yin1qYKb6qjjTwcoUx:s3SBwFvM6Ta4YF7sWhitBwEztn15KmqA
MD5:	BC87C171C5E5C075EBCB336CA4518452
SHA1:	29854B8268BB99A6F26DF87229107FCFBF815D87
SHA-256:	BB08E42BFB63552A1AF7AB0E24BB040C9F2854F2521FDA176E80C80DD17BEEC7
SHA-512:	85509F5E3EEBBECD909DA16102A9183484D1C88D269CF541BD20CCA6DD6FD9FFDDDA27F84F441F2EC07DD91B3DB600524DEDD59886D8F4543D5CCB6F2F68DBAE
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 57%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ha..............0.................. ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........E...X..........p...@m...........................................0.................%...%...%....+...0..4..........=......r...p...r{..p.......,.......+.........+..".(&....^.(&.......}......}....>..sj...%.}@...>..st...%.}H...>..s\|...%.}N...>..s....%.}Y...>..s....%.}a...>..s....%.}f...^..}.....('......(.......".((......()...o...(+...r...p(,...(-...&:..o....(-...&...0..&.........{....o/...(\...(0.....,.r...p(-...&*...0..+.........,..{.......+....,...{....o

C:\Users\user\AppData\Roaming\vlzcRkmDiOmdD.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20211023\PowerShell_transcript.932923.eZdTXog+.20211023213159.txt Download File
Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3705
Entropy (8bit):	5.373222376894195
Encrypted:	false
SSDEEP:	96:BZPTLoN+qDo1ZL+Zg2TLoN+qDo1Z3qSW0cW0cW0nZg:3SSR
MD5:	73B7694A76AF07002DC6553D1B91BDC1
SHA1:	F2DB91610A1816D73D0BA1DBD35174C46F23A125
SHA-256:	02F84307CDE3ABADFA8BDF844C788361F7F0DF680721D2230593489DF5881732
SHA-512:	87D66514423BA67BBCB676623587A20025D1E8A8B1818BA5A1C5F6C809DD5185A71EDDE2A6A41F82E893AD60EA53E646E5D48B52DBB33EA08F8F6703BEFDA466
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20211023213200..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 932923 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe..Process ID: 956..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20211023213200..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe..******************..Command start time: 20211023213457..********************..PS>TerminatingError(Add-M

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.882226926694419
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	DRAFT BL-DOCS-20211510-VP-KMC022021.exe
File size:	391680
MD5:	bc87c171c5e5c075ebcb336ca4518452
SHA1:	29854b8268bb99a6f26df87229107fcfbf815d87
SHA256:	bb08e42bfb63552a1af7ab0e24bb040c9f2854f2521fda176e80c80dd17beec7
SHA512:	85509f5e3eebbecd909da16102a9183484d1c88d269cf541bd20cca6dd6fd9ffddda27f84f441f2ec07dd91b3db600524dedd59886d8f4543d5ccb6f2f68dbae
SSDEEP:	6144:s5sdZMkhBwFvM6I7Qqpvp4w5uVaZ8yi6JcHWhitE4opE59yin1qYKb6qjjTwcoUx:s3SBwFvM6Ta4YF7sWhitBwEztn15KmqA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ha..............0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x460c02
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6168E90C [Fri Oct 15 02:35:56 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x60bb0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x62000	0x698	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5ec08	0x5ee00	False	0.919131875823	data	7.89920675727	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x62000	0x698	0x800	False	0.3662109375	data	3.62558970417	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x62090	0x408	data
RT_MANIFEST	0x624a8	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018 Dmitry Bruhov
Assembly Version	1.0.1.0
InternalName	LazyHelpe.exe
FileVersion	1.0.1
CompanyName
LegalTrademarks
Comments	Automatically preload Windows thumbnails for a directory and (optionally) subdirectories
ProductName	WinThumbsPreloader
ProductVersion	1.0.1
FileDescription	WinThumbsPreloader
OriginalFilename	LazyHelpe.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 23, 2021 21:32:05.638972998 CEST	49756	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:05.662326097 CEST	97	49756	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:06.233788013 CEST	49756	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:06.256966114 CEST	97	49756	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:06.843197107 CEST	49756	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:06.866535902 CEST	97	49756	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:11.122548103 CEST	49757	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:11.145659924 CEST	97	49757	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:11.656099081 CEST	49757	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:11.679390907 CEST	97	49757	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:12.187405109 CEST	49757	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:12.210671902 CEST	97	49757	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:16.221297026 CEST	49758	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:16.244004965 CEST	97	49758	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:16.750298023 CEST	49758	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:16.773277044 CEST	97	49758	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:17.281657934 CEST	49758	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:17.304608107 CEST	97	49758	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:21.503145933 CEST	49759	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:21.526295900 CEST	97	49759	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:22.032181978 CEST	49759	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:22.054908991 CEST	97	49759	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:22.563287973 CEST	49759	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:22.586052895 CEST	97	49759	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:26.595999956 CEST	49762	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:26.619214058 CEST	97	49762	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:27.126199961 CEST	49762	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:27.149476051 CEST	97	49762	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:27.657511950 CEST	49762	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:27.680901051 CEST	97	49762	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:31.890288115 CEST	49763	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:31.913429976 CEST	97	49763	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:32.423494101 CEST	49763	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:32.448456049 CEST	97	49763	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:32.954766989 CEST	49763	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:32.978106022 CEST	97	49763	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:37.119874954 CEST	49764	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:37.143579006 CEST	97	49764	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:37.658785105 CEST	49764	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:37.681849003 CEST	97	49764	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:38.189716101 CEST	49764	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:38.212687969 CEST	97	49764	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:42.270384073 CEST	49765	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:42.293510914 CEST	97	49765	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:42.799432039 CEST	49765	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:42.822715998 CEST	97	49765	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:43.330677032 CEST	49765	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:43.353914976 CEST	97	49765	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:47.793678999 CEST	49767	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:47.816507101 CEST	97	49767	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:48.331221104 CEST	49767	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:48.354192972 CEST	97	49767	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:48.862396955 CEST	49767	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:48.885265112 CEST	97	49767	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:53.036426067 CEST	49768	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:53.059467077 CEST	97	49768	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:53.565893888 CEST	49768	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:53.588567972 CEST	97	49768	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:54.097371101 CEST	49768	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:54.120100021 CEST	97	49768	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:58.429191113 CEST	49770	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:58.452241898 CEST	97	49770	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:59.066404104 CEST	49770	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:59.089632988 CEST	97	49770	185.140.53.75	192.168.2.6
Oct 23, 2021 21:32:59.675868988 CEST	49770	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:32:59.698935032 CEST	97	49770	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:03.709084988 CEST	49798	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:03.732206106 CEST	97	49798	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:04.238713980 CEST	49798	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:04.261744022 CEST	97	49798	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:04.788127899 CEST	49798	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:04.813357115 CEST	97	49798	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:08.862494946 CEST	49814	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:08.885740042 CEST	97	49814	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:09.395359039 CEST	49814	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:09.418729067 CEST	97	49814	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:09.926666975 CEST	49814	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:09.949924946 CEST	97	49814	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:13.960490942 CEST	49815	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:13.983556986 CEST	97	49815	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:14.489574909 CEST	49815	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:14.513034105 CEST	97	49815	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:15.021922112 CEST	49815	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:15.045293093 CEST	97	49815	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:19.054943085 CEST	49817	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:19.077975035 CEST	97	49817	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:19.583724976 CEST	49817	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:19.606583118 CEST	97	49817	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:20.115062952 CEST	49817	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:20.138063908 CEST	97	49817	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:24.179680109 CEST	49818	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:24.202810049 CEST	97	49818	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:24.709213018 CEST	49818	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:24.732309103 CEST	97	49818	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:25.240437984 CEST	49818	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:25.263448954 CEST	97	49818	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:29.274403095 CEST	49838	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:29.297522068 CEST	97	49838	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:29.803410053 CEST	49838	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:29.829569101 CEST	97	49838	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:30.334707975 CEST	49838	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:30.357624054 CEST	97	49838	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:34.367679119 CEST	49849	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:34.390729904 CEST	97	49849	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:34.897578955 CEST	49849	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:34.923248053 CEST	97	49849	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:35.428806067 CEST	49849	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:35.452040911 CEST	97	49849	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:39.469691038 CEST	49853	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:39.493024111 CEST	97	49853	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:40.007436991 CEST	49853	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:40.030591965 CEST	97	49853	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:40.538764954 CEST	49853	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:40.562283039 CEST	97	49853	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:44.571628094 CEST	49854	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:44.594954014 CEST	97	49854	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:45.101504087 CEST	49854	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:45.124787092 CEST	97	49854	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:45.632927895 CEST	49854	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:45.656107903 CEST	97	49854	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:49.665904045 CEST	49855	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:49.689224958 CEST	97	49855	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:50.212142944 CEST	49855	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:50.250109911 CEST	97	49855	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:50.758270025 CEST	49855	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:50.781615973 CEST	97	49855	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:54.824444056 CEST	49856	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:54.847795010 CEST	97	49856	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:55.365715981 CEST	49856	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:55.388881922 CEST	97	49856	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:55.901115894 CEST	49856	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:55.924279928 CEST	97	49856	185.140.53.75	192.168.2.6
Oct 23, 2021 21:33:59.945415974 CEST	49857	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:33:59.968312979 CEST	97	49857	185.140.53.75	192.168.2.6
Oct 23, 2021 21:34:00.481482029 CEST	49857	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:34:00.512203932 CEST	97	49857	185.140.53.75	192.168.2.6
Oct 23, 2021 21:34:01.024061918 CEST	49857	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:34:01.046911955 CEST	97	49857	185.140.53.75	192.168.2.6
Oct 23, 2021 21:34:05.056411982 CEST	49858	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:34:05.079638958 CEST	97	49858	185.140.53.75	192.168.2.6
Oct 23, 2021 21:34:05.586951017 CEST	49858	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:34:05.609982967 CEST	97	49858	185.140.53.75	192.168.2.6
Oct 23, 2021 21:34:06.118278980 CEST	49858	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:34:06.141227007 CEST	97	49858	185.140.53.75	192.168.2.6
Oct 23, 2021 21:34:10.151814938 CEST	49859	97	192.168.2.6	185.140.53.75
Oct 23, 2021 21:34:10.174879074 CEST	97	49859	185.140.53.75	192.168.2.6

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544 Parent PID: 5092

General

Start time:	21:31:56
Start date:	23/10/2021
Path:	C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe'
Imagebase:	0x570000
File size:	391680 bytes
MD5 hash:	BC87C171C5E5C075EBCB336CA4518452
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.335271528.0000000003C2B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.334888957.0000000002C31000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.335330785.0000000003CB2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.334779670.0000000002B81000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exe PID: 956 Parent PID: 6544

General

Start time:	21:31:58
Start date:	23/10/2021
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\DRAFT BL-DOCS-20211510-VP-KMC022021.exe'
Imagebase:	0xd30000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2916 Parent PID: 956

General

Start time:	21:31:58
Start date:	23/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5540 Parent PID: 6544

General

Start time:	21:31:59
Start date:	23/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vlzcRkmDiOmdD' /XML 'C:\Users\user\AppData\Local\Temp\tmpE11E.tmp'
Imagebase:	0x11e0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5608 Parent PID: 5540

General

Start time:	21:31:59
Start date:	23/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 2600 Parent PID: 6544

General

Start time:	21:31:59
Start date:	23/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0xcf0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.594029123.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.598709424.0000000005D20000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.598709424.0000000005D20000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.598109701.00000000043F7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.598769356.0000000005FB0000.00000004.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 7064 Parent PID: 2600

General

Start time:	21:32:01
Start date:	23/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp719C.tmp'
Imagebase:	0x11e0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3684 Parent PID: 7064

General

Start time:	21:32:02
Start date:	23/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 7124 Parent PID: 2600

General

Start time:	21:32:03
Start date:	23/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp767F.tmp'
Imagebase:	0x11e0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 2296 Parent PID: 936

General

Start time:	21:32:03
Start date:	23/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase:	0xba0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 2384 Parent PID: 7124

General

Start time:	21:32:03
Start date:	23/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 1972 Parent PID: 2296

General

Start time:	21:32:03
Start date:	23/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6456 Parent PID: 936

General

Start time:	21:32:05
Start date:	23/10/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x7ff6b7590000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: conhost.exe PID: 1256 Parent PID: 6456

General

Start time:	21:32:06
Start date:	23/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 7024 Parent PID: 3440

General

Start time:	21:32:14
Start date:	23/10/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0xd90000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 3416 Parent PID: 7024

General

Start time:	21:32:14
Start date:	23/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: DRAFT BL-DOCS-20211510-VP-KMC022021.exe PID: 6544 Parent PID: 5092 DRAFT BL-DOCS-20211510-VP-KMC022021.exeCOMMON

Executed Functions

Function 055303FF, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0553047F

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: f53d90a70f26730e92746dd8fd68132cd4780b40cd68116ea345d4099847328b
Instruction ID: b2833ac758e3ec8aced2011d79e0f0bbdbffa2d27296d40dbca5aaa56bd06bc4
Opcode Fuzzy Hash: f53d90a70f26730e92746dd8fd68132cd4780b40cd68116ea345d4099847328b
Instruction Fuzzy Hash: 4421BF75509784AFDB128F25DC45B52BFF4FF06210F0885DAE9898B1A3D275D908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05530635, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 055306A1

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: f23879ad1cb47225bcbb6c40ec0d893119d9380b223a4003dda325de75e8f1fc
Instruction ID: 050855e1d147dfb7eebde043813be46b458c46cf837854cab4ba9cc01ad20127
Opcode Fuzzy Hash: f23879ad1cb47225bcbb6c40ec0d893119d9380b223a4003dda325de75e8f1fc
Instruction Fuzzy Hash: 78118E72409780AFDB228B25DC45A52FFB4EF46324F0984DAE9844B163D275A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05530436, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0553047F

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 27990eee96956071df5c8c7859b529809629b4538e9e988e325564a207c6551f
Instruction ID: b4bbad1b5f5da0694058569eb6a784f8a3868b545a1f9716eb94e3061d2a6830
Opcode Fuzzy Hash: 27990eee96956071df5c8c7859b529809629b4538e9e988e325564a207c6551f
Instruction Fuzzy Hash: 04115E315007049FDB21CF55D849B66FFE4FF04320F0885AAED898B661D675E518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 05530666, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 055306A1

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 3283c5e4ebe9a6c69716f35c8ad3483646a0a9514d5320684de15e0ad3e6118a
Instruction ID: 1a69ba944a66c1f978378f71979750da657e4a451af11b74852044ae4f3c6242
Opcode Fuzzy Hash: 3283c5e4ebe9a6c69716f35c8ad3483646a0a9514d5320684de15e0ad3e6118a
Instruction Fuzzy Hash: 34017C354047009FDB20DF16D949B26FFA0FF48320F1884AADE490A666D2B5A418CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DA0358, Relevance: .8, Instructions: 839COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7fd3ea13a227f7768e112326453c383d53b840b8e452524ac4b2195c7d1258
Instruction ID: f56c51e8536bef03d9adcd5ed8368071fc371688ef8c16df11d1ed64c2108a9d
Opcode Fuzzy Hash: 0f7fd3ea13a227f7768e112326453c383d53b840b8e452524ac4b2195c7d1258
Instruction Fuzzy Hash: 64929034A01218CFCB65DF24C894BE9B7B2BF8A305F5541E9D849AB365CB71AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04DA0349, Relevance: .8, Instructions: 772COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17ce02ade6ad1facffcaa76cff290eeacca58e5e5cf94a3305e11703134d7f6d
Instruction ID: e302e9743cfe5424829694fcc7906daa2287f2fa311ed1f0c048b3bfe88e40a6
Opcode Fuzzy Hash: 17ce02ade6ad1facffcaa76cff290eeacca58e5e5cf94a3305e11703134d7f6d
Instruction Fuzzy Hash: 9B82A134A01218CFCB65DF24C894BE9B7B2BF8A305F5541E9D849AB365CB71AE85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04DA82D8, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8da872bff1ecfd46c52a92d8a5f513ce007eb795e470601a34940ec40e3b3b
Instruction ID: da879f5021b924242422656f846cdf73594517761571038aa26ca9078ea34219
Opcode Fuzzy Hash: 0f8da872bff1ecfd46c52a92d8a5f513ce007eb795e470601a34940ec40e3b3b
Instruction Fuzzy Hash: 0E9126B0E05258CFDF00EFAAC4846AEBBF2FF49314F14911AE814AB255D734A952DF54

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB5E5, Relevance: 3.8, Strings: 3, Instructions: 34COMMON

Download Yara Rule

Strings

&, xrefs: 04DAB615
(, xrefs: 04DAB662
(, xrefs: 04DAB65D

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: &$($(
API String ID: 0-1441811412
Opcode ID: 821d303bb1d4d94b580f6b14e2d3f5144a4b74fedde06292b47205724394c113
Instruction ID: dcb963c20cabdcc672124d0a06ffbbd95de2e845d2b77289a7fb8cebbddb27db
Opcode Fuzzy Hash: 821d303bb1d4d94b580f6b14e2d3f5144a4b74fedde06292b47205724394c113
Instruction Fuzzy Hash: FE01DA70D002189BDB64DF75D994BDCB7B2BB89300F20849AD609BB294DB316E91DF44

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8CC7, Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

!, xrefs: 04DA8CD7
, xrefs: 04DA8CF3

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: $!
API String ID: 0-2056089098
Opcode ID: fdfbe14931b38aa977ac7f4cbda69f122de58f254c5594b5248ee9c36eecfff4
Instruction ID: 0c98e495d55da6e1ac0be8859ec6b5aa72aad56b8d5a90aec1ac111bb6bc0a93
Opcode Fuzzy Hash: fdfbe14931b38aa977ac7f4cbda69f122de58f254c5594b5248ee9c36eecfff4
Instruction Fuzzy Hash: D1611874D5A208CFDB14EFB1D5987ADBBB4FB06305F10641AE812B32A0DB349598EF44

Uniqueness

Uniqueness Score: -1.00%

Function 04DA1E66, Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

c, xrefs: 04DA1E6F
/, xrefs: 04DA1EC7

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: /$c
API String ID: 0-3909290379
Opcode ID: 9d0d39311fa72480bfb6bbed3cd2714c48586cd06fb24e7cca85d6811020b517
Instruction ID: 57afef928f81fdf9f250d85fa1e0784c80592233d5149de17284ad9f90e49730
Opcode Fuzzy Hash: 9d0d39311fa72480bfb6bbed3cd2714c48586cd06fb24e7cca85d6811020b517
Instruction Fuzzy Hash: 3F5109B5E042998FCB10CFA9C4809EDFBF1BF49310F24969AE855EB255D730A982CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05530EDE, Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 05530FBE

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 3a689c4424c8b3f6b355c31b37c4db21cae3d567b87bd943f70e5155e41d7ef0
Instruction ID: 7db307c8c4ff198f0059c9ff98dda45a19500b770677c95137efdc43de71d5a8
Opcode Fuzzy Hash: 3a689c4424c8b3f6b355c31b37c4db21cae3d567b87bd943f70e5155e41d7ef0
Instruction Fuzzy Hash: 51418C7240E3C05FD7038B318C65A62BFB4AF47620F0A81DBD8849F1A3D664691AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0268BDA2, Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,F634D2E4,00000000,00000000,00000000,00000000), ref: 0268BE4C

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 60db93ec2a16d35eff2d35397d7add835ea4c0e7f176433ab93b31d307084c92
Instruction ID: 8cbfdc49b7642e061756f84df31550b28b9043bb7f748f232debbf92736b0dcf
Opcode Fuzzy Hash: 60db93ec2a16d35eff2d35397d7add835ea4c0e7f176433ab93b31d307084c92
Instruction Fuzzy Hash: F031B572409384AFEB128F64DC55F97BFB8EF06314F08849BE984DB253D224A509C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0268AC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0268ACD1

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dd628b4cb174c5067724a0803b5c46ed1290119bfb1d1339d90e65ba3cb34e9e
Instruction ID: fa6300e36ae5c066b25de0132c420247be051e3b39ef36cab26940a988b5d8e9
Opcode Fuzzy Hash: dd628b4cb174c5067724a0803b5c46ed1290119bfb1d1339d90e65ba3cb34e9e
Instruction Fuzzy Hash: 9E31A272504384AFE7228B65CC45F67BFACEF06710F0885ABED819B252D665E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05530FF4, Relevance: 1.6, APIs: 1, Instructions: 90fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05531095

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: de064f6fd9669c88addb9a59376293227a57e64e0581810f85a9773a69dc2fc4
Instruction ID: bfcdbced9fd889542598a347e4aa8a798b1ac6069007049d9cb5b33ada38e7ef
Opcode Fuzzy Hash: de064f6fd9669c88addb9a59376293227a57e64e0581810f85a9773a69dc2fc4
Instruction Fuzzy Hash: EB315C71504780AFE722CF65DC45F66FFE8EF45610F0884AEE9898B252D365E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0553096E, Relevance: 1.6, APIs: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 055309FA

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 69c2a4d465bbae551435a307ab1171e086ea21bae8c7bd2f6ffe7e21a5c20fe6
Instruction ID: 2ade61ab1ec4f9dbf9e60d0b765ae9177e5cb565e847f52003d16d65d60f19f9
Opcode Fuzzy Hash: 69c2a4d465bbae551435a307ab1171e086ea21bae8c7bd2f6ffe7e21a5c20fe6
Instruction Fuzzy Hash: 3B31507150E3C05FD7138B349C65A62BFB8AF07214F1D84DBD989CF2A3E2659849C762

Uniqueness

Uniqueness Score: -1.00%

Function 0268BBA2, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0268BC49

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e595d6393b01cd4a26ea2459b7fc354661c71d6ac237bd170e30f12f4cea2ee7
Instruction ID: bc37835b97422e2c82a7c0bfd0d6f99bb365271969904006e6fb8c58070028d4
Opcode Fuzzy Hash: e595d6393b01cd4a26ea2459b7fc354661c71d6ac237bd170e30f12f4cea2ee7
Instruction Fuzzy Hash: 6031B1B1509780AFE712DB25CC84F56FFE8EF06214F08859AE984CF292D765E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0268AD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,F634D2E4,00000000,00000000,00000000,00000000), ref: 0268ADD4

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b2df2b6682529445e66704bb63ce1b4a74e1023c1b84724761707eb9955abf30
Instruction ID: 37cea0b866bc1e225e22f53ef58d46e8d3c0c1df36c9cb343633952477ce9d18
Opcode Fuzzy Hash: b2df2b6682529445e66704bb63ce1b4a74e1023c1b84724761707eb9955abf30
Instruction Fuzzy Hash: AE31C472108384AFD722CB61CC44F92BFF8EF06310F18859BE985CB292D760E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055310EC, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,F634D2E4,00000000,00000000,00000000,00000000), ref: 05531181

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 390363be3db433e34e153a5d3b562d1676611b50c4c83b08497407149e3d546b
Instruction ID: 117005b710cb2713514dc64922bc6c65516393bd380a1d78e9e5b65c9012e49a
Opcode Fuzzy Hash: 390363be3db433e34e153a5d3b562d1676611b50c4c83b08497407149e3d546b
Instruction Fuzzy Hash: AF21F8B54097806FE7138B25DC41FA2BFA8EF47720F1881D7ED848B293D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 055301A4, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0553022E

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: ee33129fc186ee1d9cf7092f89ccc5b6686730ac8e9ce1c6602d38b8eb10bf47
Instruction ID: f6d24aafabbcaa428766be0c836e94b1805fc880e1bf96d6cbd006529149fefd
Opcode Fuzzy Hash: ee33129fc186ee1d9cf7092f89ccc5b6686730ac8e9ce1c6602d38b8eb10bf47
Instruction Fuzzy Hash: 0C2181715093849FDB128F25DC45B52BFB8EF06610F0884DAED85CF263D665E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0268A2AC, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0268A346

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1debc7670c69c494410150a834d63e7a1ef92386ce2cfda3c88a876eb696e6b9
Instruction ID: c7ebb9e9ac75fdee37e14963f38b3f690bf2b6d3ae05ad2e68c4c9706cc41fee
Opcode Fuzzy Hash: 1debc7670c69c494410150a834d63e7a1ef92386ce2cfda3c88a876eb696e6b9
Instruction Fuzzy Hash: 3521B67144D7C06FD3138B259C51B22BFB4EF87620F1981DBEC84CB653D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05531016, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05531095

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 33a7882c474b309482351f12d4365ae48df3051e928bb1fa3a3d8900314a50ce
Instruction ID: 20ae6dffd4d219e27a61684257ebd813913c87d1b1b5219d446637c3cd8ba73a
Opcode Fuzzy Hash: 33a7882c474b309482351f12d4365ae48df3051e928bb1fa3a3d8900314a50ce
Instruction Fuzzy Hash: DF219A71504A40AFEB21DF65C885F66FBE8FF08310F1488AAEA898B242D771E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 055311BC, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,F634D2E4,00000000,00000000,00000000,00000000), ref: 0553124D

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4b8b7f5888afaeecab196798b1de4d116cbee8be531f6609bdf8f8b2437a7240
Instruction ID: 446161443b30da1a3ccf8ea756862c5752cdb8bcc85ab2afe0e51db82262f393
Opcode Fuzzy Hash: 4b8b7f5888afaeecab196798b1de4d116cbee8be531f6609bdf8f8b2437a7240
Instruction Fuzzy Hash: A121A471409780AFDB228F65DC45F56FFB8EF46314F0884DBE9449B153C265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0268AC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0268ACD1

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 138c5ea1746be83d2630f307218ea51ff4e537d55d5274f1d72512cc3cbbede8
Instruction ID: 0535c87b53fa3d4dd2f8abe814af5af0857484280ddae2487331cb070ad54d44
Opcode Fuzzy Hash: 138c5ea1746be83d2630f307218ea51ff4e537d55d5274f1d72512cc3cbbede8
Instruction Fuzzy Hash: 3121DE72500604EFE721AB64CC84F6BFBECEF08710F14855BEE419B241D764E8098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0268BBD6, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0268BC49

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 9ef786a4a16040ed04aaa1a05dd5b06f3651d60fa3c1eb5398e5b075ec6c9d1e
Instruction ID: 0349998d2f93c865f461840fd58d9c7bed0c0252407904ee0cc67167db1592bf
Opcode Fuzzy Hash: 9ef786a4a16040ed04aaa1a05dd5b06f3651d60fa3c1eb5398e5b075ec6c9d1e
Instruction Fuzzy Hash: D0218E71500640EFE721EF25C985B66FBE8EF08614F14856AEE88CB341EBB1E506CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0268BDE2, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E2C,F634D2E4,00000000,00000000,00000000,00000000), ref: 0268BE4C

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 4a9de9df90360e13669c883e0aee8660019a0f62a9c2aa39befe5ac39e8a09ca
Instruction ID: 21bd647536e0f5e17474eb6a97fd95b0da6094625047681496d3ebbb130b9f2d
Opcode Fuzzy Hash: 4a9de9df90360e13669c883e0aee8660019a0f62a9c2aa39befe5ac39e8a09ca
Instruction Fuzzy Hash: C611D972100200AFEB219F24CC88FABFBACEF04320F14856BEA45DB201D660A409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0268AD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,F634D2E4,00000000,00000000,00000000,00000000), ref: 0268ADD4

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 55264172b198f5436cbd481a0e1175351260b5168e8725508e7d7c03d21a867b
Instruction ID: 6be59ab575fc23f9f13f4de78534b27b9558a085524fbee07fdd09449e2702ea
Opcode Fuzzy Hash: 55264172b198f5436cbd481a0e1175351260b5168e8725508e7d7c03d21a867b
Instruction Fuzzy Hash: 2A216F72500604AFE721DE55CC84FA7FBE8EF04711F14855BED45DB291DB60E805CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05531297, Relevance: 1.6, APIs: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0553130C

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: f6a6995ad46b7b47216a08a8cb141a4a95d66c5b345faabf0313e038a2771cac
Instruction ID: 3e62b343181f0f49cf6daf8844acaa32862b94a9b9cf76b02a6f581c2e276720
Opcode Fuzzy Hash: f6a6995ad46b7b47216a08a8cb141a4a95d66c5b345faabf0313e038a2771cac
Instruction Fuzzy Hash: C521C0729097C05FDB12CB35DC55B96BFE8AF02220F0980EAE989CF253D6649908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05530587, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 055305EC

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 17520d168362e94dec37413f37ccd81e9a2cf99b2cd4601277a6135271634987
Instruction ID: 4d2fd999bb644a2de8986a4c942a0a65c17610e117b197da332bc48ecac00b07
Opcode Fuzzy Hash: 17520d168362e94dec37413f37ccd81e9a2cf99b2cd4601277a6135271634987
Instruction Fuzzy Hash: 6A21A2754093C09FD7138B25DC95B56BFB8AF46220F0980EBDD858F6A3D2699908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0268BA1F, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0268BA84

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8a17bc14e6e60003396c466043281e5b951872e4c288c1b4ff2faa2b7cd87d57
Instruction ID: 99da0eea6fecc577345c534df6434c237660475f513d790a7f553364cecbfb3a
Opcode Fuzzy Hash: 8a17bc14e6e60003396c466043281e5b951872e4c288c1b4ff2faa2b7cd87d57
Instruction Fuzzy Hash: B811AF714093849FDB128F25DC94752BFB8EF06224F1880EBED85CF653D275A948CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 055313F1, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05531465

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: aa2f9d25a5e0620708c092260f9f0c6b63f01ecaf8bff89cf5815c2e8e3750bc
Instruction ID: c7a0ad71dc1c5c49d390309cd0b811dbdf2f87184534053e4e4747230284ecb3
Opcode Fuzzy Hash: aa2f9d25a5e0620708c092260f9f0c6b63f01ecaf8bff89cf5815c2e8e3750bc
Instruction Fuzzy Hash: 7F218C714097C0AFDB138B25CC44A62FFB4EF07220F0985DBE9848F163D265A819DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0268A5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0268A666

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1aaccf045f3aadc45e652cc76c7778435a171426f9a637631a1ced29b3899b47
Instruction ID: c21c3644f10df6f55fd25ed271816347fad54160223f5d5a2e8b8c1656c6b234
Opcode Fuzzy Hash: 1aaccf045f3aadc45e652cc76c7778435a171426f9a637631a1ced29b3899b47
Instruction Fuzzy Hash: 7111A271409780AFDB228F50DC44B62FFF4EF4A210F0885DAEE858B252D275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 055311EE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,F634D2E4,00000000,00000000,00000000,00000000), ref: 0553124D

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1f282c61f8afd8c9548c6606fc61617fad25358382861f7ce37f6eaa6f9da3e6
Instruction ID: 09ebe8751ee498aa69cce8ed32a37f0a8037e986a2007975df03e63a0bda8d24
Opcode Fuzzy Hash: 1f282c61f8afd8c9548c6606fc61617fad25358382861f7ce37f6eaa6f9da3e6
Instruction Fuzzy Hash: D911C171400604EFEB21CFA6DC45F66FBACEF45320F14846BEE499B241D674A409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 055301E6, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0553022E

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 34efb1bf789f606ce4765b8acb84b6975d1bd8b506e64329b33dcd45b06204b6
Instruction ID: 0b5a1c3c2f7edfeea0bc4e2bc27ab18835bb6690d01ae0f6d7bc8a48d18160c5
Opcode Fuzzy Hash: 34efb1bf789f606ce4765b8acb84b6975d1bd8b506e64329b33dcd45b06204b6
Instruction Fuzzy Hash: 8D1161716047049FDB50DFA9D88AB66FBD8FF04620F1884AAED49CB692D674E408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05530A88, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 05530AD7

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: edb2b3efa571bf703f6036cdf3480d539e17ac39b6f74674f7b6b7b0b3bc0a98
Instruction ID: c361e688b5b9b088cf7515d1f3ed46d701c32bd9ec23dc92aa4aea43264ac802
Opcode Fuzzy Hash: edb2b3efa571bf703f6036cdf3480d539e17ac39b6f74674f7b6b7b0b3bc0a98
Instruction Fuzzy Hash: AD116172601344AFEB10CF15DC85B67FBE8FB45724F08846AED49DB251D275E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 055309B2, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 055309FA

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 34efb1bf789f606ce4765b8acb84b6975d1bd8b506e64329b33dcd45b06204b6
Instruction ID: e228eba1e35d82d423cab45fc94e1c64bc833a4a094d591309b09696b4b361f5
Opcode Fuzzy Hash: 34efb1bf789f606ce4765b8acb84b6975d1bd8b506e64329b33dcd45b06204b6
Instruction Fuzzy Hash: E41152726057009FEB10DF69D84AB66FBD8FF04220F1884AADD49DB652E674D444CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0553112E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,F634D2E4,00000000,00000000,00000000,00000000), ref: 05531181

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7cbf58821d24182690040963fbb2e1e4f5c6972a87d95cc1743a435f9cea2aee
Instruction ID: 47dc771c3b207cdf5df1f04987e913e992e08b2a2d45c84d0414875afe521b3a
Opcode Fuzzy Hash: 7cbf58821d24182690040963fbb2e1e4f5c6972a87d95cc1743a435f9cea2aee
Instruction Fuzzy Hash: 5B01D271500A04AFE720DB25DC85FA7FFA8EF45720F14C497EE499B241D6B4A409CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0268B410, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0268B46D

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 3ec168396832943f6136f9ac35cc56d89ecb0240e0323c2df0579cf68a3862e2
Instruction ID: 989b2736c40b04104a340f1d17bf26cfa610f32c0a67127d4b5b5077a33448b3
Opcode Fuzzy Hash: 3ec168396832943f6136f9ac35cc56d89ecb0240e0323c2df0579cf68a3862e2
Instruction Fuzzy Hash: 23116D72500644AFEB20DE15DC85F63FBE8EB58624F08C559ED499B316D375E808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05530A9A, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 05530AD7

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0d5fc705aeef085a992cec57d79f9dc23c3b4469d3543216eab2b70a41be0f51
Instruction ID: 4ea0a552b43e083547a26affcbd66efcf4fdb81bc07283ed7b4fd1c198c65069
Opcode Fuzzy Hash: 0d5fc705aeef085a992cec57d79f9dc23c3b4469d3543216eab2b70a41be0f51
Instruction Fuzzy Hash: 750192716053449FDB10CF29D889766FBD8FF04320F1884AADD09DB652E6B4D404CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0268AAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0268AB46

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 0767eb3480cb0abb143d30ee28e354e0bcd27813b35aaf970ca5050d2d4d0246
Instruction ID: f2e8c8f930d428de41d51ce4ea6daa02e8c1ad542634e2b0fd8085dc7c0ff981
Opcode Fuzzy Hash: 0767eb3480cb0abb143d30ee28e354e0bcd27813b35aaf970ca5050d2d4d0246
Instruction Fuzzy Hash: D2117C31409784AFD7228F55DC84B52FFF4EF06220F0885DAEE854B262C375A819CB62

Uniqueness

Uniqueness Score: -1.00%

Function 055312D2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0553130C

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: db237292315b4e71e0c7f575dbc4b2a68c3628b669069699e4a40e1b331a2cd8
Instruction ID: 47c21bd14bc20e45a5c053c5e951e8999147b405fe655936d200ed431125e2b9
Opcode Fuzzy Hash: db237292315b4e71e0c7f575dbc4b2a68c3628b669069699e4a40e1b331a2cd8
Instruction Fuzzy Hash: 2B017171A046409FDB10DF79D886766FBD8FF04620F18C4AADD49CF646DA74E404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05530F6E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 05530FBE

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: e6e39423038d7f0a890efd830970daf43fe5eefb0daf9e50ff307f0950313d21
Instruction ID: 64ab86322967973b7b169e546b60eb3849c29a3ac669e3f7a39ee7a0b363420f
Opcode Fuzzy Hash: e6e39423038d7f0a890efd830970daf43fe5eefb0daf9e50ff307f0950313d21
Instruction Fuzzy Hash: 2E017172500600ABD750DF16DC86F36FBA8FB88B20F14816AED089B741E771F516CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0268A42A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0268A480

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a6a3fad7690d4b2b9dd47aae9a1901902cc64f6cba1f2f14cff907f044f69d90
Instruction ID: 9571d633a660b6f4fd25ebe82554f89ac0212842e7e7dd2cafe6b01a17b0acd1
Opcode Fuzzy Hash: a6a3fad7690d4b2b9dd47aae9a1901902cc64f6cba1f2f14cff907f044f69d90
Instruction Fuzzy Hash: 42116175409384AFDB128B25DC48B52FFB4DF46220F0980EBDD855F262D279A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0268B422, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0268B46D

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 281e31f9101e5491d4e79804174f919d96617f2fbf6850aa081cb06da0fe2a1f
Instruction ID: 97561132e459fec4ed5140d7ec31ef88abba4629052248b46287bc307a4f8f81
Opcode Fuzzy Hash: 281e31f9101e5491d4e79804174f919d96617f2fbf6850aa081cb06da0fe2a1f
Instruction Fuzzy Hash: 41018C715006049FEB20EE19D886B22FFE8EF18624F18819ADD49CB316D375E408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0268A622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0268A666

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fc2be682276ac69de8759bee93b81b26b9820961e5337750947a8a44d8cf3c10
Instruction ID: 20859e2096f3ab74d0d6bd61a6c2c40bccf1d5a8d549ca9c3662968c10065d2f
Opcode Fuzzy Hash: fc2be682276ac69de8759bee93b81b26b9820961e5337750947a8a44d8cf3c10
Instruction Fuzzy Hash: B4015B31400600AFDB219F95D944B56FFE4EF08320F1885AADE494A615D275E459DF61

Uniqueness

Uniqueness Score: -1.00%

Function 055305BA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 055305EC

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2a67a55f55e2b4c46a0d337e51f487a95b8910423e1c739ea7ca4ff4d295bc71
Instruction ID: 0c061b21e97217cf522986d0086f1ecd10d476c114eb61bc5a5bcc6b306d1fcb
Opcode Fuzzy Hash: 2a67a55f55e2b4c46a0d337e51f487a95b8910423e1c739ea7ca4ff4d295bc71
Instruction Fuzzy Hash: F801B1715047409FDB10CF1AE889B66FFA4EF44220F18C0ABDD498B655D6B5E408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0268A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0268A346

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d95ef185ac7a57f4c03dc1ce6a955824e01e167bd50e49e1f3eb0ddefd8c8559
Instruction ID: 0513fc8d134708534e3c38ba93a70d60adf97c83c92bfdffcf2ed7fcd9f5f8ec
Opcode Fuzzy Hash: d95ef185ac7a57f4c03dc1ce6a955824e01e167bd50e49e1f3eb0ddefd8c8559
Instruction Fuzzy Hash: DF018B72500600ABD610DF16DC82B26FBA8EB88A20F14815AED084B741E771F916CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 0268BA52, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0268BA84

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 1b10515aa861457b7765f23b5a8e3f4ea8c6fdd8c9f6f389b5c10f8d6f650f70
Instruction ID: 23ab2d8d7e38328720197f509e62f2437c3e0b54aa37eef648de7e1732544948
Opcode Fuzzy Hash: 1b10515aa861457b7765f23b5a8e3f4ea8c6fdd8c9f6f389b5c10f8d6f650f70
Instruction Fuzzy Hash: E601DB319042049FDB20DF29D885766FFA8EF04224F18C1ABDD49CB342D6B4E408CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0553142A, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05531465

Memory Dump Source

Source File: 00000000.00000002.336665706.0000000005530000.00000040.00000001.sdmp, Offset: 05530000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b6aef299c9749d6a6b5de01ab0e2ae218f442b9336957edf3a24ee166558d2e4
Instruction ID: 05bb37c5cc08ef8a3364ca932d40287d6ab0e7a60ce386496e3b429753c595d7
Opcode Fuzzy Hash: b6aef299c9749d6a6b5de01ab0e2ae218f442b9336957edf3a24ee166558d2e4
Instruction Fuzzy Hash: 6E018B31400A40DFDB21CF25D885B66FFA1FF08320F18C59ADE894B212C2B6E418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0268AB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0268AB46

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 866a18ab5a37fc43d6b1c4ebdaaec79a3e93e5194265966c9e9973462a156851
Instruction ID: 7a1a7fd73a16e55afc08228bcd6731e904372f41f3e007c3b91ccebf7e511dfc
Opcode Fuzzy Hash: 866a18ab5a37fc43d6b1c4ebdaaec79a3e93e5194265966c9e9973462a156851
Instruction Fuzzy Hash: 01014B35404A449FDB209F55D885B52FFA0EF04720F18C6ABDE4A4B652C2B5A819DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0268A44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0268A480

Memory Dump Source

Source File: 00000000.00000002.334599152.000000000268A000.00000040.00000001.sdmp, Offset: 0268A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0ad6379a43647c42a4655395c81a1cfb8c4c69d58340db59edcedadce9a7a0f3
Instruction ID: f72418b7ccf00403b8c682d9decf1e938869b2cebde6e026aa606314c1583654
Opcode Fuzzy Hash: 0ad6379a43647c42a4655395c81a1cfb8c4c69d58340db59edcedadce9a7a0f3
Instruction Fuzzy Hash: DEF0AF35804644DFDB109F55D888762FFA4EF04320F18C1ABDE495B316D2B9E809CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9FD0, Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

|mhr, xrefs: 04DAA028

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: |mhr
API String ID: 0-1401776628
Opcode ID: b9708d7363357724d0e1d0e03c317eaba55345749df4e543e2a0989918151870
Instruction ID: 5cdbc804ac2772a609d5a66c4ec60785dcd891603fdfc5f46e537c19dd87d0cf
Opcode Fuzzy Hash: b9708d7363357724d0e1d0e03c317eaba55345749df4e543e2a0989918151870
Instruction Fuzzy Hash: D0B12870E41248DBEB14DFA4D894BADBBB2FF89704F205129D945BB384DB71A891CF09

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8BB0, Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

, xrefs: 04DA8CF3

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ae7ec9635f38e567232a986d2cfc2d83fd4567018a8a7d22b781416754d5ab4e
Instruction ID: eb3b56b6529343874540703502a36b88ae2dd92be15e9f6967eafffed1a049be
Opcode Fuzzy Hash: ae7ec9635f38e567232a986d2cfc2d83fd4567018a8a7d22b781416754d5ab4e
Instruction Fuzzy Hash: D391F5B0D56208CFDB14DFA1D5987ADBBF0FB05305F10A42AE815B3290DB785698EF54

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8BA1, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

, xrefs: 04DA8CF3

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e819f43e3759d5531b742d96b0e3a0de9b5567e705c5256012fbcbe2af2eed14
Instruction ID: 4e38e116c6a5e8ad39b32af6a73c87a63d8491fb7dbecce8264810a07189849c
Opcode Fuzzy Hash: e819f43e3759d5531b742d96b0e3a0de9b5567e705c5256012fbcbe2af2eed14
Instruction Fuzzy Hash: 638105B0D06208CFEB14DFA1D5987ADBBB0FB0A305F10A46AE411B7290DB785698EF44

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8CA8, Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

, xrefs: 04DA8CF3

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 69e8d78e6954c2c86d614b1e817aafa9d4da6433190cc6d168c4833a31386916
Instruction ID: 515a93c9376483f342146caf61380fd3d13649a0fd6b0ae592a40f577a7b70ed
Opcode Fuzzy Hash: 69e8d78e6954c2c86d614b1e817aafa9d4da6433190cc6d168c4833a31386916
Instruction Fuzzy Hash: 8171F670D56218CFDB14EFB1D5987ADBBB0FB05305F10682AE811B32A0DB789698EF54

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8FDA, Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

, xrefs: 04DA8CF3

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 171447570012a817aa10eed68b5a88e8db51d38cf0b13cb8d5c016e7485422e2
Instruction ID: cb90f85e522102b69009e86d0e929e77e09a016006cbc74ff2f630ea7b0c7bb7
Opcode Fuzzy Hash: 171447570012a817aa10eed68b5a88e8db51d38cf0b13cb8d5c016e7485422e2
Instruction Fuzzy Hash: DC71E370D56218CFDB14EFB1D5887ADBBB0FB09305F10642AE812B32A0DB789598EF54

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8C5A, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

, xrefs: 04DA8CF3

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 939d9bb8eb865dacdf092bdb42c30168c180bef69067a3e2ea62d6f6c86598d1
Instruction ID: 074769af267092875541f34b83568e97164f3cd9b8121eb9b333984242767bae
Opcode Fuzzy Hash: 939d9bb8eb865dacdf092bdb42c30168c180bef69067a3e2ea62d6f6c86598d1
Instruction Fuzzy Hash: DD610670D5A208CFDB14EFB1D5987ADBBB0FB0A305F10642AE811B3290DB389598EF14

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8F84, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

, xrefs: 04DA8CF3

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8d98382ccb42bff0a229b215ee93ff5107f2f8f6d59498f01b2c6346585d4021
Instruction ID: 630f57c8f42e51f43fd9b25ae6e24da9eea49c91eb7d5dbe444270d5f02bd906
Opcode Fuzzy Hash: 8d98382ccb42bff0a229b215ee93ff5107f2f8f6d59498f01b2c6346585d4021
Instruction Fuzzy Hash: 0B61F674D5A208CFDB14EFB1D5987ADBBB0BB06305F10641AE811B32A0DB789598EF54

Uniqueness

Uniqueness Score: -1.00%

Function 04DAA45F, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04DAA56A

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 3453ab039c0c4a2bbf904c42fc0eaafd3da2184e1e769fa936dacf881f25ee9d
Instruction ID: ba6c56b1917d69a847694275c28ce1b9d85ddaa12d34f2fcb0f13ebf7d19683c
Opcode Fuzzy Hash: 3453ab039c0c4a2bbf904c42fc0eaafd3da2184e1e769fa936dacf881f25ee9d
Instruction Fuzzy Hash: 01710374E05208DFDB04DFA4D498AADBBB2FF8A304F20956AD805B7350EB356991CF25

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8C47, Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

, xrefs: 04DA8CF3

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9b4b70af9666e5623496a6dba30d392595ae3be4318d280c545a8cced7a71e6d
Instruction ID: d83791939e4959522f146d2ccb2e443194b033ad644fceb0cf5d67c59111f802
Opcode Fuzzy Hash: 9b4b70af9666e5623496a6dba30d392595ae3be4318d280c545a8cced7a71e6d
Instruction Fuzzy Hash: BE610970D56208CFDB14EFB1D5987ADBBB4FB06305F10641AE816B3290DB749598EF44

Uniqueness

Uniqueness Score: -1.00%

Function 04DAA470, Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04DAA56A

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 41180cfbf75abab0ee264e96374f080b9a6054708b043be065a98047927a29a5
Instruction ID: 318753d4d8cb9fa7c0dda4881fe37cfb26470f5a285221228fd65f429e6e98d9
Opcode Fuzzy Hash: 41180cfbf75abab0ee264e96374f080b9a6054708b043be065a98047927a29a5
Instruction Fuzzy Hash: 6961E174E01208DFDB04DFA4D458AADBBB2FF89304F20952AD805B7350EB346991CF25

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB06F, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

', xrefs: 04DABCC1

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: f8238929b36516073940cfd457b701028183af9416e13c381c4459b7b7f2783c
Instruction ID: 90749a1a0a69fec5e53b99559bef030a651e49b91dcf9c0108a879728f1f609f
Opcode Fuzzy Hash: f8238929b36516073940cfd457b701028183af9416e13c381c4459b7b7f2783c
Instruction Fuzzy Hash: 2A41D2B0E01228CFDB24DF64C945BD9B7F1FB0A304F1084DAD649A7240D7B4AAD68F95

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB9A8, Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

, xrefs: 04DABA12

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a01c5c3fb7462bba882dcbeeaa43e60b1faf2809d86a1bf31deded93d155b587
Instruction ID: c7fbe788e42efa881e168f19de17791972b2cf57e91d2ee7f8d38bb2a0c4a124
Opcode Fuzzy Hash: a01c5c3fb7462bba882dcbeeaa43e60b1faf2809d86a1bf31deded93d155b587
Instruction Fuzzy Hash: 7801E831A01158CFDB24DF64C940BEDB7B2BF8A304F1040DAD249AB295CB35AE92DF42

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB448, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

-, xrefs: 04DAB439

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 323cd09e8cce317e3bbd561cab53dbd5c8ea46217b7853b4481ff5b39ab9976a
Instruction ID: 21ec609c42d61d1aa71ce36626f9f94ce21097a0279ce21a36bba8aa4f84f1f0
Opcode Fuzzy Hash: 323cd09e8cce317e3bbd561cab53dbd5c8ea46217b7853b4481ff5b39ab9976a
Instruction Fuzzy Hash: 61F04F30A01158CFCB24DF64C940BECB7B1AF46314F1080DAC249AB294CB34AE92DF45

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB3DE, Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

-, xrefs: 04DAB439

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: a3a3e03cb1a89b11cf54cb263b70f59195aa7de8d8e14131bef1e03ad7a4a861
Instruction ID: c31b7c0b1773d34e5f04b47ea27866888b6960729cffa36cf9d8326ac9a315e4
Opcode Fuzzy Hash: a3a3e03cb1a89b11cf54cb263b70f59195aa7de8d8e14131bef1e03ad7a4a861
Instruction Fuzzy Hash: 15F0E7349001689BCB64DF24C950BECB7B1AB85314F5085DAC659AB294CF34AED2DF45

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB216, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

., xrefs: 04DAB21D

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 718014feaf39ecbfd2f52266791a9fcd719aa58ca1eede4766b1833e35e87f77
Instruction ID: fe0a6060cd80b36722612ee30f17ec9f766154ff911621e0b98c3d6ef5686939
Opcode Fuzzy Hash: 718014feaf39ecbfd2f52266791a9fcd719aa58ca1eede4766b1833e35e87f77
Instruction Fuzzy Hash: 1DC08C30804008CBC7208E30D048AAC33B0FB0B311F10088AE3859A240CB34BDF18F89

Uniqueness

Uniqueness Score: -1.00%

Function 04DAABF9, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7e2ba8aeb781cd90d3b7bf9a6dd0a21ad714db2715bdad55999153520f7ac7
Instruction ID: 65222d5ca0c3946f4f78eaee06f8528c59e8f61cd5036aa89d1dff5c5206f29b
Opcode Fuzzy Hash: 9d7e2ba8aeb781cd90d3b7bf9a6dd0a21ad714db2715bdad55999153520f7ac7
Instruction Fuzzy Hash: 0481CEB4E05208CFDF10DFA9C5847AEBBB1FB49305F20922AD415A7380E7786A95CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9670, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229b5c142b3b168c42a07baff7ecceba88ca36a3a43e87cdb00859a77aabbbd5
Instruction ID: d9259cce6b480f109089ce4d7a9cd8cfaa47179df9dc55c30caf63e7ec69ca1f
Opcode Fuzzy Hash: 229b5c142b3b168c42a07baff7ecceba88ca36a3a43e87cdb00859a77aabbbd5
Instruction Fuzzy Hash: AB71E5B0E05258CBDB04CFA5C8587EDBBF5FF4A304F10A96AD006A7284EB74A895DF15

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8767, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c519173ad5d69c38473bd0545412f84617bb4527005fbc966fa4d15b7566d17a
Instruction ID: 06f76d5180bb30c2192158a8dae90296a4c78b49887ae8b5b05cb51064252ced
Opcode Fuzzy Hash: c519173ad5d69c38473bd0545412f84617bb4527005fbc966fa4d15b7566d17a
Instruction Fuzzy Hash: E67114B0E012188FDB00EFEAD4447ADBBF1BF49314F148519E864A7284EB38A955EF52

Uniqueness

Uniqueness Score: -1.00%

Function 0269AA37, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be955b7e38baa2e5aad1336607e2dc40b0a6ced23c7d61a5e9cc25f41fa6517
Instruction ID: 8837463625f3ef993ae26e3b7ebaf51c3f9635d6e9ee0872c1602b870f607387
Opcode Fuzzy Hash: 2be955b7e38baa2e5aad1336607e2dc40b0a6ced23c7d61a5e9cc25f41fa6517
Instruction Fuzzy Hash: F751A47650D381AFD702CF25DC50A56FFF4EF86620F1888DFE8889B252D275A905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04DA1B32, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039c596659bad3ec5dcd7ac666aca5fdc37dc1e00edcf2aa40c2599fbedb086b
Instruction ID: 74ba49463543cbed3d80881c8cac718f8e79c4a7056cf6608c9abcbafea7c74e
Opcode Fuzzy Hash: 039c596659bad3ec5dcd7ac666aca5fdc37dc1e00edcf2aa40c2599fbedb086b
Instruction Fuzzy Hash: 3F716275E04228CFDF24CFA9C880BADBBB6BB49310F1094A9D559EB251E734A995CF10

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9660, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e61d8811dcc625a76fd912f299d66658ba6ac68d9d0c1683342933fd405e161
Instruction ID: e23b655df7c64d7a188de97ac3a77740b0920e2c55445a1a696ec282fe97463a
Opcode Fuzzy Hash: 9e61d8811dcc625a76fd912f299d66658ba6ac68d9d0c1683342933fd405e161
Instruction Fuzzy Hash: 1B61E3B0E06218CFDB04DFA5C5587EDBBF5BF4A304F10A86AD006A7254EB74A895CF15

Uniqueness

Uniqueness Score: -1.00%

Function 04DA15E1, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb31bba73399116f977d259053b5ea0df93ea4717ff15a672f4213281fa35ef7
Instruction ID: 8450cfbdfeb87c233683a96eea5b39f5a1ecd51fa5027de677b87ffd70a87536
Opcode Fuzzy Hash: fb31bba73399116f977d259053b5ea0df93ea4717ff15a672f4213281fa35ef7
Instruction Fuzzy Hash: 4061A2B4E05258CFDB14DFB9D584AADBBF6BF49300F149869D405EB250E730A991CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0269A5AC, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f48806e4a91ffb22d6bf84c07512a0c0a4899a0cb51acd54bfd4f1ed0a737b9
Instruction ID: 9eaf5718d99139179aeb87ef1599ccaad58f7c76100e5f5cf6032b68b82e98bf
Opcode Fuzzy Hash: 6f48806e4a91ffb22d6bf84c07512a0c0a4899a0cb51acd54bfd4f1ed0a737b9
Instruction Fuzzy Hash: 5651B376509380AFD702CF15DC40957FFF8EF86620F19899BF9889B212D235A904CB72

Uniqueness

Uniqueness Score: -1.00%

Function 04DAAF90, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543b05a22da4f63bc4084812b397ac77aacc23febbe62c7e4d5f21b03561bde4
Instruction ID: 993244016b95c3ab2ac5110f037aaa526316d27d41e29ebdf100fe1f1124b12d
Opcode Fuzzy Hash: 543b05a22da4f63bc4084812b397ac77aacc23febbe62c7e4d5f21b03561bde4
Instruction Fuzzy Hash: 175135B0E40228CFDB24DF65C9447D9BBF1EB49300F0084AAD259A7240E774AAD6CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9880, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af76072313d55ba14489808282367ffe02a115d4bb5bb031a8ccb61bd96fed5
Instruction ID: 2bbc70c3000c77ab8372400e58ade0937d198f423b7a11555755770036386919
Opcode Fuzzy Hash: 4af76072313d55ba14489808282367ffe02a115d4bb5bb031a8ccb61bd96fed5
Instruction Fuzzy Hash: 3F51E5B0E46258CFDB00CFA5D8646EDBBB5FB0A304F10695AD006B7244EB74A895DF15

Uniqueness

Uniqueness Score: -1.00%

Function 04DABE0C, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389287f3a26111272f9499c6dc0975b4303fc82cdf08eb3d7d2360fe878c81b5
Instruction ID: 08730e2807d37dce6d187654b56f1bb09c456ba94551173d36b3fe2f2c278405
Opcode Fuzzy Hash: 389287f3a26111272f9499c6dc0975b4303fc82cdf08eb3d7d2360fe878c81b5
Instruction Fuzzy Hash: 8F51EFB1E012289FDB60DF64C9487DDB7B0EB09304F1084EAD259A7280EB74AAD6CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB037, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07441292bfff178c595afbbcc38645810adb947e936d7b767f87ba5706f83c7
Instruction ID: 816ca584bb0daa4473e36b2030737839d0beaf6a6b2720477954a34e06f7af3f
Opcode Fuzzy Hash: f07441292bfff178c595afbbcc38645810adb947e936d7b767f87ba5706f83c7
Instruction Fuzzy Hash: 3641E071E05228DFEB24CF64C944BD9B7F1EB0A304F0084EAE249A7280D774AAD6CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0269A6EC, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aea2e159f83bc4d87e0d085ca5cde974a4b1f4764f52c8f9ba0183739258c12
Instruction ID: 1092f2f3f8d360ee4fc52314908a77f0d157d9815027ddb1a7d0d8659a4f9f23
Opcode Fuzzy Hash: 1aea2e159f83bc4d87e0d085ca5cde974a4b1f4764f52c8f9ba0183739258c12
Instruction Fuzzy Hash: 76213DB6544304BFD610CF4AEC41E57FBE8EB88A60F14C91EFD4997211D271E9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0269A944, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfcf84c9453e0c42bb7dec0a081e9589b7f1b16f5a10e6e8fd1863d6cc0adc1e
Instruction ID: 1d117e6d0d8d1e82c520c5a56cbaf4c73c65546a06aa39017e454754392b2045
Opcode Fuzzy Hash: dfcf84c9453e0c42bb7dec0a081e9589b7f1b16f5a10e6e8fd1863d6cc0adc1e
Instruction Fuzzy Hash: BC213DB6544304BFD610CF4AEC41E67FBE8EB88A70F14C91EFD4997210D271E9158BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0269A818, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05e0896f6f98b74097919131bc2449588ef507c5c307fd6aa45c70dd6d16b92
Instruction ID: 49fa8e75a67ff6761bddbaaee4bb334c384b2437977de4721092d3ba5acec373
Opcode Fuzzy Hash: e05e0896f6f98b74097919131bc2449588ef507c5c307fd6aa45c70dd6d16b92
Instruction Fuzzy Hash: 47214FB6544304BFD710CF4AEC41E67FBE8EB88A60F14C92EFD4997200D271E9158BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DA001C, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f514d88e5a48398f2ec2acbf1cfdaecf1297304c9226c30c6aaeff09c5f5bd
Instruction ID: 69574a3df06f13889daf8ab36b805f1dfaacfcf7dcf703401e00bd87ee89b858
Opcode Fuzzy Hash: 63f514d88e5a48398f2ec2acbf1cfdaecf1297304c9226c30c6aaeff09c5f5bd
Instruction Fuzzy Hash: 7C21A170D4A3849FC706DFB484655AEBFB0EF07200F0A84DBC485972A3DA38595ADB62

Uniqueness

Uniqueness Score: -1.00%

Function 0269A3A8, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4406a14f26f698a5b8153243c7e168377281f0aa9baea3d5c52f4ed14b5f79eb
Instruction ID: fe413e12f1a42b07e2bf42191d245c8ee770b8904e27ee4b700d940576f1f4ea
Opcode Fuzzy Hash: 4406a14f26f698a5b8153243c7e168377281f0aa9baea3d5c52f4ed14b5f79eb
Instruction Fuzzy Hash: 29219F76644304BFE6108E4AEC41E67FBECEB88A70F14C91AFD0956210D272B9058AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0269A95A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310cfb538f7e689725c58c867e2e04fcd15342c925a5a7266e071a0b58523c78
Instruction ID: 944d12773a231aaf78aef8efee52fc7a1548ca0ad27e8314fbb7725baa4af353
Opcode Fuzzy Hash: 310cfb538f7e689725c58c867e2e04fcd15342c925a5a7266e071a0b58523c78
Instruction Fuzzy Hash: F5211DB6544304AFD610CF4AEC41A57FBE8EB88630F14C96EFD4897311D275E9158BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0269A82E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23918155895a7ac520590dd561780a0039ffae3afaf018f0cd038d46cdea9a16
Instruction ID: 5148f7d552de4a65d0c98e2f05fa0e32898c9c96f5ad4e908e3bcf5442df2dfc
Opcode Fuzzy Hash: 23918155895a7ac520590dd561780a0039ffae3afaf018f0cd038d46cdea9a16
Instruction Fuzzy Hash: 5A213AB6648300AFD610CF0AEC41A57FBE8EB88620F14C92EFD4897301D275E9158BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0269A702, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1472851d03a22f8bace6a40e0fbc58fe45a3bb6e6107dbf9529f6cea42fb0a7
Instruction ID: b9ea15efd218168b7df94b40294faf83e6b4754458c47d9761c2424e333dc797
Opcode Fuzzy Hash: f1472851d03a22f8bace6a40e0fbc58fe45a3bb6e6107dbf9529f6cea42fb0a7
Instruction Fuzzy Hash: 9F211AB6648304AFD610CF4AEC41A57FBE8EB88620F14C92EFD4897311D275E9158BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0269A190, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74af5a3a0ecdcb94dae047bc7d4be52f9d7a6bbbb33d8c943bf67a89ebab603f
Instruction ID: 2377cffe449898c937445c88565b380ab829d78e5bfb02ba0881f22460343f99
Opcode Fuzzy Hash: 74af5a3a0ecdcb94dae047bc7d4be52f9d7a6bbbb33d8c943bf67a89ebab603f
Instruction Fuzzy Hash: 7E11D672604304BFE6108E4AAC41E67FFACEB84A70F14C55EFE095A201D672F9048BB5

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9560, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1142a6b2200cc5312d5db366e4c282d404114c4d76f77caf2abac7404820615
Instruction ID: c7cfc543284caa9cd3e553d1bb4ca5835d4a5ba9d3a324a74a637597716099c3
Opcode Fuzzy Hash: c1142a6b2200cc5312d5db366e4c282d404114c4d76f77caf2abac7404820615
Instruction Fuzzy Hash: 4F21D6B4E04218CBDB04DFA9D5946EDBBF5FF49300F1898AAD815A3240E7389A50DF55

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9550, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4813237a167d5ef1e01fc18690eef7b1e97b922f0ae072798e306d87ab5444
Instruction ID: 901c496ffc2550aaf98d2b483aa5dea568a2a1493443d203e5fc08dbd47f015b
Opcode Fuzzy Hash: 7b4813237a167d5ef1e01fc18690eef7b1e97b922f0ae072798e306d87ab5444
Instruction Fuzzy Hash: 6A2119B4E09208CFCB00DFA5D5A82EDBBF5FF49300F18989AC855A7240E7389A51DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0269A5D6, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbdb9ae22fbe541801eb8e7390c02fa3a391fac1c5fdae2f7ff39dd3e059dd9e
Instruction ID: 65d8ac78917f99976919d436bcd8ce9adda3a139f526beff85e7702848768edb
Opcode Fuzzy Hash: bbdb9ae22fbe541801eb8e7390c02fa3a391fac1c5fdae2f7ff39dd3e059dd9e
Instruction Fuzzy Hash: 6A119376644304BFD6108F4AEC41E67FBE8EB88630F14C56AFD085B311D276F9158AA6

Uniqueness

Uniqueness Score: -1.00%

Function 0269A3BE, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c178a9839d24d3b3474c6398509c35b2d7111cd407ba182033979c65261a245
Instruction ID: a5a9c7dffd57a21377b59aa31787e3855676bc860e4c74ae947c987e8351ef8e
Opcode Fuzzy Hash: 9c178a9839d24d3b3474c6398509c35b2d7111cd407ba182033979c65261a245
Instruction Fuzzy Hash: 2011D372644300BFD6108F0AEC41E67FBE8EB88630F14C52AFD085B200D276F9058AA6

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9420, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7003fe8dcf4ae7c13d2cb15c158ba733f9229e10097c9639de722f396d6996
Instruction ID: 4f6bb04d6358a5f4d063ea3f8f09ad2a17fea623f96373921d62e69068915510
Opcode Fuzzy Hash: 1b7003fe8dcf4ae7c13d2cb15c158ba733f9229e10097c9639de722f396d6996
Instruction Fuzzy Hash: 802107B4D45208DFDB04DFA5D5583EEBBB4EB49311F1098A9C806A3240E7B86A50DF99

Uniqueness

Uniqueness Score: -1.00%

Function 04DA0070, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1fdc407eb6dccbf920b79c776de929d847cf540f45abefcf00546b82488c03
Instruction ID: 386fd9f1eb5a9fbd9697bad22191b37aea94aa6f28cc58a05ab6ab4c214efd6c
Opcode Fuzzy Hash: 8c1fdc407eb6dccbf920b79c776de929d847cf540f45abefcf00546b82488c03
Instruction Fuzzy Hash: D5219D74E41249DFCB44EFA8C054ABEFBF4EF49300F0494A9C915A3390CA309A50DF59

Uniqueness

Uniqueness Score: -1.00%

Function 026F0724, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334750164.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c4a22937c54d19b5a792cd96f11920f44aa85e4c974d65df2885a8074e288d
Instruction ID: 50e1ba49eb981df6a4a7c57fd412bcb084d6a7628f0c0cc307a6ef0f8d74f5b5
Opcode Fuzzy Hash: e4c4a22937c54d19b5a792cd96f11920f44aa85e4c974d65df2885a8074e288d
Instruction Fuzzy Hash: 7221BE3550D7C09FD7038B20D960B51BFB1AF47314F1986DAD8888BAA3D33A9806CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0269A1A6, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440c74e96e8f6b6eab644533695ee2262482ff9b116e4a44e54135e6a600624a
Instruction ID: 3b49b6399383860c3f293d25fd1e5633fb112bc89289da53458a851a329d8c11
Opcode Fuzzy Hash: 440c74e96e8f6b6eab644533695ee2262482ff9b116e4a44e54135e6a600624a
Instruction Fuzzy Hash: DE11E372604204BFD6108E0AAC41E62FBA8EB84A30F18C56BFD085A201D272F9048AA5

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9AB7, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9afff2a58b3424f7af0c6a74c15f9f2df6aa0ad9cf799c625b57396b1e90f8b0
Instruction ID: d5bfa26ad889f27b72bd0bb84828e1f9bdfe59b7ba8451c0b1a4ad4a01fa5a92
Opcode Fuzzy Hash: 9afff2a58b3424f7af0c6a74c15f9f2df6aa0ad9cf799c625b57396b1e90f8b0
Instruction Fuzzy Hash: A01179B0E01249DFCB04EFA4D4A05AEBB72FB86300F2084A9C41663395DB34AD02CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 026F075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334750164.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b222a7208192c2d5bbc2854dbd9912ffa205e164f5e135aded78fa96e9a3283e
Instruction ID: 09c20b177af37bb719607bcfdf015474b7724cbf977bc9a6484c7df470e9d020
Opcode Fuzzy Hash: b222a7208192c2d5bbc2854dbd9912ffa205e164f5e135aded78fa96e9a3283e
Instruction Fuzzy Hash: CC11B434204244EFDB55CB24C984B26BB95EB89708F24C5DDEA491B757C777D803CE51

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB95C, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85bae8cb4e5cc6490602015dca521f20820a8d2756cf29566ec94d8aaae07436
Instruction ID: 4e8ed8f64128056106283a4b1ecb56a053a531ae70b44c6ee4fd1da5f05119bc
Opcode Fuzzy Hash: 85bae8cb4e5cc6490602015dca521f20820a8d2756cf29566ec94d8aaae07436
Instruction Fuzzy Hash: F621E275900268CFDB24CF60C888BDDBBB5BB09305F1084DADA49A7290D775ABD6CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0269AAF5, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34eb1dbf6c1f6389440521925a1b81d6d0c5d5df6e8d3d1225117e3bd94128d
Instruction ID: e5d68ea733db64c5c523655d54ce8a3c8648c4e5b69d70f7c879fc7235d64b76
Opcode Fuzzy Hash: e34eb1dbf6c1f6389440521925a1b81d6d0c5d5df6e8d3d1225117e3bd94128d
Instruction Fuzzy Hash: D311AAB5508301AFD350CF19D881A5BFBE4FB88664F14895EF998D7311D375E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8AF8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83670c6b449df9eb89894d438cae1807c82118bdbaba2706b69b9679ef9f42f7
Instruction ID: f38ab1d21232ac30ea9cb53c13a7dfb70291b2f8db16680c8318b7739c728b4a
Opcode Fuzzy Hash: 83670c6b449df9eb89894d438cae1807c82118bdbaba2706b69b9679ef9f42f7
Instruction Fuzzy Hash: 7521A4B4E04209DFCB04EF98C585AAEBBF5FF49310F108169E805AB350DB34AA55EF94

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8AEB, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c73c3abea305eeb7bbe752130a148bca84e684b144ba71000a610fb91b92ca
Instruction ID: 47fed2d3fe0b1ca6d4038cafdd2d88a2b8dca3f4456aa322d06d99c2bb94fee6
Opcode Fuzzy Hash: a5c73c3abea305eeb7bbe752130a148bca84e684b144ba71000a610fb91b92ca
Instruction Fuzzy Hash: 69210AB4E04209DFCB04EFA4C5819EEBBB5FF59310F1080AAD845AB350DB30AA55EF94

Uniqueness

Uniqueness Score: -1.00%

Function 04DA1FDD, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c1901a1383f97e75d50f088e8d35503d31ac0ca2ae62cb1c81211d88b394b36
Instruction ID: b89da463cc9cc2aa418908d861bf8330c15a4cb45cf0ecc773f06699758a1bdd
Opcode Fuzzy Hash: 0c1901a1383f97e75d50f088e8d35503d31ac0ca2ae62cb1c81211d88b394b36
Instruction Fuzzy Hash: 02118E79E08298CFCB00CFA1C4846ADFBB4FB15314F14959AD8996B206D730EA95CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04DA940F, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae6aca4456331bb39a24c38021a69ac82d6e4a7c8ef90defe712d14ebb7fdcf
Instruction ID: 31da7c8d795853775022d48bebce69562a61098d25603866921cd7a137a21fbb
Opcode Fuzzy Hash: aae6aca4456331bb39a24c38021a69ac82d6e4a7c8ef90defe712d14ebb7fdcf
Instruction Fuzzy Hash: BC11C0F0D0A208CFDB00DFA491683FDBBB4EB06300F104CEAC445A2241E7B89B60DB99

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9AC8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336b62fdaf17284571dd8980ab3d7f84e1f00fb065239b94389b2bc367f2ba97
Instruction ID: 6b20e74ebe85e97cbaf83c82bcf380b67840f7718eed3357f2fa93a0652b5553
Opcode Fuzzy Hash: 336b62fdaf17284571dd8980ab3d7f84e1f00fb065239b94389b2bc367f2ba97
Instruction Fuzzy Hash: 8F112E70E40249DBCB04EFA4D4549AEB776FF86301F1084A9C41673394CB35AD41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB47C, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d33051710fab052603619f833d47ac0100d5139f963aed0923f1999c87abf6
Instruction ID: 7fefd84ed3e39140e9826e3d374105e994408b43111551275514f6a4c4c6ae2e
Opcode Fuzzy Hash: 01d33051710fab052603619f833d47ac0100d5139f963aed0923f1999c87abf6
Instruction Fuzzy Hash: B021C075900228CFCB20CF64C984BEDBBB5AB49305F1484DAEA49AB280D774ABD5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8180, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a079f7c129066c5dacbdb9da0911dedf3e2c50efa74fd5d17f9336c3fe826ae
Instruction ID: f3daaa14558b4facc369f38f56a3fa67392caa1ee29dd1c8ab7a18c9348d51a2
Opcode Fuzzy Hash: 4a079f7c129066c5dacbdb9da0911dedf3e2c50efa74fd5d17f9336c3fe826ae
Instruction Fuzzy Hash: 351127B4E04248DFCB04EFA8C4845AEFBB1FF89304F2080AAD815A3341DA345E42DF95

Uniqueness

Uniqueness Score: -1.00%

Function 04DA1358, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff954b41e2f21ef3397451516fb8df962416061c714bbd623590be422adffd11
Instruction ID: 12c687097d2d962dffd0293f8b37c3db85c62c96ca507c7a8342e03b6bbeb930
Opcode Fuzzy Hash: ff954b41e2f21ef3397451516fb8df962416061c714bbd623590be422adffd11
Instruction Fuzzy Hash: 4D1169B4D00209DFCB04DFA8C584AAEBBF1FF4A310F1095AAD814AB361CB306A45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 026F05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334750164.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33c45028aced30fda84ccb17fa4f60fd4c09361d7e3d059737740a61f724b94
Instruction ID: 00a612568e73d857c83161a654af464a7e8b610e4aa91efcced3f8e93205b209
Opcode Fuzzy Hash: a33c45028aced30fda84ccb17fa4f60fd4c09361d7e3d059737740a61f724b94
Instruction Fuzzy Hash: 35F0F9765497805FC7018B06EC418A3FFE8DF4623070980ABFD488B612D125B959CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04DA2037, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413805a619c3213290a0bb9db7a1a372cb3016e7dccfdf6ae7c65e66b3bc1f0d
Instruction ID: beb4ebc8f9be53226ca5faba0de43dff4caa010bfbf13b3f29826f3c62a3c9f8
Opcode Fuzzy Hash: 413805a619c3213290a0bb9db7a1a372cb3016e7dccfdf6ae7c65e66b3bc1f0d
Instruction Fuzzy Hash: 0D01A430F00166CBDF01EBB9C8445AEFB66BF84300F2049A9D715AB205DF72AD11CB85

Uniqueness

Uniqueness Score: -1.00%

Function 04DAA3DF, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faff96106ff4548f8c3fb443adff605044aece6a64b74a74b8c4be513b231607
Instruction ID: c3a0f1de14ec1ff5418190ede3f951db9b41b6507fb85381f4627114853ff2a1
Opcode Fuzzy Hash: faff96106ff4548f8c3fb443adff605044aece6a64b74a74b8c4be513b231607
Instruction Fuzzy Hash: B7F02B71945345CBC71ADFA0D5412BC7776EB82304F201ADBC44807392D736BAA7DB80

Uniqueness

Uniqueness Score: -1.00%

Function 04DA153B, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd146e0bd76c820f6ad863ed062cea9243c9ef645089434638ec0fc80629aae
Instruction ID: 9a50448d5faa73eaa5c8d453b60826b7d3d67b113db80d66f246824a73b01aa9
Opcode Fuzzy Hash: 6bd146e0bd76c820f6ad863ed062cea9243c9ef645089434638ec0fc80629aae
Instruction Fuzzy Hash: E101D630504206CFC703EF24E9809AC7F76FB4231CF109A66ED011B269DB316962CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9390, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a44f68130d606f3451f0d67ccbde140f805216fc57dd498302d23f7abe91187
Instruction ID: dbc4174be2a29404f0eb4d501ad8186db759ff84fe96c6023762bdfcbc358b91
Opcode Fuzzy Hash: 2a44f68130d606f3451f0d67ccbde140f805216fc57dd498302d23f7abe91187
Instruction Fuzzy Hash: 04018BB0E49244AFCF05DFB8C6904ADBFB6EF86300B20549BC814A7390CA315A11CB84

Uniqueness

Uniqueness Score: -1.00%

Function 04DA1368, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0bc99adcb2b74becbb348e6bf4a4e5d599e3edd635370f1c453abf27b2ecded
Instruction ID: a5e7da124e4db5caeb18912a37947867042b202e24938fc93b002fbb175243ed
Opcode Fuzzy Hash: c0bc99adcb2b74becbb348e6bf4a4e5d599e3edd635370f1c453abf27b2ecded
Instruction Fuzzy Hash: CB01D6B4D00209DFDB04DFA9C184AAEBBF5FF49310F1485A9D814A7361DB31AA54CF95

Uniqueness

Uniqueness Score: -1.00%

Function 04DAA420, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 593b835a8627c158377487db5e0b4fbc6ba68e296a520017d1fd17ee9de4a096
Instruction ID: 19c546ded994f10f929a23c0c5fccf63e89f576418afa8c31cca78df6604d094
Opcode Fuzzy Hash: 593b835a8627c158377487db5e0b4fbc6ba68e296a520017d1fd17ee9de4a096
Instruction Fuzzy Hash: 94F02470549246DFC706DF60D60456DBF24EB47201F1019CAC44D07253CB366A52DB81

Uniqueness

Uniqueness Score: -1.00%

Function 04DA93A0, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc77b6f7546cf4b64737c1939bf2887af1481e9dd83f14ae95fc7131c17363b6
Instruction ID: 816224bf09586b73f59e7cb8ef6fb49b0b998a02da8e33e931af4103825d9bd7
Opcode Fuzzy Hash: fc77b6f7546cf4b64737c1939bf2887af1481e9dd83f14ae95fc7131c17363b6
Instruction Fuzzy Hash: E1F090B0E05208EBCF44EFB9C55096DBBBAEF85300F2094AEC80567380DE319E50DB89

Uniqueness

Uniqueness Score: -1.00%

Function 04DABB86, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abc487323a5c2ac40e6e7a86fe2bd6c70ed2ef62d68e26affaa8e871bba9726
Instruction ID: 7c95ef612b788e0a15c8041b797e5618058d9e34dda046121d4661f44c282fa2
Opcode Fuzzy Hash: 2abc487323a5c2ac40e6e7a86fe2bd6c70ed2ef62d68e26affaa8e871bba9726
Instruction Fuzzy Hash: E6015E74900228CFDB60DF24C995BDCB7B1BB4A304F2085EAD64DA7244DB34AE96CF80

Uniqueness

Uniqueness Score: -1.00%

Function 026F0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334750164.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 0f0edcb3fde15228ddcf2f85529e7a8afa95aba9c4be2d918e57ce79bb184671
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: CEF01D35108644DFC715CF40D940B15FBA2EB89718F24C6ADE9490B756C337D813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 04DAC088, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1edfa96a2762e16a55e2ab0d819b00b8fd0ca0c34c705d85e283ef74a6669937
Instruction ID: 064066a2165ddd9d652129456145daf28cff4acab0cc5c052da54035e8f5df41
Opcode Fuzzy Hash: 1edfa96a2762e16a55e2ab0d819b00b8fd0ca0c34c705d85e283ef74a6669937
Instruction Fuzzy Hash: 9FF05E75944249EFCB02CF94C940AADBFB1FF4A310F10859AE85897262C7329A62EF45

Uniqueness

Uniqueness Score: -1.00%

Function 04DA262E, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb703f835837d86977b90e4542db1c05425a47edc9821557b5e9f8f3c1b6c99
Instruction ID: e18d339ecf81182fd30608f2dd43e103abb7134b78291eb6fe426ac8984cd407
Opcode Fuzzy Hash: cdb703f835837d86977b90e4542db1c05425a47edc9821557b5e9f8f3c1b6c99
Instruction Fuzzy Hash: C3011270A01248CFDB20DF24E988B9CBBB1FB09301F1489AAD90AA3350CB74AD81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 04DA902E, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d9f880f8454febaf0f9d9add32667a65024fca1aef91e35809319792d196c31
Instruction ID: 0dc20dc13e1ca15cce0cbf30e16dd6fe72cf816a150ae9edc55bd34d4c3a9fbd
Opcode Fuzzy Hash: 4d9f880f8454febaf0f9d9add32667a65024fca1aef91e35809319792d196c31
Instruction Fuzzy Hash: F5016C74E012288FEB60DF28D885B9CBBB1BB49304F4081EAE94DE3341DB305E859F21

Uniqueness

Uniqueness Score: -1.00%

Function 04DAAB91, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842b9a30fdc470877d3bc1f29be7bca6430d0361aabbbee98ff20b755eea5ee0
Instruction ID: 38b4f9ae09afdb6b88942f651a0b3770c938e805d69eb212210dde3a02faa949
Opcode Fuzzy Hash: 842b9a30fdc470877d3bc1f29be7bca6430d0361aabbbee98ff20b755eea5ee0
Instruction Fuzzy Hash: A8F0E530D85248DFC701DFA0D2545ADBB75FB4B300F1066EAC01557391CB306A52CF44

Uniqueness

Uniqueness Score: -1.00%

Function 04DAC1B7, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ac744cafaddc08bb86e711ccbec74904b62f6d8dc5dc45bf583f5f2941265c
Instruction ID: 057fbc3fc69ee3691a9705a495ad5c7ca2874fcbc3809cfc37fefa53c30c1ea8
Opcode Fuzzy Hash: a8ac744cafaddc08bb86e711ccbec74904b62f6d8dc5dc45bf583f5f2941265c
Instruction Fuzzy Hash: D9F082749482499FCB01DF90C5545ACBFF1EF46310F1184DEC88487252C6359B52EF40

Uniqueness

Uniqueness Score: -1.00%

Function 026F05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334750164.00000000026F0000.00000040.00000040.sdmp, Offset: 026F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a0314fb01a997fec3af0ee4640a986daec8734d9295ab180793b4caa9bc92aa
Instruction ID: 723f48fddb6a45b0883ec52b958e83e974ccee486284c632dbdf054d8b24e5b6
Opcode Fuzzy Hash: 6a0314fb01a997fec3af0ee4640a986daec8734d9295ab180793b4caa9bc92aa
Instruction Fuzzy Hash: 8FE09276604A008BD650DF0BEC41452F7D8EB88630B18C07FDC0D8B700E535F505CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 0269A8E7, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deaa7ee1b222a71897d3158b45d7fc67c408fceac662bb95996bdd7692f137db
Instruction ID: f0169d3d523ce20dd3b9370a00070b51436f4f127dc766f0908fca43f222a0e5
Opcode Fuzzy Hash: deaa7ee1b222a71897d3158b45d7fc67c408fceac662bb95996bdd7692f137db
Instruction Fuzzy Hash: 4BE0D872540704A7D2109F069C42F63FB98DB44A30F14C55BED085B301D1B1F5148EE5

Uniqueness

Uniqueness Score: -1.00%

Function 0269A567, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e64a161d411f6b76fba8fa8903bad6974b6e7eb5638a16ff24b163b3bda7549
Instruction ID: 8d090ebcc6b474bf197f021c4c1fe7ed5b63662c6ae6cc4bd7443721e659db76
Opcode Fuzzy Hash: 6e64a161d411f6b76fba8fa8903bad6974b6e7eb5638a16ff24b163b3bda7549
Instruction Fuzzy Hash: FCE0D87164070467D6109E069C82B53FB98EB44930F14C557ED085B301D1B5F5048EE5

Uniqueness

Uniqueness Score: -1.00%

Function 0269A34F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e846b8ef8570f3f5c55cd4c9bf8173dae20467bb893b1a1c0732b7817a35337
Instruction ID: 7d4849126f5bac8cde2fcca45533afd5e99bbbbeef648afcc3af75f23aff1946
Opcode Fuzzy Hash: 4e846b8ef8570f3f5c55cd4c9bf8173dae20467bb893b1a1c0732b7817a35337
Instruction Fuzzy Hash: D6E0207164170067D6509F0ADC42B53FB9CDB44930F14C557ED0C5B301D1B5F5048EE5

Uniqueness

Uniqueness Score: -1.00%

Function 0269AB57, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feadbc8f7a0e510903a5f9055b2e255900e7a23a37dbf35222d41196d73e73b0
Instruction ID: dc70c3b3fc2ba9a18cc1289d285bad0c3d202b7688c61c84779c5fb0a5ae5cf8
Opcode Fuzzy Hash: feadbc8f7a0e510903a5f9055b2e255900e7a23a37dbf35222d41196d73e73b0
Instruction Fuzzy Hash: AEE0D87254070067D2109E069C82B53FB98DB44A30F14C557ED0C5B302D1B5F5148EE5

Uniqueness

Uniqueness Score: -1.00%

Function 0269A138, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c94507230a7ef4018ca2506e8356a0a0be9570968631d8bf8b648bb5f66dee68
Instruction ID: f7dac273c0c3642995cb62b51d10f8a12a01d1bf36b9d026c43d257d191f4464
Opcode Fuzzy Hash: c94507230a7ef4018ca2506e8356a0a0be9570968631d8bf8b648bb5f66dee68
Instruction Fuzzy Hash: F2E02071540700A7D6509F06EC46B53FB9CDB44930F14C557ED0C5B301E1B5F5048EE5

Uniqueness

Uniqueness Score: -1.00%

Function 0269A7BB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f2725ddc4b872565c3fafb5b1c9d1a047e443278a80fd244bd079755bf0865
Instruction ID: b76a7c35c289a97a2c2b537bed584e757ae5b9c2f024c4d564d1f44529b001d8
Opcode Fuzzy Hash: 40f2725ddc4b872565c3fafb5b1c9d1a047e443278a80fd244bd079755bf0865
Instruction Fuzzy Hash: 70E0D872540700A7D2109F069C42F63FB98DB54A30F14C56BED085B301D1B1F5048EE5

Uniqueness

Uniqueness Score: -1.00%

Function 0269A68F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334610163.0000000002692000.00000040.00000001.sdmp, Offset: 02692000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3e824db6be26f455cfc315e3c208fc9fd2f32e1b250fe5b3aef2dea6550778
Instruction ID: 3bdb07a368be71f02c15e8e42f3d3e820bf376793c2f19c8e31a8ff7a0dcba40
Opcode Fuzzy Hash: fb3e824db6be26f455cfc315e3c208fc9fd2f32e1b250fe5b3aef2dea6550778
Instruction Fuzzy Hash: 96E0D872540700A7D2109F069C82F53FB9CDB44A30F14C55BED085B301D1B1F5048EE5

Uniqueness

Uniqueness Score: -1.00%

Function 04DAB8BD, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4140203e5fb1447cf2eedf65c8e4527cb077417a728bf53be9a6d564b0c73a5
Instruction ID: eed8c95f5dd920a23d94eb8a888ab259b5ea3f1866b8ec6b581f8ae0a6f71f1e
Opcode Fuzzy Hash: b4140203e5fb1447cf2eedf65c8e4527cb077417a728bf53be9a6d564b0c73a5
Instruction Fuzzy Hash: 90F09D35900128DFCB60CFA4D884BE8B7B5BB49304F1484DAE658AB251C731AA96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 04DABCCD, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae76d093539a9aeee4b472d4db3cbd5c92adbbade787c2c8093a17c9e81b02a2
Instruction ID: 2783d0536f4b9c2520321b8cdeb48e4b103d4b7583dc60a45b3efd27a2496163
Opcode Fuzzy Hash: ae76d093539a9aeee4b472d4db3cbd5c92adbbade787c2c8093a17c9e81b02a2
Instruction Fuzzy Hash: D5F0DF759042189FCB50CF64C880BE8B7B5AB49304F14849AE658AB280CB35AE96CF54

Uniqueness

Uniqueness Score: -1.00%

Function 04DAC098, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e57f298100efc49e2450a48455d9eb1040570cdd77349103b9a5d8e9f18cec
Instruction ID: 17020c302e8717a202281631d4f197172483dbd47cff36885f5396ee0ddb8331
Opcode Fuzzy Hash: f7e57f298100efc49e2450a48455d9eb1040570cdd77349103b9a5d8e9f18cec
Instruction Fuzzy Hash: 74F01534A00208EFCB01DF94D940AADBBB5FB48310F1084AAEC0853351D732AA61EF85

Uniqueness

Uniqueness Score: -1.00%

Function 04DA2A17, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591b242611a52e2990606d604f16a96f511a63760c3dc4373f27fb2d5ea4bd1d
Instruction ID: 43f8adc5926ec56736acfdab856f01f7d27196baee3007a8f5beff1dbde69dea
Opcode Fuzzy Hash: 591b242611a52e2990606d604f16a96f511a63760c3dc4373f27fb2d5ea4bd1d
Instruction Fuzzy Hash: 7FE09234A492899FC722DF65D5454687FB0EF47200B1548C9C8C48B263D635A663CB96

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9BEF, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3841ac469082368268a30c9dec7c4ab6d8e4b19263ac6e4cebdc57ef9445e7e2
Instruction ID: a8069ac2df2e7bd28957df2b3d577644179d0c501eae2236434dd511e5f401cb
Opcode Fuzzy Hash: 3841ac469082368268a30c9dec7c4ab6d8e4b19263ac6e4cebdc57ef9445e7e2
Instruction Fuzzy Hash: 52E0D8F0D0D3849FC712AFB0A4A01EC7FB0DF06204F2248EAC48056293EA355AA6DF95

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8728, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfff7797c1e08b8177000d2aaa4db0a4dea7faaff821c951a56e4c84eea6196
Instruction ID: a898bded22c17db8450a63761b3a51b307fa2254b03b1e7ce2ea81f8639f42fe
Opcode Fuzzy Hash: fcfff7797c1e08b8177000d2aaa4db0a4dea7faaff821c951a56e4c84eea6196
Instruction Fuzzy Hash: F6E0DF326892849FC302EFA8D5914A87F70EF1B200B1644CACC888B263D6346A63DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DA997B, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de0b697bca0b944abf3b0d48922c4c0f5af9a6d560a0683fe90bb9de9165c3c
Instruction ID: 430fe1df7e0f7a2c11cc33722a68ebc76f723281d9faee6db2de4c821edb8cd2
Opcode Fuzzy Hash: 6de0b697bca0b944abf3b0d48922c4c0f5af9a6d560a0683fe90bb9de9165c3c
Instruction Fuzzy Hash: F5E092B4D09348AFD702DFA0D0901ACBFB4EB46300F2044EAC88457352D6355A56DF42

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9D38, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 649e8a4e311beeb135a6caa476b7c53f1b34ce4d85526d19e713b583c51fb1d2
Instruction ID: a2655426efd1cf901745c20151518d7b6369f4ababfc1c382a5cf922b13dcc78
Opcode Fuzzy Hash: 649e8a4e311beeb135a6caa476b7c53f1b34ce4d85526d19e713b583c51fb1d2
Instruction Fuzzy Hash: CEE092B064E2C5DFCB12DBB496500A9BFB0EF432047151CCAC4C08B1A3C1306662DB41

Uniqueness

Uniqueness Score: -1.00%

Function 04DA813F, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192c29918e48b9ffdeb9c9014f263fef5284f342843fd26c7840a8b556fe61f5
Instruction ID: 8b2c16eff9927206437fd7e380755848f9d4f478ebfabc0ecd2ed5c002ed9069
Opcode Fuzzy Hash: 192c29918e48b9ffdeb9c9014f263fef5284f342843fd26c7840a8b556fe61f5
Instruction Fuzzy Hash: 75E0DF78B89685EFC702EB68E5800987FB4EE4320079405C2C8C6DB263D67069139B40

Uniqueness

Uniqueness Score: -1.00%

Function 04DA7EE3, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb13dd79d2f04d5c643907bef6992f5740a86b5d4f13d1e1292cf8113be4d45
Instruction ID: 42ab2a5467f59aab2300d44196a2ffe8954d461d15fb27f8a2eeed8b31c765f1
Opcode Fuzzy Hash: 1bb13dd79d2f04d5c643907bef6992f5740a86b5d4f13d1e1292cf8113be4d45
Instruction Fuzzy Hash: FCE065B4D0A248EFDB01DFA4D0886ACBBB0EB05300F1440EBD84897352E634AA52DF42

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8298, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d23965e0c3ab3e8674285acff840782aec49ed030d7a0fad5a6bb5fc14d5fee
Instruction ID: c104cab592acd1fd6f17261f71428689f4284bdb7d2a1868be43d2af74a466ab
Opcode Fuzzy Hash: 4d23965e0c3ab3e8674285acff840782aec49ed030d7a0fad5a6bb5fc14d5fee
Instruction Fuzzy Hash: DAE0DF30985208EFCB00DFA0E1842ADBBB2FB8A344F2061A6C81953201C7316691EF81

Uniqueness

Uniqueness Score: -1.00%

Function 04DAAA10, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bccc2c5f6b01ec9fff6fdbe01a9289694747bd2b9e6985aff69f95666324c6
Instruction ID: 30a863370faec15e37dde7892bd1ff99371c4560cf3c710cf77ed4d4bb1afdb9
Opcode Fuzzy Hash: f7bccc2c5f6b01ec9fff6fdbe01a9289694747bd2b9e6985aff69f95666324c6
Instruction Fuzzy Hash: DAE09A746482869FC702DFA8C2504A8BFF0EF06204B1505C9C8C4CF263C635AA67DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04DA23C5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e9b5dc06dae1dffd30914276fa49f23ffd3453ba96aef2138cb3c0c9fef779
Instruction ID: ef314a48f3642383c042b39f37ff98c6df9267c774864d9fd8cf90f19153f0a7
Opcode Fuzzy Hash: 63e9b5dc06dae1dffd30914276fa49f23ffd3453ba96aef2138cb3c0c9fef779
Instruction Fuzzy Hash: 39F0CA34E8111ACFCB24DF24E994BACBBB5FB49300F0098E8D41AA2654EB309A95DF11

Uniqueness

Uniqueness Score: -1.00%

Function 04DAABA0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532e60d21f7387c5b762932a0aa10ce1c557f42e832c4a79654e80ce134ac95d
Instruction ID: c4bb860c327ef2b45cd9d5343eb1fc8ad89e664d58c317b416f5901e9c9e94d5
Opcode Fuzzy Hash: 532e60d21f7387c5b762932a0aa10ce1c557f42e832c4a79654e80ce134ac95d
Instruction Fuzzy Hash: 34E04F70D45208DFC704EFA4E5486AEBBB9FB49301F2096AED80563344DB306AA4DF89

Uniqueness

Uniqueness Score: -1.00%

Function 04DAAB18, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c11f22cc6562bb7189651fd5a0909466e57757b716873122601a5044569b30a
Instruction ID: 1222b31996d87cc103733b14469c0f12264e266691ec667cb8064d527f5fd8e0
Opcode Fuzzy Hash: 3c11f22cc6562bb7189651fd5a0909466e57757b716873122601a5044569b30a
Instruction Fuzzy Hash: E6E0D830A492C99FC701DFB8C9414A87F70EF0320070509C6C4848F163CA346A27D755

Uniqueness

Uniqueness Score: -1.00%

Function 04DA0301, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7698a1c90a4285d1a643c7fc9e04f77e8c819f22739c3994fbbb866fed73268b
Instruction ID: ded1c34e7a60be354ba75c2055b909474c5c017ce41920c61ad5174690b17220
Opcode Fuzzy Hash: 7698a1c90a4285d1a643c7fc9e04f77e8c819f22739c3994fbbb866fed73268b
Instruction Fuzzy Hash: 76E09A70C02204DFCB08EFA4C6416ACB3B4AF8A300F2020AAC008AB260DE709F40CA89

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9519, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e850ce9e2e417c4960b110daf5622980773e13179efabd2757d8391c0b9cecd
Instruction ID: 2de4132ecd5aa2029e3c916c9d09b639bb9eae5a58a50305f624d5e9d19d0aeb
Opcode Fuzzy Hash: 2e850ce9e2e417c4960b110daf5622980773e13179efabd2757d8391c0b9cecd
Instruction Fuzzy Hash: 2DE02BE2C49344AFE3015BE070AD2F97FB8DB17218F100CD2C94A82102E8A89B53DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04DAC1C8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e5b835d9412349df7f496f580be58ab7f829f9c78f80b2b721bf0a316702ad
Instruction ID: fc3b3d57532c237e4e035dfbb5c8bf92767125c302ee559b791254ccb14a5d1b
Opcode Fuzzy Hash: 68e5b835d9412349df7f496f580be58ab7f829f9c78f80b2b721bf0a316702ad
Instruction Fuzzy Hash: A2E0E574E04208ABCB04DF94D5446ACFBB9EB48310F2080AA984493341D636AA62EF94

Uniqueness

Uniqueness Score: -1.00%

Function 04DA15A0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3dfec4807e8ecd395504e3f2f98d79c628ea56ba3da50874b9e397707870e5
Instruction ID: c9aa75ad8c8c96477abab968df946bfeab916ca0cd9de91c06b2160c6a161048
Opcode Fuzzy Hash: 3b3dfec4807e8ecd395504e3f2f98d79c628ea56ba3da50874b9e397707870e5
Instruction Fuzzy Hash: 21E08670C00208EBC704EF54D5455ACFF75FB46301F109159EC0423340DB309AA0DB94

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9D78, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faba5baad68fd11134afc1e31241b868f19190cf9e1b2273206a0dcaa46a5759
Instruction ID: e94a299466cdc03e1ccc80dd13e9421d85d646512f539486536bfc0af588771c
Opcode Fuzzy Hash: faba5baad68fd11134afc1e31241b868f19190cf9e1b2273206a0dcaa46a5759
Instruction Fuzzy Hash: 83E07DB08893458FC302DF60C7912ACBB34EB43301F101CDAC044530A2CB3056A2E700

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9A80, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5515b8692fa6efe27965b093b7cbf00a3efaedbb27d799972f9c9931c5187a9
Instruction ID: aa60ecd29f04ec9c984a17903e1b0e3780d46510bc016b260feb475867dd444b
Opcode Fuzzy Hash: b5515b8692fa6efe27965b093b7cbf00a3efaedbb27d799972f9c9931c5187a9
Instruction Fuzzy Hash: 32E0C2B048A3889FC3118FA4A4A46A97F78EB03300F2018DFC48857552DB321962DB89

Uniqueness

Uniqueness Score: -1.00%

Function 04DA0310, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0fd8253563427f972e6b90ce277a4549873824fb71b510e72aab482987de02
Instruction ID: aa640c9c488755eac3912f4bb73c425428621c240fb13c84d5b2057fa86f5870
Opcode Fuzzy Hash: ba0fd8253563427f972e6b90ce277a4549873824fb71b510e72aab482987de02
Instruction Fuzzy Hash: F3E0EC70D41208EBCB08DFA9C541BADB3B9EF4A300F5050A9840863250DE716F50DE95

Uniqueness

Uniqueness Score: -1.00%

Function 04DA159E, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd40ebb22e0308ecd293b396f0d6deb6f836a96dcc25e04cce1e327edf2be20
Instruction ID: 3ceed687174e6797bc53c6357eadd61e4c1573ca813944fa65d65dc247b0727d
Opcode Fuzzy Hash: 4bd40ebb22e0308ecd293b396f0d6deb6f836a96dcc25e04cce1e327edf2be20
Instruction Fuzzy Hash: 32E0C230950205EFC71ADF54D245ABCBF76FF57701F10A589EC041B291CB32AAA2CB44

Uniqueness

Uniqueness Score: -1.00%

Function 04DAAA50, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32865f5c09a613e0132fbefa4c806cf782a531b41975057d332c6cd933a83316
Instruction ID: ec334643f6c09d57cf277ad2bc10be2ca2e704c5c83abe7215cd1f77e418e1f8
Opcode Fuzzy Hash: 32865f5c09a613e0132fbefa4c806cf782a531b41975057d332c6cd933a83316
Instruction Fuzzy Hash: 51E0CDB188D2428FC701DF94DB452ADBBF4E746204F100597C004C7152E7346AA7D751

Uniqueness

Uniqueness Score: -1.00%

Function 04DA9F98, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae1fe9a4852d2edaf177fde10b738a4b5f62b88845a1565acc5bea2a64bc0424
Instruction ID: 22dd7a40efb60020c2e6925a7f81003fc9c74f450e6b52a739b18e8e36585d88
Opcode Fuzzy Hash: ae1fe9a4852d2edaf177fde10b738a4b5f62b88845a1565acc5bea2a64bc0424
Instruction Fuzzy Hash: F7E08CB094A351CFCB169F60DB5966CBFB4EB87301F2028DFC0445B0A2CB305A62DB55

Uniqueness

Uniqueness Score: -1.00%

Function 04DAA3A3, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dced70c3c17fc7fd61e741d58b87f275a7b8d5b690bb7cb4d7446b9155fe1e86
Instruction ID: 0ff32708e1509b759359b7da682c5bdbd89b62b6c6c2ee21d3ad80ab21c41b67
Opcode Fuzzy Hash: dced70c3c17fc7fd61e741d58b87f275a7b8d5b690bb7cb4d7446b9155fe1e86
Instruction Fuzzy Hash: 3EE08670949281CFD706CFB4D541669BBB5AB43204B2016DBC4845B393C7365A96C745

Uniqueness

Uniqueness Score: -1.00%

Function 04DAAF58, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf83e6e80212398ec47a7b19f27429dd62e085db4c32dbe8346bd46bb1854a1
Instruction ID: 15bef2ddde15459d4acac095faf60a65e8e57289d4e1d2593e09d8dd64153b3e
Opcode Fuzzy Hash: eaf83e6e80212398ec47a7b19f27429dd62e085db4c32dbe8346bd46bb1854a1
Instruction Fuzzy Hash: 11E0C270AC6246CFC31DEF60D60867D7B68EB4A315F10298AC448572E2CB31A9A2CEC4

Uniqueness

Uniqueness Score: -1.00%

Function 04DA7EF0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e982eb7e92fdef2892fac2966df63273849d251fc7352b148b5400fd22fd1dd
Instruction ID: ea8716e81e95d0aedf47751aa412036eca73b2253873b5096be6d91a4f7b3ab0
Opcode Fuzzy Hash: 4e982eb7e92fdef2892fac2966df63273849d251fc7352b148b5400fd22fd1dd
Instruction Fuzzy Hash: D2E0EC74D05208EFCB05DFA8D144AADBBF8FB48304F2081FAD80857351E631AA55DF85

Uniqueness

Uniqueness Score: -1.00%

Function 04DA82A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20173b7ab3571b371a8fec9e598cbf1b127cb978190c0bc1cbfebc324ff5d2f1
Instruction ID: 91f5054e6b78a01b21e3edc04031640c95164d6d563a4466fb2f3c4f0904a95f
Opcode Fuzzy Hash: 20173b7ab3571b371a8fec9e598cbf1b127cb978190c0bc1cbfebc324ff5d2f1
Instruction Fuzzy Hash: FEE0EC74D4620CEFCB04EFA4E5496ADBBB9EB49304F1081AADC0963340D7346A94EF85

Uniqueness

Uniqueness Score: -1.00%

Function 04DAC208, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6936ffcb4ab6523fea85f1b34083d82d6d727b9a8301ab6b2a154068e0549fbc
Instruction ID: 6b2884f3c84f6f5b6d405bfb4270bc67dbc053fee1c2d7930dabe5d116ba3c1d
Opcode Fuzzy Hash: 6936ffcb4ab6523fea85f1b34083d82d6d727b9a8301ab6b2a154068e0549fbc
Instruction Fuzzy Hash: 50D05EB109E2C54FCF129F615B6907CBF34DF839247155DCBC0948B0B2D6629224C781

Uniqueness

Uniqueness Score: -1.00%

Function 04DAAB58, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de089df4d929fcbf55b949b141b21476407307415279ae28a638db9d8154411d
Instruction ID: 85c66c426b39385ceb0cdf88ab461607e5df2e11926399acb635bd85c9b27b42
Opcode Fuzzy Hash: de089df4d929fcbf55b949b141b21476407307415279ae28a638db9d8154411d
Instruction Fuzzy Hash: 43E02B709863048BC306EFB4864167C7B24DB43210F101FCB8009171E2DBB16A66DB44

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8150, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f96ed8d4661ae3362e98f8e6e543dcc60fd3f542733d3a843c4e65bb2d01243
Instruction ID: 154ce4825dd2b813ab74aa98b4f5fdd1a89a2034d60b71f42100ff3346934eb8
Opcode Fuzzy Hash: 9f96ed8d4661ae3362e98f8e6e543dcc60fd3f542733d3a843c4e65bb2d01243
Instruction Fuzzy Hash: 57D05E74D4520CDFC700EFA4E5496ADBBF8EB05701F1005BADC4563340EA30AAA0EB95

Uniqueness

Uniqueness Score: -1.00%

Function 04DA2A28, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4ed3810240f2c3e09e6ea67dbbedb3dba0eef1eb86a230d8aabe38871583c8
Instruction ID: 15e4ee0d5cdbd690e7fe448af2dc11ff26fb477e838d8319a0ca55986343e9c3
Opcode Fuzzy Hash: 3d4ed3810240f2c3e09e6ea67dbbedb3dba0eef1eb86a230d8aabe38871583c8
Instruction Fuzzy Hash: FBD05E74D5534CDBC710EFA4E5496ADBBB8EB05301F2000EACC4963340EA34AEA0DB95

Uniqueness

Uniqueness Score: -1.00%

Function 04DA8738, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b7dfcaea963c14626358fed1b6ef3a3ca23865c5b21156030ac576031aabb1
Instruction ID: 23e28f5bf722ff0589918edf4945865d43971b154d34a352b1fc7c0dd5a4ad64
Opcode Fuzzy Hash: 48b7dfcaea963c14626358fed1b6ef3a3ca23865c5b21156030ac576031aabb1
Instruction Fuzzy Hash: 9CD05E70D5520CDFC704EFA4E5456ACBBB8EB05201F1014AADC0863340EB30AEA0EB95

Uniqueness

Uniqueness Score: -1.00%

Function 026823F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334594525.0000000002682000.00000040.00000001.sdmp, Offset: 02682000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea8f7ea47e5a0b3795523c78c88e9cfd48f2913b5262cb2c6d53226cacf1f21
Instruction ID: 1498f5543158cdbcc17827ac220585ff8bcedee953ee04ca1e0f3d53e4235cf3
Opcode Fuzzy Hash: dea8f7ea47e5a0b3795523c78c88e9cfd48f2913b5262cb2c6d53226cacf1f21
Instruction Fuzzy Hash: D0D05E79215AC18FD3269A1CC1B8B953B94AB51B08F4644FEEC008B763C368D9D1D210

Uniqueness

Uniqueness Score: -1.00%

Function 026823BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.334594525.0000000002682000.00000040.00000001.sdmp, Offset: 02682000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6504a8e7060e471a741961b8edc8ef7e08ec5329082e93063bced4e7d6fadf7c
Instruction ID: 71c00bf9dc3f407a33aea9ffc16842731d827bb4442cab8f7504eb396643146b
Opcode Fuzzy Hash: 6504a8e7060e471a741961b8edc8ef7e08ec5329082e93063bced4e7d6fadf7c
Instruction Fuzzy Hash: 1ED05E342002818BC716EB0CC5B4F5937D4AB41B04F0645E8BC008B762C3A4D981C600

Uniqueness

Uniqueness Score: -1.00%

Function 04DA5EC9, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9466aab47f5482ce90b5cdb8f663185ba5241d788e2621778aeb9771eae8063
Instruction ID: f91628de4832b219439da0a8dee6c7a5cf664aeb31dc1e9ea1786a963ff09e63
Opcode Fuzzy Hash: d9466aab47f5482ce90b5cdb8f663185ba5241d788e2621778aeb9771eae8063
Instruction Fuzzy Hash: A2E00278E15569DFCB60CF14DC88A98BBB0FB48305F1045D6984DA3710D730AE90CF04

Uniqueness

Uniqueness Score: -1.00%

Function 04DA221B, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f02025dca8c31dd3895015aa38c4708dd992ff7df19669033555861cdc812e6
Instruction ID: 888d8c649767e4896d7c6bd7493d81c4fdd33815ff645116b112646fd283b789
Opcode Fuzzy Hash: 5f02025dca8c31dd3895015aa38c4708dd992ff7df19669033555861cdc812e6
Instruction Fuzzy Hash: 1AD05E30D44108CFCB00CF59E84468C7BB5FB09300F405998D049A7384DB34DA14CF11

Uniqueness

Uniqueness Score: -1.00%

Function 04DAC218, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d7ad6f708eef8ea82db6906c4bef95cf61684ca422b45d46aad2dd97e12295
Instruction ID: 07fe07854efb991b26f8f3d5f8cdea79bd1c1defdefe49db47f295110ce3c415
Opcode Fuzzy Hash: 01d7ad6f708eef8ea82db6906c4bef95cf61684ca422b45d46aad2dd97e12295
Instruction Fuzzy Hash: E9C02B500E630442E11033D03104335728CC343A2CFC03C11040C004514852B0B0C56A

Uniqueness

Uniqueness Score: -1.00%

Function 04DA36E2, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7641df5f84a5e13a38c6df5b24b610c55b52b74be0b5325da636f460a3b830f8
Instruction ID: ccc5e72227df92eff0f80417793eb281809176f640a85387091e9540b0dd5f92
Opcode Fuzzy Hash: 7641df5f84a5e13a38c6df5b24b610c55b52b74be0b5325da636f460a3b830f8
Instruction Fuzzy Hash: EDD09EB4904269CFCB50DF20D99465877B1AB08301F0404D9954AA3341DB30BE80CE14

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04DA2A58, Relevance: 5.1, Strings: 4, Instructions: 142COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04DA2B84
f]Ir, xrefs: 04DA2AB8
`5kr, xrefs: 04DA2C5D
>_Ir, xrefs: 04DA2BA1

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: e772d421ac76af71f3aea7f3f2d53d8e9ea3d4d64cd6f1685e5f4c0a785819af
Instruction ID: fa14f6996ad48ef939f255f652a41d9d76c9c9d7c5005c1ab4e5260863bcd47b
Opcode Fuzzy Hash: e772d421ac76af71f3aea7f3f2d53d8e9ea3d4d64cd6f1685e5f4c0a785819af
Instruction Fuzzy Hash: E5515BB0E00249CFE705EF6ED9507ADBBB6FF84308F249529C6089B298DF706956CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04DA2A68, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 04DA2B84
f]Ir, xrefs: 04DA2AB8
`5kr, xrefs: 04DA2C5D
>_Ir, xrefs: 04DA2BA1

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$>_Ir$`5kr$f]Ir
API String ID: 0-3492759196
Opcode ID: 9091b488956b0307d0fe477de76493a4c14c928d4fd1f260f8b4924a67614518
Instruction ID: ba85c10f347d28fad9e73f2a7097782c0a8799f247f29b42185c0515d594c770
Opcode Fuzzy Hash: 9091b488956b0307d0fe477de76493a4c14c928d4fd1f260f8b4924a67614518
Instruction Fuzzy Hash: 245159B0E00248CFD705EF6ED9507ADBBB6FF84308F209529C6089B298DF70685ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 04DA2CB0, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

Q, xrefs: 04DA5676

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID: Q
API String ID: 0-3463352047
Opcode ID: 22c973281bbbb4db798368b1c697f09752eec567388d150cffa274fe048e7ea8
Instruction ID: 61cfad82739db3bf23a594abc14f8629124f2d4a82a525b389f39af3b65f7f5c
Opcode Fuzzy Hash: 22c973281bbbb4db798368b1c697f09752eec567388d150cffa274fe048e7ea8
Instruction Fuzzy Hash: AC4123B1E016589BEB5CCF6B8C4069EFAF7AFC8300F18C5BA950DAA215DB3055858F54

Uniqueness

Uniqueness Score: -1.00%

Function 04DA7796, Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bfed2e19dd05493090dab3b047a765594f79787b715b1f02c27053b452b1b9c
Instruction ID: 4a2944bd39dac03749a823d55f7fca6601056c2d0bb690545deed87f82dfe91f
Opcode Fuzzy Hash: 4bfed2e19dd05493090dab3b047a765594f79787b715b1f02c27053b452b1b9c
Instruction Fuzzy Hash: AFD1387041470ADFC7A91F8ED1806D6B376FE9A33CB5A867CC8C149422CF395867EA51

Uniqueness

Uniqueness Score: -1.00%

Function 04DA3D0F, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8cfec10889742cdf2414e4f649199adae52c485194dbee2e04c2edecf7b919
Instruction ID: 0c10b3e34d57f2cc761df55024e7a31e198bf6f020221249cd2dc52bcbb741b6
Opcode Fuzzy Hash: fe8cfec10889742cdf2414e4f649199adae52c485194dbee2e04c2edecf7b919
Instruction Fuzzy Hash: E4A15DB0D15628CBEBA4DF69D884BCCBBF1FB48304F5086D9D15CA6205EB309E999F44

Uniqueness

Uniqueness Score: -1.00%

Function 04DA2CA0, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.335752720.0000000004DA0000.00000040.00000001.sdmp, Offset: 04DA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7edcc38b04872647cec2ea7fc6aac788c69b650bd20b1609b94855f4221d815e
Instruction ID: 951537b8f95f55d0c2c5407194ee6a81f7c65de6c098b080e4aced3ab2f7576c
Opcode Fuzzy Hash: 7edcc38b04872647cec2ea7fc6aac788c69b650bd20b1609b94855f4221d815e
Instruction Fuzzy Hash: 144135B1E016589BEB5CCF6BCC4069EFAF7AFC8300F14C5BA950DAA215DB3045868F54

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 2600 Parent PID: 6544 RegSvcs.exeCOMMON

Executed Functions

Function 02FDB2A8, Relevance: 2.2, Strings: 1, Instructions: 905COMMON

Download Yara Rule

Strings

r, xrefs: 02FDBD5C

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 27fa251a1abc117792e9e7f64b2ff62472741f4bb66a403cabbee34d13aa1498
Instruction ID: c612d3a496b471698d32c33d2bf827a289b2b29ee37421c891c2d9f724aba293
Opcode Fuzzy Hash: 27fa251a1abc117792e9e7f64b2ff62472741f4bb66a403cabbee34d13aa1498
Instruction Fuzzy Hash: 53825870A00605CFCB14CF69C484AADFBB2FF88354F2A8569D51AAB655DB30ED81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD3850, Relevance: 2.0, Strings: 1, Instructions: 749COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 02FD3F9D

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: >_Ir
API String ID: 0-3386957151
Opcode ID: cefa65c44f39143ab948344ec6fbaf7967e186a4e6b3a617f5798ec22f9eb9ef
Instruction ID: 40de041176586a678aaa9b11be20c658b6cb2a4b27c60f4079ca0a0a8f5deaa7
Opcode Fuzzy Hash: cefa65c44f39143ab948344ec6fbaf7967e186a4e6b3a617f5798ec22f9eb9ef
Instruction Fuzzy Hash: C152C271A00219CFCB15CF68C89496ABBF7FF84350B1985AADB099B256C771EC41CF92

Uniqueness

Uniqueness Score: -1.00%

Function 030428FB, Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 0304298F

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 631fe4dce883ceaecfe0b3eb176d1d7c353882d2fc7a5b47754cecc34fcf67f0
Instruction ID: 24ca2a92496f39b168fdc5ec18100c8cd018f458f350b0bf70800617c2106bae
Opcode Fuzzy Hash: 631fe4dce883ceaecfe0b3eb176d1d7c353882d2fc7a5b47754cecc34fcf67f0
Instruction Fuzzy Hash: 892160B1509384AFE712CB65DC44F96BFFCEF46310F1884EBE9849B252D264A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 03041463, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 030414E3

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: a7086e2d8b6a0a5129cd0af1800607b9958dfbad3f7bb7afc7a404266c65d9a2
Instruction ID: 441d9ec4107b867df962e7ba43145e62c67a0de2f2d5f94e0f8bbbea59312b7b
Opcode Fuzzy Hash: a7086e2d8b6a0a5129cd0af1800607b9958dfbad3f7bb7afc7a404266c65d9a2
Instruction Fuzzy Hash: CC21A076509384AFDB228F25DC40B52BFF8EF06210F0884EAE9858B563D2759908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0304169F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 03041715

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: bcd8ce102c7de7718ab6bafb3a57c4857d2377a0bff90dfba632ffff87c3e6a6
Instruction ID: 530230a7c3c6fb9f053e002821c5439307843865bd8003b66a5834ca9d84e8f5
Opcode Fuzzy Hash: bcd8ce102c7de7718ab6bafb3a57c4857d2377a0bff90dfba632ffff87c3e6a6
Instruction Fuzzy Hash: 9321A1B54097C0AFDB238B20DC45A52FFB4EF16214F0D80DBED848B163D265A519DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0304292E, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 0304298F

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 11fb02655ee439c9e78e92bd7e0ac819aa8c08db4ea8b9ecc730588470d4ed12
Instruction ID: f866c9282cacfa0c31dae4b4f87de238c627c164d5abaf61ef6007a595483805
Opcode Fuzzy Hash: 11fb02655ee439c9e78e92bd7e0ac819aa8c08db4ea8b9ecc730588470d4ed12
Instruction Fuzzy Hash: 7F1190B1501204AEE720DF55DC84F96FBECEF45320F1888ABEE459B241D674E904CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0304149A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 030414E3

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 5cc7699b2d660d3bb6d766c717447eebdf265ff2d35ca0f2326a31a93898c634
Instruction ID: 1776c80193be610139b6bec5748db2ebe5ec051f836bf81febd3f5320d5e3cc8
Opcode Fuzzy Hash: 5cc7699b2d660d3bb6d766c717447eebdf265ff2d35ca0f2326a31a93898c634
Instruction Fuzzy Hash: 0C11EC72500200DFDB20CF25E884B66FBE8EF44320F0884AAEE4A8B612D271E558CF71

Uniqueness

Uniqueness Score: -1.00%

Function 030411C2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 030411F4

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 8a62e0d5304823ed270c56c0f329bf50a001c634b663095fadf7d8d972923df0
Instruction ID: 1915f1ef13eedc8f843ad38b3d9cc0dbdeb1fa11dd8c909e654d6301eb3e922b
Opcode Fuzzy Hash: 8a62e0d5304823ed270c56c0f329bf50a001c634b663095fadf7d8d972923df0
Instruction Fuzzy Hash: 43018F709012449FDB10DF59E984756FFE4EF44220F18C4EADD488B212D2B5A558CA62

Uniqueness

Uniqueness Score: -1.00%

Function 030416DA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 03041715

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 706ab5f6375b74885af93d7c0fd0dce6f355d10f306947a75bb23f8adcda67a2
Instruction ID: f3b34360d33cbab09962cd8a0384ae77d127c23d834c651d4f4c28361f59b05a
Opcode Fuzzy Hash: 706ab5f6375b74885af93d7c0fd0dce6f355d10f306947a75bb23f8adcda67a2
Instruction Fuzzy Hash: 2D01DB75400644DFDB20CF19D984B26FFE4EF08320F08C4AADE890B212C2B6A558CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02FD23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5115b8c51e11f1fe8def1d59a730ba17621b5c16da27151698681fffe626435f
Instruction ID: ae26ebc8c86d46a45182ac5201154bbc91d9302963677c89593d7ff9951fe84e
Opcode Fuzzy Hash: 5115b8c51e11f1fe8def1d59a730ba17621b5c16da27151698681fffe626435f
Instruction Fuzzy Hash: D212A931E00215CFDB24CF28D5947ADBBF3FB88385F28816ADA169B246DB759C45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD89D8, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec819bb17e6a3daac249718f7bec50825a2dc43dcb5ecdf679f6ec41d0b32676
Instruction ID: eb9b082251416520916e0e23e91d105016937e243e7d2c376c28d158f4c1d585
Opcode Fuzzy Hash: ec819bb17e6a3daac249718f7bec50825a2dc43dcb5ecdf679f6ec41d0b32676
Instruction Fuzzy Hash: 9F12AB31E10215CFDB24DF69D88576DBBF3FB88384F58856AE6169B241DB749C82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02FD2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa26a93a5c6d64700fcba06fdaf79eb6303b1f6a6d73ca17d930ec401d41a77
Instruction ID: 5aa0bea818288c5c907ffbf857412d2e2dc79ff341f3a8bce68a097a0e8e11c7
Opcode Fuzzy Hash: 1fa26a93a5c6d64700fcba06fdaf79eb6303b1f6a6d73ca17d930ec401d41a77
Instruction Fuzzy Hash: A1819C32F001159BDB18DB69C884A6EBBE3AFC8754F2A81B5D606DB359DE31DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD09A0, Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02FD0A50
X1kr, xrefs: 02FD0A5A
X1kr, xrefs: 02FD0A98
X1kr, xrefs: 02FD0AA2

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr$X1kr$X1kr
API String ID: 0-2451847431
Opcode ID: 50d79a3eff0baf66ed4c1501c451dc4fe0507cc0e7bafe628c5e45f8d2212f39
Instruction ID: 3c8c19a7ee30eb354ea28443839e7d1ffadb630dcfddda49a2dc61d5117cf705
Opcode Fuzzy Hash: 50d79a3eff0baf66ed4c1501c451dc4fe0507cc0e7bafe628c5e45f8d2212f39
Instruction Fuzzy Hash: 74419531B00205DFCB14DBA8D858ABEB7F2FF84304F258169E6069F254DB75AD12CB80

Uniqueness

Uniqueness Score: -1.00%

Function 030401F4, Relevance: 3.1, APIs: 2, Instructions: 123COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 03040264

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ae728fbf19da72c13d0b1d1f4f872d16f77063a09cf81963034e2c7a31ff963c
Instruction ID: f6fe88353d2eb2f852ad48fa848e67a924c626742bde6f2c1c5c85139217edab
Opcode Fuzzy Hash: ae728fbf19da72c13d0b1d1f4f872d16f77063a09cf81963034e2c7a31ff963c
Instruction Fuzzy Hash: 264117B1505744AFEB21CF14DD85B62FFE8FF45320F0884AAEE449F292D275A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02FD02E8, Relevance: 2.7, Strings: 2, Instructions: 174COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02FD0537
`5kr, xrefs: 02FD03A5

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: :@Dr$`5kr
API String ID: 0-2548079215
Opcode ID: f0e2f92e64a34cc52f421d30ef34f50372883d263cff6bc544f399bb3003bc54
Instruction ID: c25a807cfd76e3648a8ffc4fc3df711dd3c1a418c9007df6992df96362485edd
Opcode Fuzzy Hash: f0e2f92e64a34cc52f421d30ef34f50372883d263cff6bc544f399bb3003bc54
Instruction Fuzzy Hash: C7514731B092058FDB49DB68C454B6D7BF3AF89750F18806EDA06AB3A1DF71AC01CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02FD2D58, Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

>_Ir, xrefs: 02FD2DA5
, xrefs: 02FD2E76

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: $>_Ir
API String ID: 0-1787506450
Opcode ID: 7b620120d24d7dd324e5a07a965250b4242ede4e0d82fd3ca5edf8cb3035c2ef
Instruction ID: 443bd3d1cc92a7324611244e380f9766e0aa8b37d0d6d4102d8e64dfb1ea9e74
Opcode Fuzzy Hash: 7b620120d24d7dd324e5a07a965250b4242ede4e0d82fd3ca5edf8cb3035c2ef
Instruction Fuzzy Hash: 4241B271F042158BCB20CF79C8445AEB7B3ABC1298B2CC57ACA16DB606C731E842CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02FDEF09, Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02FDEFB4
X1kr, xrefs: 02FDEFBE

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: X1kr$X1kr
API String ID: 0-2397868964
Opcode ID: 914b8d324ded39816295e7cd1239730455af2f3248f6caddc33bf81b56c67133
Instruction ID: fdbf8461920513c1dc82f4c67cea3c1711ebbf1051d9cac5c38e28a38aea7555
Opcode Fuzzy Hash: 914b8d324ded39816295e7cd1239730455af2f3248f6caddc33bf81b56c67133
Instruction Fuzzy Hash: 7311662074A7D44FD762A7B8A8240B93FAA9E8308430D45CFE085DF7E3CA218C02C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$ghr, xrefs: 02FD1349

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: ac9b32ff22578ccc77696517b842c80a74dbee6fc4b22b13c17cd2f6e5cfd1f8
Instruction ID: b38a7f47dcc5d026c1653c6f4f26138c4320e2cc946d4e26855b41dd86a89f61
Opcode Fuzzy Hash: ac9b32ff22578ccc77696517b842c80a74dbee6fc4b22b13c17cd2f6e5cfd1f8
Instruction Fuzzy Hash: 17221534A00605CFCB24DF28C490A6ABBF6FF88380F148699D95A9B755DB34ED85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0304214D, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 0304225D

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 3c807d7609cecc59afd4fc2e745301e24edb1d8e28080f04f0c68d0dcc77a96a
Instruction ID: 146966d238793335e42e8b9cff3af9966b8358449854b75471f9e79fca6e3564
Opcode Fuzzy Hash: 3c807d7609cecc59afd4fc2e745301e24edb1d8e28080f04f0c68d0dcc77a96a
Instruction Fuzzy Hash: 7D41C3715093806FE712CB25DC45F92FFB8EF46220F1884DBEA849F293D265A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 03041950, Relevance: 1.6, APIs: 1, Instructions: 124registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 03041A46

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2e7fc1681d350460dab6596727085ff17ab97114acf67f6b4e6f86bad40f965c
Instruction ID: 9b2ef1aac8eee0c208c1b4e7afccb9e3f9d1ccf1fa694507270ed7c66cbea5c4
Opcode Fuzzy Hash: 2e7fc1681d350460dab6596727085ff17ab97114acf67f6b4e6f86bad40f965c
Instruction Fuzzy Hash: 0441246540E3C06FD3138B318C61A61BFB4AF87614B0E85CBE8C4CF5A3D259690AC772

Uniqueness

Uniqueness Score: -1.00%

Function 03040EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 03040F5B

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7fc66589bf7cab79a10387056b4786cecdbe29d8fd31d8024344561addba9856
Instruction ID: a660781ad978bd86070be83ea7cea1879c4af0c68f792f1d1326cf0ff990d38d
Opcode Fuzzy Hash: 7fc66589bf7cab79a10387056b4786cecdbe29d8fd31d8024344561addba9856
Instruction Fuzzy Hash: 6131B571504344AFEB228B65DC44F67BFACEF46310F0884ABF985DB152D224A515CB71

Uniqueness

Uniqueness Score: -1.00%

Function 03042720, Relevance: 1.6, APIs: 1, Instructions: 95timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 030427BD

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: d3dc3fef7edc8ae1ce72833ddd2ed77339047b57c3fc58b5e7045f882f011da9
Instruction ID: 764b0758421cf1472d0bbacb3040fea37d23c17677cea340e88adc677d2fb3f8
Opcode Fuzzy Hash: d3dc3fef7edc8ae1ce72833ddd2ed77339047b57c3fc58b5e7045f882f011da9
Instruction Fuzzy Hash: 9831D3B250A380AFE7128F24DD45F56BFB8EF46310F0884EBE9859B192D265A509C771

Uniqueness

Uniqueness Score: -1.00%

Function 03040C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 03040D1A

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 0d8a7d52449e3eb82a1a8f62a39bce9bc2a5fc3b3fa74855876fbd0c2738b631
Instruction ID: f0ceecdc4e4331546163fced0e4407f07a259a3daffc2456f26710dddead5741
Opcode Fuzzy Hash: 0d8a7d52449e3eb82a1a8f62a39bce9bc2a5fc3b3fa74855876fbd0c2738b631
Instruction Fuzzy Hash: 5E314B6140D3C06FD7038B658C51B62BFB4EF87610F0E85DBE9848F5A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 03040390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0304045E

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 2595a2be80725bde30e30561e739d589a157b6c6c97a3c828807fd8aafbec200
Instruction ID: 3280d608679aa55a591d7a29191f36d8ab7f1845b7a1566b9381eb5fa67ff286
Opcode Fuzzy Hash: 2595a2be80725bde30e30561e739d589a157b6c6c97a3c828807fd8aafbec200
Instruction Fuzzy Hash: 5031A6B2004344AFE7228F21DC41FA6FFA8EF06714F14459EEA859B152D365A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 030407F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 03040899

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 59fdc45de875c521b419121809a1dfb8d31fc3c8d23e2a6d3fae8f070586623c
Instruction ID: 1ca15190da9b720b92b09f0a73252646b1d76b67ef0238beab1cef1f93820540
Opcode Fuzzy Hash: 59fdc45de875c521b419121809a1dfb8d31fc3c8d23e2a6d3fae8f070586623c
Instruction Fuzzy Hash: 74318DB1505380AFE722CB25CD44F66FFE8EF45210F0884AEEA859B252D365E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 030400F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0304019D

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 16b1c008e9a7d93e065a91c77b07ce5d1f1888658fcbcbb91c9a2f775beb3c92
Instruction ID: fa0f73c0cfee3fe35e2a89a777cdb3ec93a6989466ace6e2bc5c7d2fcd04c928
Opcode Fuzzy Hash: 16b1c008e9a7d93e065a91c77b07ce5d1f1888658fcbcbb91c9a2f775beb3c92
Instruction Fuzzy Hash: 623193B15097806FE712CB25DC85F56FFE8EF06210F0884AAE984DB292D375E909C761

Uniqueness

Uniqueness Score: -1.00%

Function 030422B4, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 03042366

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 39d4f8bb29d5f8f2b4a507355654f0210d584fe66955acb6231572b2180cfb94
Instruction ID: f070f5821ad72c814bec5f6f024ea5ad23aa42aabb99435b9552bb100af26ebe
Opcode Fuzzy Hash: 39d4f8bb29d5f8f2b4a507355654f0210d584fe66955acb6231572b2180cfb94
Instruction Fuzzy Hash: 2C31F6B2404380AFE722CB55DC44F96FFF8EF06320F08459EE9848B252D375A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03040FB9, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 0304105C

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 63c9c844a1d0367a8fe4436481ce3c12e7171101ce5979ce9290bb4c211fe31b
Instruction ID: 51a0192e96f1e2ba092475d7a688804a4023883a255356b36801c5108ddb2797
Opcode Fuzzy Hash: 63c9c844a1d0367a8fe4436481ce3c12e7171101ce5979ce9290bb4c211fe31b
Instruction Fuzzy Hash: A931E372509380AFEB128B25DC41F96BFB8EF46310F0884DBED849F193D664A949C761

Uniqueness

Uniqueness Score: -1.00%

Function 030404AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 0304055C

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cd2f73b872faf498c8fba50cfbf98149edd271db8b3f050c049c5b1b4c2a54be
Instruction ID: 56b74234425766c4af1a8b0f12a6069bee4f10c406658cf8b4543719ea5d5763
Opcode Fuzzy Hash: cd2f73b872faf498c8fba50cfbf98149edd271db8b3f050c049c5b1b4c2a54be
Instruction Fuzzy Hash: E63171B1509780AFD722CB65DC44F52FFF8EF06310F0885DAEA859B162D265A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 03042F0F, Relevance: 1.6, APIs: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 03042FC5

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 31ccc78a495b195b17415819fbc6c5bc9d38d96e8a8ca6a2de1691d8c7dd66df
Instruction ID: dd0ad2fcbb7801a8cc697fbcd99a687f2fc73f27b2f1f5c167347a923ef94033
Opcode Fuzzy Hash: 31ccc78a495b195b17415819fbc6c5bc9d38d96e8a8ca6a2de1691d8c7dd66df
Instruction Fuzzy Hash: F7317F7140D7C06FD7138B318C61B52BFB4EF87610F1A80CBE9848F2A3E6646909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 03040EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 03040F5B

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4d4b7148e2a4115cdbfff2c07dc164ee510e709b136182005747ab8c8e711920
Instruction ID: 6474a29d3b709139e9b8f60d8eee274a2fafd2038a0ccdbb2445a434c0e05a72
Opcode Fuzzy Hash: 4d4b7148e2a4115cdbfff2c07dc164ee510e709b136182005747ab8c8e711920
Instruction Fuzzy Hash: 6221B072500704AFEB21DF64DC44F6BFBACEF44310F04886AEE459B651D670A5198B71

Uniqueness

Uniqueness Score: -1.00%

Function 030408F0, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 03040985

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 62afa93d0473794ca8f3bf873a3dff81fcfe99736e29d948f49565272f971e10
Instruction ID: 8161d244344370002733bf7aeac00ddc1f0473f0d81a845ce3caa751993e87cb
Opcode Fuzzy Hash: 62afa93d0473794ca8f3bf873a3dff81fcfe99736e29d948f49565272f971e10
Instruction Fuzzy Hash: F621D6B54093806FE7128B25DC41BA2BFBCEF47720F1880D7EE849B293D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 030402AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 03040353

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0826a8ee000058969673eb0e94eec283731dcda57873ca943d07e2ecb0308444
Instruction ID: a4d79d2dbca9773d5c21baf513ac5443714af1a7edeb062534e9ac0a068c0654
Opcode Fuzzy Hash: 0826a8ee000058969673eb0e94eec283731dcda57873ca943d07e2ecb0308444
Instruction Fuzzy Hash: 1F21A875009380AFE7228B20DC41FA6FFB8EF46310F1884DAE9845B192D265A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 03041A72, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 03041AFE

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 056e2b2cb54605aac8095b3124824f757e38cd69ac81e98e14ae5f236204fe30
Instruction ID: 8d808bb588692bacf9498a3b9bf7b814e82b631f9719179c831941708d1a618a
Opcode Fuzzy Hash: 056e2b2cb54605aac8095b3124824f757e38cd69ac81e98e14ae5f236204fe30
Instruction Fuzzy Hash: 3C21BC71509380AFE722CF65DC44F96FFF8EF46210F0884AEEA858B252D375A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0304081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 03040899

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 171b2b1b18b579ff6abde3d4323195f407b0ed4dd55d2fbfee640fcdae7cda32
Instruction ID: e184ee8439274c93b5b6767096be0d206975bed31c18abb3d0b3d603360577e8
Opcode Fuzzy Hash: 171b2b1b18b579ff6abde3d4323195f407b0ed4dd55d2fbfee640fcdae7cda32
Instruction Fuzzy Hash: 92217AB5501600AFEB21DF65CD85F6AFBE8EF08610F18846EEE859B252D371E504CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 03040B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 03040C10

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 81b81672217c4d513d0ed9f22891f43b794ba365413d7aa7a2c164859eaebf01
Instruction ID: 55d7296bb6f0923f0981c7f6cccc2b518094146bad250895f8a3411bbbff712c
Opcode Fuzzy Hash: 81b81672217c4d513d0ed9f22891f43b794ba365413d7aa7a2c164859eaebf01
Instruction Fuzzy Hash: D521ACB2505740AFE721CB25CC80F57FFE8EF45310F0884AAEA859B252D264E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 030409C0, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 03040A51

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: c1ce43fb66e346ff3a18f34d57c8156b1df3bc168034f9be774642a4849ac617
Instruction ID: 8fdec11af6e2a8255c97e6fe5683189bc1721cdee651dd6bc7f88735b97b32bd
Opcode Fuzzy Hash: c1ce43fb66e346ff3a18f34d57c8156b1df3bc168034f9be774642a4849ac617
Instruction Fuzzy Hash: 30218E72409380AFE7228B65DD44F56BFB8EF46314F0884EBEA849B153C265A519CB62

Uniqueness

Uniqueness Score: -1.00%

Function 030403CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 0304045E

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fe36c40fd9105f1a1ce37cffdc4fdd08960dfeb4c3dd090020354778fdaabd7e
Instruction ID: f9443937677e4aec21f77cf2e48c7d9107620864ea21ea9a3b6d20a9e506e3a6
Opcode Fuzzy Hash: fe36c40fd9105f1a1ce37cffdc4fdd08960dfeb4c3dd090020354778fdaabd7e
Instruction Fuzzy Hash: 1121D0B2100204AFEB21DF15DC41FA6FBACEF44710F14896AEE459A681D6B5A509CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0304012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0304019D

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 4cbca59e4b6a029f4a01509dda83a0f490e5f9c9ee9904a0b1d54f5e925d3052
Instruction ID: 41ba976b799a68f25a8e989431ac4404a1a026ab896414b8a6ef0aeff6f51b14
Opcode Fuzzy Hash: 4cbca59e4b6a029f4a01509dda83a0f490e5f9c9ee9904a0b1d54f5e925d3052
Instruction Fuzzy Hash: 4721D1B1501200AFE720DF29CD85F6AFBE8EF04310F1884AAEE449B251E771E604CB71

Uniqueness

Uniqueness Score: -1.00%

Function 03040723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0304079F

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: ce4d0ea8982229a100ac90efd66671d0020d3b428852535f6bbbdb9383d2e122
Instruction ID: 8bfd254331c5bf611464628092fcda1c64945b83ed4f6cf5a812368fec4f03b2
Opcode Fuzzy Hash: ce4d0ea8982229a100ac90efd66671d0020d3b428852535f6bbbdb9383d2e122
Instruction Fuzzy Hash: 3621A1B29053809FD751CB25DD44B52FFE8EF06210F0980EAE944DF152E264D908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03040A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 03040B1E

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 585e7014b768362ba80eb877e2fa60a0e8bf68a065bdd9b1514be49ee82d3a2b
Instruction ID: efeb198f52addd5e20680bce124c6e34b07d6c002533c85d9f8697b1e384ed76
Opcode Fuzzy Hash: 585e7014b768362ba80eb877e2fa60a0e8bf68a065bdd9b1514be49ee82d3a2b
Instruction Fuzzy Hash: D42180B15093845FD762CB29DC55B52FFE8AF46218F0C80EAED84DB253D265D908C771

Uniqueness

Uniqueness Score: -1.00%

Function 030410BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 0304114B

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: bdb470cd3bdf3a886b5c99bc0ef2977e30155795b5cde457934493623d75f39c
Instruction ID: 1b98f4d210ba895f32c23f7a212406228e96d61c79fc0751f4f04f8024d6609d
Opcode Fuzzy Hash: bdb470cd3bdf3a886b5c99bc0ef2977e30155795b5cde457934493623d75f39c
Instruction Fuzzy Hash: 10210871505380AFE721CB24CC45F66FFA8EF42310F1880AAFD449B192D364A944C761

Uniqueness

Uniqueness Score: -1.00%

Function 03041530, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0304159C

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2ff2b313004a3fd832d2a22a5b0437cbd3fc5465d488eeeae09cc2c687c0c925
Instruction ID: 56600e58ba53befc4a293b0151442c62b22c199e671646a97872f8e37cdb0318
Opcode Fuzzy Hash: 2ff2b313004a3fd832d2a22a5b0437cbd3fc5465d488eeeae09cc2c687c0c925
Instruction Fuzzy Hash: 6F21A1725093C49FDB128B25DC54A92BFA4AF47224F0D80DAED858F663D2659908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 030421F2, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 0304225D

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: da7010740f48c40a74558ab2ce4500d80812da1aabc515e05da462f11127af07
Instruction ID: 30ecc300c7fefdb8298b889c9bb3ae637c27809b1aae5e7630c227036bd9ea40
Opcode Fuzzy Hash: da7010740f48c40a74558ab2ce4500d80812da1aabc515e05da462f11127af07
Instruction Fuzzy Hash: DC21AEB1601204AFEB20DF25CD85F66FBE8EF44320F1888AAEE848B241D375E505CA71

Uniqueness

Uniqueness Score: -1.00%

Function 03041A92, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 03041AFE

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 9e28f2deaf7781bc9d3981803c63002bd12d2bae189a8e4cfd52604b3cd564d6
Instruction ID: bf10e89912ff6f43cdcf3a7e6c3e942a747092213637ced612cf2d2ed556cacb
Opcode Fuzzy Hash: 9e28f2deaf7781bc9d3981803c63002bd12d2bae189a8e4cfd52604b3cd564d6
Instruction Fuzzy Hash: 0421CF71500200AFE721DF65DD44F56FBE8EF44310F14846AEE858B252D3B5A544CB71

Uniqueness

Uniqueness Score: -1.00%

Function 030415E5, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,53AF625E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 03041656

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 5db762dbdad2430624b3ee447e0a228f6f6f978d66a7e3c33522981b81071e10
Instruction ID: 6593f6f2c5f4e68e9feae8d260e23f337e6d93a5a010521f499b9d28c2ec7121
Opcode Fuzzy Hash: 5db762dbdad2430624b3ee447e0a228f6f6f978d66a7e3c33522981b81071e10
Instruction Fuzzy Hash: 73218E715093849FD716CB25DC84B92BFE8EF06220F0D84EAE984CB263D274A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 030422F2, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 03042366

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: a1b127d5d87dcbddd3d5258a4e4b41f8be3c044ac0d37d7c01a6c4156dc80c4f
Instruction ID: 4d8b0a8a2732c3c603ce7d144c2714c70e24c504801a491073ca5c05b80e9246
Opcode Fuzzy Hash: a1b127d5d87dcbddd3d5258a4e4b41f8be3c044ac0d37d7c01a6c4156dc80c4f
Instruction Fuzzy Hash: 7A21DE71500200AFE721CF25CC44F9AFBECEF08320F04886EEA849B241D371A508CB65

Uniqueness

Uniqueness Score: -1.00%

Function 03040B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 03040C10

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 2f61e2e690bbb9d0c0da2481038e918aa4575e26da11549f27bf6369fb0d5930
Instruction ID: 6e871cb22c26f86bfbbe1b107b9538527da2162b5939a98a62ceacb73b1dc047
Opcode Fuzzy Hash: 2f61e2e690bbb9d0c0da2481038e918aa4575e26da11549f27bf6369fb0d5930
Instruction Fuzzy Hash: DA1181B1500604EFE720DF15DC41F67FBECEF44710F18846AEE45AB251D664E505CA71

Uniqueness

Uniqueness Score: -1.00%

Function 030404EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 0304055C

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 283840b9adba018ff0124874ab5518feb6f8ac1a6b0a60f546f3c6d415c1e656
Instruction ID: 8082fd57902485a9f5c46b7b9d43f9a83e230f45a3153c6f5967a0164657750b
Opcode Fuzzy Hash: 283840b9adba018ff0124874ab5518feb6f8ac1a6b0a60f546f3c6d415c1e656
Instruction Fuzzy Hash: 0B117FB2501604AFEB20DF15DC80F67FBECEF04720F18846AEE459B251D665E509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0304275E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 030427BD

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: bfd4dd6a4726294b41ad2f88fb9398f282f8e56a911ccbcce4a9334e8d2f9b82
Instruction ID: efbc4e03b259bcf3f3a55ef4caa88c139a2d707c7de80d14598571f6b914c50e
Opcode Fuzzy Hash: bfd4dd6a4726294b41ad2f88fb9398f282f8e56a911ccbcce4a9334e8d2f9b82
Instruction Fuzzy Hash: 6511D072501200AFEB21CF65DD45F6BFBACEF44320F1888ABEE458B251D674A5188B71

Uniqueness

Uniqueness Score: -1.00%

Function 030412F8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 03041362

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0f2b4973e923e34c28ecb62526b1c0001684a47311a3e76fd8bcf44851f18d90
Instruction ID: cb572f52a6af236dbe983a1f50c430f5fe43294ac18b7c89dd748017332c32ec
Opcode Fuzzy Hash: 0f2b4973e923e34c28ecb62526b1c0001684a47311a3e76fd8bcf44851f18d90
Instruction Fuzzy Hash: 0A11DFB2505380AFD721CF25CC85B52FFE8EF45220F0C84AAED84CB652E274E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 03041006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 0304105C

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: a9d8656ae68cea64836ab07fc8fcdb36c99b5f8f3f9ca04dadc15803bcdcc62a
Instruction ID: c412b07ac7b100bb86c3b18a4239748fa5ce1e80d27cfc93a3f7278e30aadf1e
Opcode Fuzzy Hash: a9d8656ae68cea64836ab07fc8fcdb36c99b5f8f3f9ca04dadc15803bcdcc62a
Instruction Fuzzy Hash: 8511E3B1500244AFEB10DF29DC85B6BBB9CEF45320F1884ABEE04DB241D6B4A5448B71

Uniqueness

Uniqueness Score: -1.00%

Function 030402DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 03040353

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 02543f16dbfd73526b0e634f67c10409bd9625ee2fb85cc5303f9b64eff11432
Instruction ID: 9ad7d2b024750b0f6339c3f057ec964d88a5f2d9d451664ae65d17e477a982fa
Opcode Fuzzy Hash: 02543f16dbfd73526b0e634f67c10409bd9625ee2fb85cc5303f9b64eff11432
Instruction Fuzzy Hash: 7A11EF71000600EFEB31DF14CC41F6AFFA8EF04710F1884AAFE455A291D2B5A509CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 030410E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 0304114B

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 158a620f96acc49aae005a518ee520308a89e14b7dd0392b9f791b18f611144d
Instruction ID: 654e018d0a889e289ea08e49fa2961b847314c5566ebcea870c9ae972b753001
Opcode Fuzzy Hash: 158a620f96acc49aae005a518ee520308a89e14b7dd0392b9f791b18f611144d
Instruction Fuzzy Hash: 42113671500200AFF720DB28DC41B66FB98DF40720F14C0AAEE058B291D2A4A9448A61

Uniqueness

Uniqueness Score: -1.00%

Function 030409F2, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 03040A51

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 9dd71948d7ef6cce40eb472bf8a61d5535cef6a9214c317f94c5caf982a311ee
Instruction ID: 06c5c41e03b8045360d26a8f8ed8bc7877bee76b412d14b227347959c2c40488
Opcode Fuzzy Hash: 9dd71948d7ef6cce40eb472bf8a61d5535cef6a9214c317f94c5caf982a311ee
Instruction Fuzzy Hash: EB110471400200EFEB21CF54DC40F5AFBE8EF44320F1888ABEE489B201C275A518CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0304118F, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 030411F4

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: b48120ce396fe171eec29f1feb4dd00f6de8d975531bb89f0e7b44ec4c52fd42
Instruction ID: 506ff20f1410631e079b0d3d09bde2392c1d08bedf581592421e9edcf0a6ee0c
Opcode Fuzzy Hash: b48120ce396fe171eec29f1feb4dd00f6de8d975531bb89f0e7b44ec4c52fd42
Instruction Fuzzy Hash: E2118E714093C0AFD7128B24DC44B52BFB4EF46224F0984EBED848F163D279A959CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0304131A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 03041362

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 267814b9ab188a19220f73355045966d01d95b27eec55d46046973cfda831b86
Instruction ID: 892e46d59690a4d1f62b25e425ac663513172aaed010ad0d0084b942e07bf946
Opcode Fuzzy Hash: 267814b9ab188a19220f73355045966d01d95b27eec55d46046973cfda831b86
Instruction Fuzzy Hash: A311A1B1A012009FDB64CF29D885756FBE8EF44621F0CC4BADD49CB642E674E544CB71

Uniqueness

Uniqueness Score: -1.00%

Function 03040AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 03040B1E

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 267814b9ab188a19220f73355045966d01d95b27eec55d46046973cfda831b86
Instruction ID: 964c09a47aa1eb307866541f54388b73c6f47636c4f33b33e173e2834be5b688
Opcode Fuzzy Hash: 267814b9ab188a19220f73355045966d01d95b27eec55d46046973cfda831b86
Instruction Fuzzy Hash: 5D11A1B16012049FDB60CF29DC85757FBD8EF44228F1884BADE49DB242D675E504CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 03040932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,53AF625E,00000000,00000000,00000000,00000000), ref: 03040985

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 8d777ec5e7b0aa4dc823f146e2f62bccb5646d784a01c3af88dbb806f958d27d
Instruction ID: b88f3f0b30997f495de7404aa8a6f0d8221e68150648df725897bc8bab34093f
Opcode Fuzzy Hash: 8d777ec5e7b0aa4dc823f146e2f62bccb5646d784a01c3af88dbb806f958d27d
Instruction Fuzzy Hash: 7301D671500604EEE710DB19DC45F66FBACEF45720F1884ABEF44AB341C674E904CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0304075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 0304079F

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 296d9eba5c3487459a0f1a19047037c01031ce4cc7ee03532653f34aa79952a1
Instruction ID: 96ba579b45e2affc76a743840a73a3ef30bad3c62be12f74a6b815754bb8f73e
Opcode Fuzzy Hash: 296d9eba5c3487459a0f1a19047037c01031ce4cc7ee03532653f34aa79952a1
Instruction Fuzzy Hash: 4B1182B59012009FD750DF29D984757FBD8EF04210F08C4BADE09DB642D674E504CF62

Uniqueness

Uniqueness Score: -1.00%

Function 03041616, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,53AF625E,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 03041656

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 960f672322de72c72bb11492d427538613e751d71fde573cd3a05b943043b183
Instruction ID: 00b84d363e0268c961a5ca768b835860002024c58524c4799e9aac718413218a
Opcode Fuzzy Hash: 960f672322de72c72bb11492d427538613e751d71fde573cd3a05b943043b183
Instruction Fuzzy Hash: 6111A9B15012449FDB64CF29D884B66FBE8EF04220F1C84BAEE498B252D2B5E558CF61

Uniqueness

Uniqueness Score: -1.00%

Function 03040CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 03040D1A

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: dfc2961b1491abc0a97ebdff801f447a738cba5976a1d56c8395d926ae1c7410
Instruction ID: e11ffdc6eeb508f88f8f2279e502f7f700c947294ed82e10330936475810fd39
Opcode Fuzzy Hash: dfc2961b1491abc0a97ebdff801f447a738cba5976a1d56c8395d926ae1c7410
Instruction Fuzzy Hash: 13019E72900200ABD210DF16DC86B26FBA8FB88A20F14816AED088B741E231B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 03040232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 03040264

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 330e6aca6c79cd49d8137f8a647394bb5c5e5ced7b63b0f0814ddb03d33a5bb6
Instruction ID: dfdf1eabff1de8658fcaae513bfcb3235635c453f4a903f0298cd576f36fec1f
Opcode Fuzzy Hash: 330e6aca6c79cd49d8137f8a647394bb5c5e5ced7b63b0f0814ddb03d33a5bb6
Instruction Fuzzy Hash: F601DFB59012009FDB50CF29DA84766FFD8EF40220F08C4BBDE499B642D6B5E508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0304156A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0304159C

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2b733c95ab529372c58bc3e5b3038bbcb81109d6d30afacc7ab400baa9e954ad
Instruction ID: 8bc2dc8cad2181c0ef297d5029ee21c8e9da43f2f190e13a9635093446a3a468
Opcode Fuzzy Hash: 2b733c95ab529372c58bc3e5b3038bbcb81109d6d30afacc7ab400baa9e954ad
Instruction Fuzzy Hash: 5F01B1B5501244DFD714CF29E984796FBD4EF44220F18C0ABDD4A8B702D675E548CB72

Uniqueness

Uniqueness Score: -1.00%

Function 030419F6, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,?,?), ref: 03041A46

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 54d48caaabd0b905f81e7431c6fdfdcfdd70a81405a74abc6485851ff29a04cd
Instruction ID: ba802b0b0e62a2b2051d400d92ed0dc488495b36fd3c0ee53122a5e8cc3160f8
Opcode Fuzzy Hash: 54d48caaabd0b905f81e7431c6fdfdcfdd70a81405a74abc6485851ff29a04cd
Instruction Fuzzy Hash: 6801A276500600ABD210DF16DC82F26FBA8FBC8B20F14811AED084B741E371F926CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 03042F7A, Relevance: 1.5, APIs: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 03042FC5

Memory Dump Source

Source File: 00000007.00000002.595772747.0000000003040000.00000040.00000001.sdmp, Offset: 03040000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 4605a6fba897ee2aa5fa0fe7f1f8a9f4c4e71e9fbd0907d9eb8d81439b4a35f1
Instruction ID: 0717676222d1de8f9226d8a2fa3b868e3373c9d49ad101caac260f773e06ccd8
Opcode Fuzzy Hash: 4605a6fba897ee2aa5fa0fe7f1f8a9f4c4e71e9fbd0907d9eb8d81439b4a35f1
Instruction Fuzzy Hash: 50014B71900600AFE714DF26CD86F26FBA8EF88B10F14855AED089B741E775F912CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$ghr, xrefs: 02FD14C7

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 27417cb613021fb7a8a39473c5a3f59be43bac84090238b52858c689e8e77f26
Instruction ID: 65765fa6d5680768780b24d96501795fc17faeac06ad862c411241dbbf747a6a
Opcode Fuzzy Hash: 27417cb613021fb7a8a39473c5a3f59be43bac84090238b52858c689e8e77f26
Instruction Fuzzy Hash: 6651F434A00218CFDB14DF64C894BADBBB2FF49340F1441AAD50AAB365CB35AD84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1290, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$ghr, xrefs: 02FD1349

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: $ghr
API String ID: 0-1352911727
Opcode ID: 750f8115089131e4add91d3cc562e39d7dfede87adaa973d47cf33489095af9f
Instruction ID: 13ebef1dec564a7deaf524fc947a9cfec7c582f25180b4fcf64f47a429787ff1
Opcode Fuzzy Hash: 750f8115089131e4add91d3cc562e39d7dfede87adaa973d47cf33489095af9f
Instruction Fuzzy Hash: 1F41F634A04219DFDB54DF68D890BAEBBB2BB49380F0441AAD50EAB350DB359D84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02FD8830, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 02FD8947

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 4bb58075c92e305044af6eefdadc8b11eb85d2f929892e5db48890798a29606c
Instruction ID: 655940f0ab885a59239eb1a9aa9f8c0b17eef839725959a3fc1ac674e73305a6
Opcode Fuzzy Hash: 4bb58075c92e305044af6eefdadc8b11eb85d2f929892e5db48890798a29606c
Instruction Fuzzy Hash: 9E412B31F04209DFCB58DBA5C555ABEBFB2FF44380F1480AAD602A7264DB355A42CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02FD21F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 02FD230F

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 18ecd167b6be5ba66cf5c180a94ae538f89f8ee8be10886ff4765afaa8c762ba
Instruction ID: de36abfd363e246c4b33723aab8e2ab337bd4364fc3f67f5d95dae39ac38f3b5
Opcode Fuzzy Hash: 18ecd167b6be5ba66cf5c180a94ae538f89f8ee8be10886ff4765afaa8c762ba
Instruction Fuzzy Hash: 61412931E08209CFDB44DBA4C5557BEBBF2FB44341F14806ADA02A7265D7358A05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02FDDEB7, Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

lir, xrefs: 02FDDF73

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: b63382c85a7aab1c9761b346b19eeadf4f17b86cda1a73be32e4b050d0a0b370
Instruction ID: 362bd44330720a86cbc9eea80284620798ae0483978ffa3cf1b1896b96e673ea
Opcode Fuzzy Hash: b63382c85a7aab1c9761b346b19eeadf4f17b86cda1a73be32e4b050d0a0b370
Instruction Fuzzy Hash: 8321F737B04114CBCB15CB68D4403BEBBE7AB88386F18846AE646D7644DB319C41C791

Uniqueness

Uniqueness Score: -1.00%

Function 02FD75D8, Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Huir, xrefs: 02FD758B

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: 1aa8740eba91af7119493ed3c7fa333e6a429ef8473fe50c876a3aade4d8e3e1
Instruction ID: db4b5a68d68350e63a769b754a0e58de9c714d934fafcfacfde1b1ca5b3d3560
Opcode Fuzzy Hash: 1aa8740eba91af7119493ed3c7fa333e6a429ef8473fe50c876a3aade4d8e3e1
Instruction Fuzzy Hash: 7B11BF33B0821087CB557A6C9C50A7DBB57ABC46A076C462FD70ACF384EE609C02C762

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7559, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Huir, xrefs: 02FD758B

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: 04d469e06f2e654e3afe61256f72b3fda8151234da9f2de1f69189bc184ddf16
Instruction ID: e4a4bf00b050fd9f75b33563caebfca32c045c89d3b0f013ada239401b67b5cc
Opcode Fuzzy Hash: 04d469e06f2e654e3afe61256f72b3fda8151234da9f2de1f69189bc184ddf16
Instruction Fuzzy Hash: EBF0FF7270821087CB417AAC9C807BDAB57ABC52A0368422BD219CF3CAED249C028366

Uniqueness

Uniqueness Score: -1.00%

Function 02FDA260, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Huir, xrefs: 02FDA293

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: 0fc7ac3d6a3c2db846f2d1602c9fe951fdd0f7957f1357502bc82bbd4ef4e121
Instruction ID: 9122cebc88241435a725a89bbabf04da961d2265b72d495a3ac56410e3bf98a7
Opcode Fuzzy Hash: 0fc7ac3d6a3c2db846f2d1602c9fe951fdd0f7957f1357502bc82bbd4ef4e121
Instruction Fuzzy Hash: 5EF0463270821087CB452ABCDC8077D7A836BC12B2778472BD216CB2C4DE6A4C01836A

Uniqueness

Uniqueness Score: -1.00%

Function 02FD4710, Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

X1kr, xrefs: 02FD4747

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: X1kr
API String ID: 0-844551562
Opcode ID: 7c8d32962ec3724fe9e5072e553ebe7da881bac3ea7a2dc7f13669833a91fbd2
Instruction ID: 6a3fdb9cb48a37b48c9e1df4f19fd64977af858df3503970bc01494bea1711e2
Opcode Fuzzy Hash: 7c8d32962ec3724fe9e5072e553ebe7da881bac3ea7a2dc7f13669833a91fbd2
Instruction Fuzzy Hash: AEF090333012649BCB2566B998107BE32DB9BC66E1F58003ED70AC7781DD76D88283A1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7568, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

Huir, xrefs: 02FD758B

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: Huir
API String ID: 0-669697419
Opcode ID: f56a8f5392d77c9287c61e61a9d90f58a0322b618589e67fbf38a7d5e4106012
Instruction ID: 34d01aaeab6611e31e2d7b92765cb8be961862d9bdfa11f2a66f231b2d36bc8e
Opcode Fuzzy Hash: f56a8f5392d77c9287c61e61a9d90f58a0322b618589e67fbf38a7d5e4106012
Instruction Fuzzy Hash: 2FF0E93230811093C644396C9C80B3EBE4BABC16B0778032EA21ACF3C5DD519C01C3B7

Uniqueness

Uniqueness Score: -1.00%

Function 02FD610C, Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

lir, xrefs: 02FD611E

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 7934679f5fff3cf240a038c6cc0fa55607ad563d76c2ea60001a0c7b8054cb21
Instruction ID: 1f32985eeccfb41d844449b1f69c43043f4165a551a1a79eab03ca2b8109d992
Opcode Fuzzy Hash: 7934679f5fff3cf240a038c6cc0fa55607ad563d76c2ea60001a0c7b8054cb21
Instruction Fuzzy Hash: 65D05E25F852142B9B54AE79A8146BF378E6EE1A96344842FE506DA384DE114C024399

Uniqueness

Uniqueness Score: -1.00%

Function 02FD6110, Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

lir, xrefs: 02FD611E

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: lir
API String ID: 0-3872640509
Opcode ID: 06860887c727e7c74e99851a80c37355258df3b1db43ef56f7e8806fb2c19afd
Instruction ID: d22449ffe1f3d3748c276c5ff6636a18a2a4e3509ec81ec1d2a287b95ac73b12
Opcode Fuzzy Hash: 06860887c727e7c74e99851a80c37355258df3b1db43ef56f7e8806fb2c19afd
Instruction Fuzzy Hash: 55D0A714B45214175914AE7AE81457F378E5ED0996344441EE505DB3C0DE019C0143DA

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE498, Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb8286ac83605c48accdcda6be14b7e9403f70452d346d3cb4aff5a45331db7
Instruction ID: 43f654d90d5e7812856ac87284b32059b10510b0b0d875710aeea727a6696927
Opcode Fuzzy Hash: 4bb8286ac83605c48accdcda6be14b7e9403f70452d346d3cb4aff5a45331db7
Instruction Fuzzy Hash: 84E16B35E00205DFDB25CF68C494BADBBF3AF48394F188569E616AB291DB31EC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02FD61F8, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2917d47886e3eabfa621542a36a20f7b20d37bd46950c150af1a57b78850a7a
Instruction ID: a11c6a042c44f38e1306a068a5125f541bf899805bc7f2089192c360045ff521
Opcode Fuzzy Hash: d2917d47886e3eabfa621542a36a20f7b20d37bd46950c150af1a57b78850a7a
Instruction Fuzzy Hash: F781A231A00619CFCF15CF14C890ADAB7B7BF85344F098595CA0AAF205DB71AE8ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 02FDACFF, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0676334deefbbadfb69e00616d9cbdc1aec4642a0374d336a950ad4840eadc9
Instruction ID: bdde20775b4630d5cf4c5b66c52ebd2bcf0a74e77854554bac297b9c499b7b7d
Opcode Fuzzy Hash: f0676334deefbbadfb69e00616d9cbdc1aec4642a0374d336a950ad4840eadc9
Instruction Fuzzy Hash: 1481AC30710516CBD704EB78C890B6EBBA7FFC4304F648629D61A9B694DF70AD468B92

Uniqueness

Uniqueness Score: -1.00%

Function 02FDBE89, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c017df15e2f2af1aa3200cf863768c83ee390c58d0d90cd5d6c64948b5e74a22
Instruction ID: c7db50af41e39b24cd0ada65e9bb4b92c9f3ee13248806eca60b3d5c11c7cab6
Opcode Fuzzy Hash: c017df15e2f2af1aa3200cf863768c83ee390c58d0d90cd5d6c64948b5e74a22
Instruction Fuzzy Hash: C77112322043418FD715CF68C8D4A69BBB2FF85358B1E85AAD656CF692C330EC45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02FD4DB8, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56cc2b1733876a3056d96256852ed632661846fa67b4c6656d54c5cad4a5cd32
Instruction ID: 3877117518a7ecc07b943b72bbad970516b72f906c6d95b101c6033013033f63
Opcode Fuzzy Hash: 56cc2b1733876a3056d96256852ed632661846fa67b4c6656d54c5cad4a5cd32
Instruction Fuzzy Hash: 6161A231704205CFCB05EB78D49497EBBF7FB88390B188666D6068B6A5DB34EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD76D0, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08e16ae85c84aa0cb81fde2afa1f3bcd63ef74c1ed62ccdcb108837753c4430
Instruction ID: 6f17d7d55673a15afa3d10cd453017471deec32a55bc5b3eaa27f32832ae264e
Opcode Fuzzy Hash: f08e16ae85c84aa0cb81fde2afa1f3bcd63ef74c1ed62ccdcb108837753c4430
Instruction Fuzzy Hash: 2D31F932A00619CBDF11DF14C854ADAFBB2AF85345F5585A4DA09BF205DB706A8ACFD0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7320, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3a12cd63718ad4ab91ece64e6b6350c68a88405fe1bf0901ed6ba920df97b4
Instruction ID: 6e604162598574bdf915550432a1c6680d61c1617fbe9120096a6b7c5b4cd7b8
Opcode Fuzzy Hash: fb3a12cd63718ad4ab91ece64e6b6350c68a88405fe1bf0901ed6ba920df97b4
Instruction Fuzzy Hash: 78513031B002158BCB05EBB9C5506AEFBF7AF84750B688569C50AAB385DF35AC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7BB8, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c65a9db32ad68ab4a1e7ca6b4dd8dd44b80a4cf94edf9cd2ecc7022673bb6ed8
Instruction ID: dceecb088707a37d2ed55853d0655baca967125a5dcf35905f7b7992af5238bd
Opcode Fuzzy Hash: c65a9db32ad68ab4a1e7ca6b4dd8dd44b80a4cf94edf9cd2ecc7022673bb6ed8
Instruction Fuzzy Hash: CA511775E00618CFCB24DFA8C98469DFBF2FF48350F24866AD95AAB294E7316945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7E89, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb9a3fc0ebb02144cdc79fadf2a743a65a1aec97bd84c2927d59f2abe2c3b874
Instruction ID: bf5df456350e1b1739f5341827d0cca6fa4fa5e49d88927e73243c736d8967bd
Opcode Fuzzy Hash: fb9a3fc0ebb02144cdc79fadf2a743a65a1aec97bd84c2927d59f2abe2c3b874
Instruction Fuzzy Hash: 52514F34A00215CFCB14EB78C494AADBBF2BF85380F6442A9D54ADB395DB309C45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02FDCDF8, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0b6e992f2ade799e284d2a069a2fe0fe11d3a329e8723fa3568cc5d2f4cd6f
Instruction ID: d91f6a30404bc910b4882a5fd7948315c4730af137ec34afc257b10a19991277
Opcode Fuzzy Hash: dd0b6e992f2ade799e284d2a069a2fe0fe11d3a329e8723fa3568cc5d2f4cd6f
Instruction Fuzzy Hash: 0141A271A00601CFD724DB79D8946ABBBE7EF88394F28D62AD65697240DB34E841CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0681, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0681201bae7386c96748eec03f7b397cc24d9bb79260a56193d4ca017597405c
Instruction ID: 78fad2db44057af9cb10f080cdf3feb47cc098949073a55cb291827955d816fe
Opcode Fuzzy Hash: 0681201bae7386c96748eec03f7b397cc24d9bb79260a56193d4ca017597405c
Instruction Fuzzy Hash: 81414831A14205CBC725AB78F81C66D3BA7FF94742B18556AE602CF2A8DF704C01CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0BC0, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c6bf7187b5e6df4356f5cde8660bcb3f1bbe6fd6e5a6836f522e1cb246f11d
Instruction ID: f9e4894ef4c7d7930c7375e1d97561a5e3f022c83c9b5ffb8632c3681b01cf74
Opcode Fuzzy Hash: 89c6bf7187b5e6df4356f5cde8660bcb3f1bbe6fd6e5a6836f522e1cb246f11d
Instruction Fuzzy Hash: 2F417432B04114CFC7159F68D4146AE7BE7AFC5350F15846EEA06EF295CEB29C0AC791

Uniqueness

Uniqueness Score: -1.00%

Function 02FD8508, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb9c6b865770219451adb26c03cf2c62dc60a301631ee5dae2f43bc4428bd9be
Instruction ID: 5c77922e2b18c592dd54d7d15e50ddf2693e71d65d81f4494dc4f94ea2a7cd5b
Opcode Fuzzy Hash: cb9c6b865770219451adb26c03cf2c62dc60a301631ee5dae2f43bc4428bd9be
Instruction Fuzzy Hash: 96417236B0410ACFCB00CF68D984AADBBB2FB443A4F188266D61697751D731EC57CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD6EA0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96fce49520fec1d086e89349ee0d1c256d4409b926184481c39896c2fa30b08
Instruction ID: 257f16c84322e6c8cf83edfc540d140593f19acf22d5ced99726cbf662f567f8
Opcode Fuzzy Hash: f96fce49520fec1d086e89349ee0d1c256d4409b926184481c39896c2fa30b08
Instruction Fuzzy Hash: 9B41AF30A00200CFCB15EF68D46426D7BB7FB8D7517684169EE0ADB386DB35AC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5920, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c3155f4ebea91d0225ab1fae8110f8260910b8dff45f837fa114de098361d8
Instruction ID: 0b12b65cd41976a9feaf7fb001b21f9c0c28a3ed1d7cfa3f099e259b6733b6ca
Opcode Fuzzy Hash: b1c3155f4ebea91d0225ab1fae8110f8260910b8dff45f837fa114de098361d8
Instruction Fuzzy Hash: 2B417331B052118BDB156775A46873E37E75FC86D1B9C4569EA06DB384EF34CC01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0690, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629389a7dacf3d2f15b5469d5020af0ff9a4000b5ae25295147b6bb152443bc4
Instruction ID: bf9e78f0c59192fa535a084df31f34e2f694ca4edad59dfbf2b9927fc8021fc2
Opcode Fuzzy Hash: 629389a7dacf3d2f15b5469d5020af0ff9a4000b5ae25295147b6bb152443bc4
Instruction Fuzzy Hash: 04412531B10205CBC7246B78F81C66D3BEBFF94742B58556AE602CE2A8DF704C018BD6

Uniqueness

Uniqueness Score: -1.00%

Function 02FD2BF8, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc471ff97e0e9f213f9ceee23ebfe25037e566969ce4b3dfa70f94789cc91319
Instruction ID: 644ed8f3db4d4b97df09b1d49cb16530805bbe45f9abaf93812cf9e1b2f623a8
Opcode Fuzzy Hash: cc471ff97e0e9f213f9ceee23ebfe25037e566969ce4b3dfa70f94789cc91319
Instruction Fuzzy Hash: 06410332709355CFC7258724DC98978BBB6AF422A4B1D89ABDA56CF263C7218C41C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD6EB0, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc65e2934f9e959e0a5a989fd72e69370eeb327557fb4937a9ae1ca0f317ab40
Instruction ID: eddf24333fa60bca3c05e00bc46c0625baf2d13762129547d18ca7ed59fba763
Opcode Fuzzy Hash: fc65e2934f9e959e0a5a989fd72e69370eeb327557fb4937a9ae1ca0f317ab40
Instruction Fuzzy Hash: C4417C34A01210CF8B15EB69D46426A7BE7FB8C7517684178EE0ADB386DB35AC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD9228, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a59496899bae3bc6886cdfb9e2872568efcc3d270aa3693c52cc482c86fea4
Instruction ID: c6a0929db2a52d83beadcdabdd161a699ed56530bc4062cf71fca3ee49bd7c65
Opcode Fuzzy Hash: f6a59496899bae3bc6886cdfb9e2872568efcc3d270aa3693c52cc482c86fea4
Instruction Fuzzy Hash: D541063270D2818FC7159BF8C458775BFE6AF02256F0D81ABD696CB992C7B49C04C751

Uniqueness

Uniqueness Score: -1.00%

Function 02FDB0A0, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c387bc3eb310eb5f3a5378529a55d1ded2b88f0d270982483fcdda80ff5e35f
Instruction ID: 85f2e3bfe2e12d982f9adc7f6a8492ef602692aeb6463fee055f8e698b29d8b6
Opcode Fuzzy Hash: 9c387bc3eb310eb5f3a5378529a55d1ded2b88f0d270982483fcdda80ff5e35f
Instruction Fuzzy Hash: 0F31EE71A006658FCB18CFA9D89066EBBF2FF88354B24852AE906D7740DB31EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FDD380, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d73545d6c8cd29fc924b4a971ff3c0f516d9b868038fb8bc0be605b19f5bb9a3
Instruction ID: 37be6cc3bf45c27d8fb499605683b9e0515575a1088937dfd708fe9fc16bbaa0
Opcode Fuzzy Hash: d73545d6c8cd29fc924b4a971ff3c0f516d9b868038fb8bc0be605b19f5bb9a3
Instruction Fuzzy Hash: EA417C71215204CFCB49DB28D4145697FE2EB4A3093688AAEE605DF356CB36AC0BCBC0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD02D9, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca8a1021f92f561dd1f29ee26c3b08e3685a16b34d375f1476f9e37f55540a2
Instruction ID: d43f25a900aa6be9876c3791a1866d24a1af4877396c101f9dc3dfbd1450f7c6
Opcode Fuzzy Hash: 6ca8a1021f92f561dd1f29ee26c3b08e3685a16b34d375f1476f9e37f55540a2
Instruction Fuzzy Hash: 9F411531E052059FDB58CB68C154BAE7BB3EF89750F18846DDA06AB3A0DF71AC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0006, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2692a373f5a6198c8e03eec944374940cf0962550a26fce0c53ee98cd310b8a0
Instruction ID: 64a3f0d06b1f4bbea6d317c3de2af1a465dd551daab861e635ea3c67b4635505
Opcode Fuzzy Hash: 2692a373f5a6198c8e03eec944374940cf0962550a26fce0c53ee98cd310b8a0
Instruction Fuzzy Hash: CD317E3161E381CFCB02AB74C8681A43FF2FE56360B4944EED581CF662DA795C46DB22

Uniqueness

Uniqueness Score: -1.00%

Function 02FD20D0, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b953cf27e76286e2697a382ebb2196619a9254fdb71daf324767eb71c11b665f
Instruction ID: b902a848ddd1d0fb6dd0ae28555ca89cc1cf0a111e3f7c9b848a5281d21cae7e
Opcode Fuzzy Hash: b953cf27e76286e2697a382ebb2196619a9254fdb71daf324767eb71c11b665f
Instruction Fuzzy Hash: 85316F31B04206DFDB05DF68D89067E7BB6EB84780F198066CA069B256DB74AC41CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD43C0, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 911e2f4282044772626d6c798da3c0a6b7d4754ed23e5df5a85df02370b9525e
Instruction ID: 104a9ebeb579997ab5da6bfd01834c5af5f31da98f15741be4384d80a968a53a
Opcode Fuzzy Hash: 911e2f4282044772626d6c798da3c0a6b7d4754ed23e5df5a85df02370b9525e
Instruction Fuzzy Hash: DD31F432600105CFCF01DF68E8589AD7BF6FF49344B1482A9EA069F269CB35AC56DB80

Uniqueness

Uniqueness Score: -1.00%

Function 02FD45C8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce62240a379f2a3b37b26b73dacd526f07ea2119bee51205766e3d117f96e927
Instruction ID: 72b499b498aa19b75d30948a1ca34834af4d405f7d4fc973f537feeb87394678
Opcode Fuzzy Hash: ce62240a379f2a3b37b26b73dacd526f07ea2119bee51205766e3d117f96e927
Instruction Fuzzy Hash: 34217576F0011A9BDB04DA95D951BFEF3FEEB88280F184126D71AD3240E7705914CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE9F0, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e35cb48fd0d10dc62d67b8466ab575f0c518a52ace07d5d53bf84b48d735ba
Instruction ID: 77018c5015b59ddb6a7d535f90a35c4da42fb948d5b178c9da8851aa9e171732
Opcode Fuzzy Hash: 43e35cb48fd0d10dc62d67b8466ab575f0c518a52ace07d5d53bf84b48d735ba
Instruction Fuzzy Hash: 06411D31A04B52CFD339CB2AC554766BBE2BF85349F18C86EC2974AA90D775F441DB00

Uniqueness

Uniqueness Score: -1.00%

Function 02FDCE60, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9becd449ba6d4bfdc2e331b23e3210785da6b1c44f40f51de1d03fc582565f
Instruction ID: 315509b6438974c1d083d36c3cd4b1ed12bc32b1b79e4b171f6daabb4b6d2b9b
Opcode Fuzzy Hash: 8a9becd449ba6d4bfdc2e331b23e3210785da6b1c44f40f51de1d03fc582565f
Instruction Fuzzy Hash: 18315E71A00205CFDB14DB79D954AAEBBF3EB88380F58952AD6429B244DB349C41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD50E0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe71519d88bdc26003376f0a1e5a0be73d159b486b6dfda0ddc87c337a107a1d
Instruction ID: 2fdd5e3e4608cca92adc83ba26307714ce2968124393b501e461e304cbd0c4f0
Opcode Fuzzy Hash: fe71519d88bdc26003376f0a1e5a0be73d159b486b6dfda0ddc87c337a107a1d
Instruction Fuzzy Hash: A1215C31A003099FEF04DFA9C4146AEBBF7AF89340F544529D60AAF355EB70A945CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5B51, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04584b73496ca511c25707deca9569f580a32ce27bf1a581e2d3928e4b58849
Instruction ID: 0d5726ee7a0e2766fa793f0df2f0e1e6180353e5cdb56da3574ed1fc4be67167
Opcode Fuzzy Hash: b04584b73496ca511c25707deca9569f580a32ce27bf1a581e2d3928e4b58849
Instruction Fuzzy Hash: 5A21A372F011048FCB589AB9C8505BEBAE39BC9350B58853EC507EB781ED31CC418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7311, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c443962ee8bd95348f8818a652e6d9041b69de81566840e0940d55c131d129f
Instruction ID: 1e8882e19a69d272fbd38040b970be2c83084d7118dff66707fc2c83deb1761b
Opcode Fuzzy Hash: 4c443962ee8bd95348f8818a652e6d9041b69de81566840e0940d55c131d129f
Instruction Fuzzy Hash: 1E313E31F002098FCB04DBB9C4545AEFBF3AF88354F14856AC909AF255DB35AD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE178, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1349203d795e140e721a20abda415644c84ed58d98cd99309a54de1f03e547
Instruction ID: 8747aa8f177015f8841c40565bd3c62641abf446ab40fc93fce36a2e5720004e
Opcode Fuzzy Hash: da1349203d795e140e721a20abda415644c84ed58d98cd99309a54de1f03e547
Instruction Fuzzy Hash: 98317F71B00605CFCB15DFA9C5806AEBBF6AF88301F548429D606EB750DB75DD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD43D0, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d45fb7730279a5b43dc1005fb065f00aa8d0544214df076ec2c55f3565c9384
Instruction ID: d7b9aa30709f2886bc789b6a4fa1c7db0500b314a7312ba01be06fc20b011a09
Opcode Fuzzy Hash: 4d45fb7730279a5b43dc1005fb065f00aa8d0544214df076ec2c55f3565c9384
Instruction Fuzzy Hash: 6531C032600105CFCF00EF68E8589AD7BF6FF88344B1482A9EA065F269CB35AC55DB80

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE021, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f80cc8b5d4559130bfa8b4e9fb535874ac10904d53557983e293abab8494b9
Instruction ID: 087353f38563d6616973ed20d12aa4cb3af066c19197fb179f9bc2c60ff0533c
Opcode Fuzzy Hash: 39f80cc8b5d4559130bfa8b4e9fb535874ac10904d53557983e293abab8494b9
Instruction Fuzzy Hash: 94313C30310701CFC759A778C46066A7BE3AFC03147A4892CD5469F758DEB6ED038B84

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE188, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8f5fce6d42eb4d3d0051ceea46e24c75ad3c6716fa48c9602b6329dd1cfe51
Instruction ID: b25890069edb8ec43e42bb10522b56d41eca14e9d4c5deb8c3ae346f9dde0257
Opcode Fuzzy Hash: 8a8f5fce6d42eb4d3d0051ceea46e24c75ad3c6716fa48c9602b6329dd1cfe51
Instruction Fuzzy Hash: 85312D31B00605CFCB15DFA9C4446AEBBF6AB88301B54842DD6069B750DB75ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD8670, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629e9b6ca04901fcc609d42903396e840ecbe4c40ef10c7c9e797d58395070eb
Instruction ID: 200c27116d0c013162e5075c8dc38c9c04ff11947d989e13169d16320cc97d86
Opcode Fuzzy Hash: 629e9b6ca04901fcc609d42903396e840ecbe4c40ef10c7c9e797d58395070eb
Instruction Fuzzy Hash: 3831AC35B24204CFC758AB78E41593D3FA7EFC4391759846AE602DB2A1DF389C02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD55E8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8085a571b408b08b20c48904f65d03e28b4f8ed6374dc9f5b53ccafd2932fd7
Instruction ID: 1c61ee6515895b0636ac45a3a65767af374206e5009f47d00341fab49565f36c
Opcode Fuzzy Hash: c8085a571b408b08b20c48904f65d03e28b4f8ed6374dc9f5b53ccafd2932fd7
Instruction Fuzzy Hash: 8221D335B102058BDB18AF78C4557BEBAE3AB88750F18006AE602EB3D0DEB58D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FDA988, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf06508022282310e9dd5b3425491403ce1b9f8e80fc9f23ca44c4b06a2e538
Instruction ID: ba593aa1375464ebe4ab3ec5db99671a0870d2978624fa4224730704cf7a8531
Opcode Fuzzy Hash: edf06508022282310e9dd5b3425491403ce1b9f8e80fc9f23ca44c4b06a2e538
Instruction Fuzzy Hash: 7121B571B04259DFCB14DF74C950AAEB7F2FF88790F18496AD202AB240DB70AD40CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5B60, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bee366c274eef9418356da3e33b6d4c443db7e67eb6fc0dd8501c437edc26a
Instruction ID: 8eebb5db77bb56d675080a672ef23748f27d820977a1aae8a6b2be6f4965bc67
Opcode Fuzzy Hash: c5bee366c274eef9418356da3e33b6d4c443db7e67eb6fc0dd8501c437edc26a
Instruction Fuzzy Hash: 48218472B001049BCF19AB7984505BEBAE79BC8350F58443AD607E7381ED35DD418BE5

Uniqueness

Uniqueness Score: -1.00%

Function 02FD6CDB, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7083c7f1f2286723858cd704a19d5d9eb658a9913172ab8021123617177ae915
Instruction ID: aec1a0821af457ed34309fe26d3dc0523607695ac3b3e4e277b1358587c7ca14
Opcode Fuzzy Hash: 7083c7f1f2286723858cd704a19d5d9eb658a9913172ab8021123617177ae915
Instruction Fuzzy Hash: 5B318F30610211CBC715EB38D46816C3FA6FF853993A4966CE606CB344DF769C46CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5831, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6323beaf633f0ce6b1a12a9d1a87ca0d9084ac02daeb0f9ee1404dbe56f897d2
Instruction ID: d5b3f540eea3f0a83c867f16b8bc9e6018a89348ee8affe7be53719a0740fbc7
Opcode Fuzzy Hash: 6323beaf633f0ce6b1a12a9d1a87ca0d9084ac02daeb0f9ee1404dbe56f897d2
Instruction Fuzzy Hash: 1021C631B151049FCB08A7BDC85097EBBE7AFC9390B98457AC6039B291ED708C0987A1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5DE8, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3559a24d49a9ce03c24f3b51b2536d7287d4dca165ff253ae613fa03200c4d
Instruction ID: 43ac9b7499e6dd1b03e9819563d390ca91866cc21b87ebc6c79d2b2bbd2056a9
Opcode Fuzzy Hash: 2d3559a24d49a9ce03c24f3b51b2536d7287d4dca165ff253ae613fa03200c4d
Instruction Fuzzy Hash: FF21F232E143148BCF61FFB898911BE7BF7AF80790B99446AD606CB201EB348900C792

Uniqueness

Uniqueness Score: -1.00%

Function 02FD8C16, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52ad4fc08fda4e88e84d74bba2deb04bde87451da546029c57b2a61d38e68468
Instruction ID: 2a478e41c1f16ceca7054e5a791cf14970a0b74acf97917e6e9530e46f23ac4a
Opcode Fuzzy Hash: 52ad4fc08fda4e88e84d74bba2deb04bde87451da546029c57b2a61d38e68468
Instruction Fuzzy Hash: 8731CB30E10249CFEB20DF69D84536EBFB2FF84344F18D529C506AB650CBB4A886CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02FD21E9, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cde063dcc4ee90fd4ae6405336864647faf2f435fca234d37a4fe6779b808bb
Instruction ID: 9d700198a0a7571a71e7c21fd3ee75ff336437fed488d3bf89ae2885e13c019c
Opcode Fuzzy Hash: 7cde063dcc4ee90fd4ae6405336864647faf2f435fca234d37a4fe6779b808bb
Instruction Fuzzy Hash: 85311A31E08209DFDB84DFA4C1457BDBBF2FB45345F1441AAEA0297266D7358A41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02FD25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd88180b13d50f49eec748fac256ea409c3b2b601cdebb5357e4af51f6954d20
Instruction ID: 6392cd43b1f620297485620f354b155974171850f97e03b9bfe2db176d7ee4ad
Opcode Fuzzy Hash: dd88180b13d50f49eec748fac256ea409c3b2b601cdebb5357e4af51f6954d20
Instruction Fuzzy Hash: DA31AA70E00249CFDB20DF65D45479ABBE2FF84354F28D269C9049F259DBB49889CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02FD8820, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bbfb935c4bfea6f35ac9f531b81fa0df3cfefb9c9177b942eb40413fd7a294d
Instruction ID: 2839198d6a0b3afd428ac547914ebfbba4777c4508b8b01854e9265ef51005d7
Opcode Fuzzy Hash: 4bbfb935c4bfea6f35ac9f531b81fa0df3cfefb9c9177b942eb40413fd7a294d
Instruction Fuzzy Hash: 2E318D70E48249DFCB15CBB4C555ABD7FB2FF41390F1881AAD603AB290D7359A42CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02FDB090, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8227c2f4f92b67fe0d4581f481bec2212b54b75b823c51c22b8a4e0c37020bb5
Instruction ID: 6689449c81cf29e5d6acdab9e8eb9464cd3ca51e021829564c462b6e385ff157
Opcode Fuzzy Hash: 8227c2f4f92b67fe0d4581f481bec2212b54b75b823c51c22b8a4e0c37020bb5
Instruction Fuzzy Hash: 2E21D1B6E042658FCB04CFA9DC944AEFBB2FB8D304B15812AE919E3350D7309D01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD50D0, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e14a6eb248b05fde3fdf8fe5164ce5bcc3f1e021a5ed60fa8438b4e358232c6
Instruction ID: 7fbc93c91c349a3ca23a11ad256362f027fd8ead5f71d529718c093f7a5b7987
Opcode Fuzzy Hash: 2e14a6eb248b05fde3fdf8fe5164ce5bcc3f1e021a5ed60fa8438b4e358232c6
Instruction Fuzzy Hash: 02116D71D013099FEF00CFA4D8146EEBBF2AF89350F554529CA09BB250E770AA4ACF80

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5840, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0e5e27d71808794c99fe4a8433c9d2499bcf32a6b3be0e76a3106cdb75c2f1
Instruction ID: 00e1c7cb99e67e127b92ff255326c4cb0046a8f5f939b72a4af9be5f7a0c9524
Opcode Fuzzy Hash: ce0e5e27d71808794c99fe4a8433c9d2499bcf32a6b3be0e76a3106cdb75c2f1
Instruction Fuzzy Hash: 6D11B6317101159BCB08A7BEC850A7FBAEBAFC8394B98453996179B391DD709C0987E1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5000, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb6ee42e126936b6b981a69c7e74efd66e0500e8eab1a77ae76de651a5b6267
Instruction ID: 3439dcab137664e7429a38c43f757c2d9d3854eec30992ce420574854682206c
Opcode Fuzzy Hash: 3eb6ee42e126936b6b981a69c7e74efd66e0500e8eab1a77ae76de651a5b6267
Instruction Fuzzy Hash: C5117231B00116CFCB44EBB9985437E7BE6EB88A90BD84175CA06D7280EF349D01CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 02FDA978, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f310f5903377ce6741e6d155808778520025e206029864d6863976c43e3e17
Instruction ID: 6011dc6c5d62264a25bf0a395722d0aa658abb2a8393fe36818217a8f3ea38a1
Opcode Fuzzy Hash: 71f310f5903377ce6741e6d155808778520025e206029864d6863976c43e3e17
Instruction Fuzzy Hash: A511E171B14259CFCF10DA74C951BAEB7F2BB84780F18456AE202EB280EBB09D00C799

Uniqueness

Uniqueness Score: -1.00%

Function 02FD48C8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce2364706abbb0bab3e998a7606e01193a260755f13a7f5c6122d2c15a9ac21
Instruction ID: 6186909c3ffd33e4a02718e5dcb1831f46e5dbc41dc9fc0dff57a30959a89cf8
Opcode Fuzzy Hash: 2ce2364706abbb0bab3e998a7606e01193a260755f13a7f5c6122d2c15a9ac21
Instruction Fuzzy Hash: BE11A733F041199BCB08DA69D8609FE7B77BFC4750B084429DA06B7285DD305A06C792

Uniqueness

Uniqueness Score: -1.00%

Function 02FD48B9, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6521f6d2ce0209f19a070d92584664abbf5e7b6613fe30bba13f61c6bf696653
Instruction ID: 55118787a9ef5d4b3d5e53876ab0f3edeb2ae8fd2284ca529bbfa41f32304bba
Opcode Fuzzy Hash: 6521f6d2ce0209f19a070d92584664abbf5e7b6613fe30bba13f61c6bf696653
Instruction Fuzzy Hash: DC110632F052189BCB48DE68D8609FEB7B7BFC5750B09402ADA02B7250DE305E06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03060845, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595781312.0000000003060000.00000040.00000040.sdmp, Offset: 03060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f570573c0e8505f66b5cf2e1b6c144ce507a9b117fb3d3e7c28a328b0b809f3
Instruction ID: 1b2e136722a6b49b05438898c8a4a0c5de0cda4222d6f688e5c0649156a4e6e4
Opcode Fuzzy Hash: 9f570573c0e8505f66b5cf2e1b6c144ce507a9b117fb3d3e7c28a328b0b809f3
Instruction Fuzzy Hash: C2217F3514E3C49FD707CB20C850B11BFB2AB47204F2D85DED4858B6A3C33A9916DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0B18, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91306eef44564ff1363876d8cd591d17528d669d45c9612ce6b4d73532689ca1
Instruction ID: 5606d2731f66b7f6ba3fecf4b62804a55d6a55a362144b09c9b3fb1c5e966edd
Opcode Fuzzy Hash: 91306eef44564ff1363876d8cd591d17528d669d45c9612ce6b4d73532689ca1
Instruction Fuzzy Hash: 80118422FAC256EBCB246674881477E729B9B847DCF58856E9B13EB240FF70D900C791

Uniqueness

Uniqueness Score: -1.00%

Function 02FDC8D8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec19dabd0496e45bd8d2c1d38cce5c2b1b57540c77652eb8b6a13f85c9be387
Instruction ID: e2737b38fcf114202133b1cae60d5eb0d69b255e2d566c43315f93e25435baba
Opcode Fuzzy Hash: 2ec19dabd0496e45bd8d2c1d38cce5c2b1b57540c77652eb8b6a13f85c9be387
Instruction Fuzzy Hash: 0D115131B041119BC748AB69D460B7EBBE7DFC9790718806AE90ADB391CF31EC02C795

Uniqueness

Uniqueness Score: -1.00%

Function 02FD4520, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae26344e41b9103016a6f6fb5af2a9456ab75f28561fd5aa6fddfb391919391
Instruction ID: 9a76c7fb8bf18f1bf8ed3550e69c563826d18331d448b96f255fd8799fd2c904
Opcode Fuzzy Hash: 6ae26344e41b9103016a6f6fb5af2a9456ab75f28561fd5aa6fddfb391919391
Instruction Fuzzy Hash: 68018C33F045148BDF14DA59E4102EFB7A79FCA3A1F08407AAE06AB380DA769D45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02FDCA08, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7bdb01f0b5f13936722de7c493d466feec38e1c72b7701bbf876608525d4954
Instruction ID: 6cadc1c6c025d12c38971b36a0a76cbeac84d2af5a4e0926b7d11e5e50462763
Opcode Fuzzy Hash: a7bdb01f0b5f13936722de7c493d466feec38e1c72b7701bbf876608525d4954
Instruction Fuzzy Hash: A411C432318241CBC215E778C56413DBBE39BD264439C896E930B9B380DF76AC46C752

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5730, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d141dd41d86bd8751e0bbeb01865d717c87e8ac372d92edfdefdb5de686aa4
Instruction ID: 747112bd612859a3eb5b4de680e99bdb4480d241517c563c65ae4dc92fdfa4fd
Opcode Fuzzy Hash: 41d141dd41d86bd8751e0bbeb01865d717c87e8ac372d92edfdefdb5de686aa4
Instruction Fuzzy Hash: 20118231A4120DCFDB14DF74E451BBE7BB6EB88390F64522AC60197280E7359D01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FDCC58, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526ea288cb4be682161d8d1f1c828f59d4d0a0fe41c5971afe1a39a1e585590c
Instruction ID: 1c2f15a2baec57d3bc7b961da2caea4ed3e055ed142b9c6c6e063138061a606f
Opcode Fuzzy Hash: 526ea288cb4be682161d8d1f1c828f59d4d0a0fe41c5971afe1a39a1e585590c
Instruction Fuzzy Hash: 67114C35700641EFC724DA59C594A26F7EBFF88254B18C91EEA5A87B60CB71FC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0306087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595781312.0000000003060000.00000040.00000040.sdmp, Offset: 03060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d12326d0f29e54b95153f86fce3e741d46afdb7f8a9a8fc8831b1c611d011034
Instruction ID: 0d8612f40c8e6ac96caf022887ec764853cda640990177def82c7e5d2e6d97ae
Opcode Fuzzy Hash: d12326d0f29e54b95153f86fce3e741d46afdb7f8a9a8fc8831b1c611d011034
Instruction Fuzzy Hash: 62110634249384EFD305CB14C540B2AFBD5AB88708F28C99CE9890B647C777D803CA91

Uniqueness

Uniqueness Score: -1.00%

Function 02FDC9F8, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5211185846ce4f26408a8d5ec3eef5e99b8d388caa52a8f9876a5901752beb5d
Instruction ID: 162a43a53bc57252125e63fac80aa751a449a7325ed3942dcf1131f6fbb2a008
Opcode Fuzzy Hash: 5211185846ce4f26408a8d5ec3eef5e99b8d388caa52a8f9876a5901752beb5d
Instruction Fuzzy Hash: 8211B2713182408FC715E778857413EBBA39B9214839C895FC24A9B241DE769C46C751

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7BA8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd6065e8641f20f91b66e79857e12cc9e6f65d584833fd8d42b69a4d661757ae
Instruction ID: 28d8e4007752cb4f6473cbdff0a256f434e05d305c7a82ac6faeffe0fdfa9446
Opcode Fuzzy Hash: bd6065e8641f20f91b66e79857e12cc9e6f65d584833fd8d42b69a4d661757ae
Instruction Fuzzy Hash: 6611C432904204DFDB25DF68D4046E9FBF2EF49340F1445BAD602AB1A0D7316D45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FDDD29, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2998604f9e372b5db3c9a755a6c8ff1ff5ee156ee08c1797558b0655fb6a7280
Instruction ID: a9f3270f2aa11be7a6883ab18a162b0157186499fe4d2f6f5e92e18377c6d8ef
Opcode Fuzzy Hash: 2998604f9e372b5db3c9a755a6c8ff1ff5ee156ee08c1797558b0655fb6a7280
Instruction Fuzzy Hash: 070192327102609FCB142BB9981867F7FEBEFCA294755857AD506CB382DD358C0287A0

Uniqueness

Uniqueness Score: -1.00%

Function 02FDC5F0, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af694027440688a2ae38a5674b3a513b16351281e5d779abbfa8890a0603be0
Instruction ID: 9b6965ebe52ea9adfd63dfbad5a1471ae42e98b186e5060bff2ea889f8168e8e
Opcode Fuzzy Hash: 9af694027440688a2ae38a5674b3a513b16351281e5d779abbfa8890a0603be0
Instruction Fuzzy Hash: FD11CE347142109FC3059B38E059B3E3BABEBD9711F4954A9EA06DB386CE349C42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02FD11DF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdfc01f740f3ea50d0a43e4a17eb070a9ffcce1e10e1ccfe8b5ba8f81980c6a
Instruction ID: 2eb88bacce10aa316820f2942bf66aa6de218a6e5a1f88f46981a87ea8734836
Opcode Fuzzy Hash: 4bdfc01f740f3ea50d0a43e4a17eb070a9ffcce1e10e1ccfe8b5ba8f81980c6a
Instruction Fuzzy Hash: 86115231319280CFC7059B38D468A6A7FF6AF8A35271941EBD64ACB6B1CA664C09CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02FD4FF0, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b970fbe1c2a22239066f6afa51ded41480371e97f9085cf9c65eae2a4ec4f990
Instruction ID: d5da702741872e37a21b5be9581d8332498d8d76fcdce3165142b2c0f512decb
Opcode Fuzzy Hash: b970fbe1c2a22239066f6afa51ded41480371e97f9085cf9c65eae2a4ec4f990
Instruction Fuzzy Hash: E0018872F15206CFCB40DA74D8553BEB7F6EB48A90BD84276CA05D7241EB305901CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 02FD4789, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab6f5c5a28368f0dcb596a60adae516032ca68035e87ca1f72dc5a16112a88d
Instruction ID: 0c351113a0d37d2bcebf64337fe47afcfcd072dbfcfd83aefceb25d700c4bebd
Opcode Fuzzy Hash: eab6f5c5a28368f0dcb596a60adae516032ca68035e87ca1f72dc5a16112a88d
Instruction Fuzzy Hash: 89016D31E012088FCB94EFB8D4542BEBBF6EB99350F20453BC509E7280EA305E468B95

Uniqueness

Uniqueness Score: -1.00%

Function 02FD54F8, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276472473d414adbdd9b2a6ce0ac7a234c303ae159b96b2c2821b6fc249a7b97
Instruction ID: 21c8b57d9cadb0b52c22145aef6e9da6f378891ff8693b5e647ac85472617b65
Opcode Fuzzy Hash: 276472473d414adbdd9b2a6ce0ac7a234c303ae159b96b2c2821b6fc249a7b97
Instruction Fuzzy Hash: DE115E31A112058FCB55DFB8E855BBE7BB6EB8C384F50462AD605D7290DB349D41CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD05B9, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 582e812d02f0298a85b5ecf305140f60c30fd12219d4878b29bfd518dc41c1a5
Instruction ID: 761dc5a77c46c03eae4f0fd9e3c4f2fd5231432973e5ebe14157b5affba83161
Opcode Fuzzy Hash: 582e812d02f0298a85b5ecf305140f60c30fd12219d4878b29bfd518dc41c1a5
Instruction Fuzzy Hash: C901D1327142210BCB496A7C94213BF2BAB9BD6651B98416FD106DF380CD748C0283D6

Uniqueness

Uniqueness Score: -1.00%

Function 02FD4511, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6cbc417d74d215cefabdf3bb841aa3b3915b57e7681f21e17547a803746db4a
Instruction ID: fee3f7f38e60668a6d5f871e05e75b5d9442e0c876bf8bf023dd4d386c95e856
Opcode Fuzzy Hash: b6cbc417d74d215cefabdf3bb841aa3b3915b57e7681f21e17547a803746db4a
Instruction Fuzzy Hash: E601B132F042118BCB149A6894102BEB7E79FC6391B08817E9E06D7381DA759C05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD238F, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d9cb2628302363f37129c0b113f1da9212ea531c82f21c6fa138403007c400
Instruction ID: 6c31a253bcbc1ab454102746cba8622ec2ed886351c1d0382b5c317261627cd3
Opcode Fuzzy Hash: d2d9cb2628302363f37129c0b113f1da9212ea531c82f21c6fa138403007c400
Instruction Fuzzy Hash: A1117071E04219CFCB248FA4CA516AEBBB2FF45380F04416EDA02A7742DB711942DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 02FDA8E0, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d889d56ab781e5ddfab1e7edc36f9ded9f1b8d0f289766e59f4e19dc019ced0b
Instruction ID: a7d8ebbdfa9b3870949da394cde7bf9540e5b5de1910207e565d1431f6f8b762
Opcode Fuzzy Hash: d889d56ab781e5ddfab1e7edc36f9ded9f1b8d0f289766e59f4e19dc019ced0b
Instruction Fuzzy Hash: F4012272B146058FDB04DA20C86267E7BF35B45384F0E402DC642E7680CF72AD02CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5740, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ab9812109a8312cd0473080f146774e03b00d7561ef8efd589bc196a59b26e
Instruction ID: ef5d4a969cb35afa088f6fe690ac1fd99ae8022c287bd3d7c7fb44a67a1dda15
Opcode Fuzzy Hash: 80ab9812109a8312cd0473080f146774e03b00d7561ef8efd589bc196a59b26e
Instruction Fuzzy Hash: 07115E31A0020DCFDB14DFB5E950BBE7BB6FB88384FA0422AD605A7284E7359D41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7B20, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a1972496013f420c1e61baae94dc791affcf4e234f431e2e1e15bdb257824b
Instruction ID: c6c842baaf57f2237f751784550b31948d7dddc5e1bc9d2c515c797289502327
Opcode Fuzzy Hash: f9a1972496013f420c1e61baae94dc791affcf4e234f431e2e1e15bdb257824b
Instruction Fuzzy Hash: 07015E32B042089BDB14AA55C891ABFFBB29B84694F18446EC716AF684CF71AD01CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7B11, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34fb2ccdcff7c576a23f5e73b0b82e52cb7399a38cdbc5292db47c176041815f
Instruction ID: 03bcb73f6f2422e9e08f0398dd1c58edc186017b6bf9fd5ef3b5fe4fe812be9a
Opcode Fuzzy Hash: 34fb2ccdcff7c576a23f5e73b0b82e52cb7399a38cdbc5292db47c176041815f
Instruction Fuzzy Hash: 95018032A04604CFD754AB24C89167FFBB3AB84754F1C446EC606AF684CB71AD02CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FDA8F0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ac7c4658437536c3820bfd0269b8091932d5d393d978ad995383628683de83
Instruction ID: ee2e2cee6bee84753d759d715fc3fb6b5b8d6d7e8167b4d6da409b80689ca88a
Opcode Fuzzy Hash: 93ac7c4658437536c3820bfd0269b8091932d5d393d978ad995383628683de83
Instruction Fuzzy Hash: E201B132B045048BDB149A55C860ABFBBF39B84394F1A446EC247A7240CF71AD02CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 02FDDD38, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1b4e53b0bc7f8506ca714cabf57391a73a0070e11cbb7db855ae80386cc270
Instruction ID: 4abe094e5e3f5805bca9781209c9e55b08c19f8abe562ca80d4a316a00cd8792
Opcode Fuzzy Hash: 3c1b4e53b0bc7f8506ca714cabf57391a73a0070e11cbb7db855ae80386cc270
Instruction Fuzzy Hash: CF01A2327102219BCB142BB9A81862F7AEBEFC97A4B54443AE507CB381DD71CC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5508, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555cf99d7403183d79e2c70beaf12cbbad531eb805896e33fd446aa4db80cbf6
Instruction ID: 8437778b60297187963d294eade2a5090e21094908250b00444fbf43a15a5282
Opcode Fuzzy Hash: 555cf99d7403183d79e2c70beaf12cbbad531eb805896e33fd446aa4db80cbf6
Instruction Fuzzy Hash: 59115B31A112058BCB15EFB9E855BBE7BBAEB8C384F50452AD205D7280EB349E41CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02FDAAB0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd472a32b299bf8c749d28e7d2860e42a2e144deb4851ca81f3302f8dd981597
Instruction ID: a26ac20d5bd0e7341a967616df3fd07bb9e5570bcf40b099f8743a1e522507ed
Opcode Fuzzy Hash: dd472a32b299bf8c749d28e7d2860e42a2e144deb4851ca81f3302f8dd981597
Instruction Fuzzy Hash: B9018471F002088FCB50EBB9A8057AEBBF5EB88350F104176D708D3241EB305901CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 02FDC5E1, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c0ef442600b7a8cd17f4408af95aa7170b6c2b352b3f77ed7cd65995c129180
Instruction ID: ed5ce59254048a6069f9961e84030cb099a365acf447890a19b974b94945ef6b
Opcode Fuzzy Hash: 4c0ef442600b7a8cd17f4408af95aa7170b6c2b352b3f77ed7cd65995c129180
Instruction Fuzzy Hash: DE01F5347083908FC3029B34D0557393FA7EBC9312F4815EAE506CB2D6CA385C85CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02FD6BE0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4872742ea173bc43cd74848f092586931381efa38c3bf43717e9c49f28dc88d0
Instruction ID: c6230280c1631342a1828700585ffd8d5594b7939839bd90ec49dd8b58f90aa1
Opcode Fuzzy Hash: 4872742ea173bc43cd74848f092586931381efa38c3bf43717e9c49f28dc88d0
Instruction Fuzzy Hash: 28012172E001089FDB50DBB9E8507AEBBF9EB48351F644136D604D3280E7345945CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD6BD0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a63f06c24c5f386e90f795d36262954a746e0faba76ac2162bb1f6ed4a2220
Instruction ID: 77a5ef139b4fd1593fce5b00b214db076ebe58b92576395b3e878eb19a5503a4
Opcode Fuzzy Hash: e2a63f06c24c5f386e90f795d36262954a746e0faba76ac2162bb1f6ed4a2220
Instruction Fuzzy Hash: DE015A71E002088FDB50DF78D8517AEBBF9EB48790F24467AD604E2290E7345D42CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD4798, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0625a38a68753d1535fd3f079727eaa182a2ec09cad0a9725a8edd3668c792
Instruction ID: 4d568b5131902b8cbc425e6dbd2f4d081b0a53339c04c9bfcfa644922f8e6a79
Opcode Fuzzy Hash: 4e0625a38a68753d1535fd3f079727eaa182a2ec09cad0a9725a8edd3668c792
Instruction Fuzzy Hash: E1012831F002098FCB54EFBDC4546AEBAE6EB89350F20443AC509E7280EA358A4687E5

Uniqueness

Uniqueness Score: -1.00%

Function 02FD05C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2004473fd8b6bbcdd376015f53a7ee81bfcbf404356bddae9a93996734f955e2
Instruction ID: 62f14fecc754c6c6b9175e84572ee14417ae5f4d66a65f5f1e66af29b77dd6fc
Opcode Fuzzy Hash: 2004473fd8b6bbcdd376015f53a7ee81bfcbf404356bddae9a93996734f955e2
Instruction Fuzzy Hash: 59F0B46271012147CA487A7D941177F66CF9BD9A91B98412ED206DF384DEB48C0343D6

Uniqueness

Uniqueness Score: -1.00%

Function 02FDAAA0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a716474846c1c322d25db31527a64f51ec3715d31b406b6e40f031cad975e4
Instruction ID: 837351cdc6b42358b3095fa0dafc79fa74d0d4444653483a5b0e408ec9782faf
Opcode Fuzzy Hash: 17a716474846c1c322d25db31527a64f51ec3715d31b406b6e40f031cad975e4
Instruction Fuzzy Hash: AC017170E002048FCB50DFB4D94676ABBF6EB44750F14916ADB04E3641EB345911CFD6

Uniqueness

Uniqueness Score: -1.00%

Function 02FDAC20, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259dcf8af44a2f6b5a08c5cc220900ba86d9c229585bd6becc1fadf621f2ea7d
Instruction ID: 12d53d22122916a0a223b0a55a2fb01c2e9e47368798b361752bcbd812ae770a
Opcode Fuzzy Hash: 259dcf8af44a2f6b5a08c5cc220900ba86d9c229585bd6becc1fadf621f2ea7d
Instruction Fuzzy Hash: F401DF32304240CFC705AB38D8255697FA6EB8936171885B9DA0BCB261EF71DC02C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 030605CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595781312.0000000003060000.00000040.00000040.sdmp, Offset: 03060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c5b7fb42b6b5c1f814bfe6226c88de872c8ffbe9b6e86dd447231b22077fd8
Instruction ID: ed7ca01c6670eb116c90988df6149b1340bda3b2522f2ed28b3a0da3b12a9469
Opcode Fuzzy Hash: d6c5b7fb42b6b5c1f814bfe6226c88de872c8ffbe9b6e86dd447231b22077fd8
Instruction Fuzzy Hash: 0701D6765097846FD7128F1AAC41862FFA8DF86620719C09FED498B612D125A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02FD1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0085e02797579f07b5d83a08cbf07d68a0683fea5529fe4e578b056907886b3
Instruction ID: cd893183db8ab4fd5e7ea6d746b577d64f9a44d16a47f4c1904f638ef7961356
Opcode Fuzzy Hash: f0085e02797579f07b5d83a08cbf07d68a0683fea5529fe4e578b056907886b3
Instruction Fuzzy Hash: 0D011231314010CBC7049B2CD054A6B77EBBFD9751B2841AAE60ACB765CF769C09CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5CD1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f456f14899ab0991cdc5bb0d12e0e95ec2e368932d0417a6356a6b5e43894f
Instruction ID: 363ce3e5bd2e8eea9eeb29c36bf476aba33732a76b57a446b53e5021c1c19a43
Opcode Fuzzy Hash: 85f456f14899ab0991cdc5bb0d12e0e95ec2e368932d0417a6356a6b5e43894f
Instruction Fuzzy Hash: D101AD72E042149FCF41EF78840429EBBF6EF89314F69016AD409E3241EB308A11CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 02FDAA19, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e69e39cf1ad0cf18ff2b862a64e9ba6d4030f84b97697008c79bda7554b172
Instruction ID: 95bf0182f44d4cfe832d2b40da5bd4637c10284ae18b17864093c48bac51990a
Opcode Fuzzy Hash: 00e69e39cf1ad0cf18ff2b862a64e9ba6d4030f84b97697008c79bda7554b172
Instruction Fuzzy Hash: 57F0D130F00269DBCF00EBB4D981AAEB766FB88740F246665D6009B284DFB49D0187E4

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE427, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3fc2cfc1689d63d8ea21e7b9c030cd4bb8c3ed0563dd6a542db5b182334a73
Instruction ID: 4f7133606e92a2a1ff2a484da60a55afc1540db777197b88a7a08f951ea2afb2
Opcode Fuzzy Hash: dd3fc2cfc1689d63d8ea21e7b9c030cd4bb8c3ed0563dd6a542db5b182334a73
Instruction Fuzzy Hash: 0BF0E9ABB092505BE73205645A883E16B579B4F2E5F0D42B6EA4ACF142D5945C09C3B2

Uniqueness

Uniqueness Score: -1.00%

Function 02FD6C81, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617c7cf656b319ab90d3ca233edb54e03aa65eb31dfe80da322ab5c0d92e7b77
Instruction ID: 79d154834a14d5bd2ef6c6fa8c6ee3640d21ef9a025f717b84c67ad7c1db8624
Opcode Fuzzy Hash: 617c7cf656b319ab90d3ca233edb54e03aa65eb31dfe80da322ab5c0d92e7b77
Instruction Fuzzy Hash: DAF0A433A4C3888EDB52C764F4547E47BAEEB813AAF1806ABC645CA091C3794849C791

Uniqueness

Uniqueness Score: -1.00%

Function 02FDAC30, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055b2275d0fc1c01d29caccd3c790107bcbeaea243a638a62419cb4be743c0bd
Instruction ID: 0abbf61fcd76ecb7ac5a5f725f31100af659e33756331da269ba38b47f72639f
Opcode Fuzzy Hash: 055b2275d0fc1c01d29caccd3c790107bcbeaea243a638a62419cb4be743c0bd
Instruction Fuzzy Hash: 75F0AF32300200CBC704AB78D4155297FABEBC83617188979EA0BC7360EF71AC02C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5D5F, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea5f285e4adb44ecd722cf5e3cf252968928062127e4459dd64b9654aa3a5bd
Instruction ID: c8970ef128cf0e8749149c4f3fbb715c9ae47e1a4f972da4572cf35ab63ddc90
Opcode Fuzzy Hash: 1ea5f285e4adb44ecd722cf5e3cf252968928062127e4459dd64b9654aa3a5bd
Instruction Fuzzy Hash: EAF02B216083948FCB716BBC94183697BD71F82684B5D40AFD597DB243EA318C01C775

Uniqueness

Uniqueness Score: -1.00%

Function 02FD6620, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01fcafd39f6dbb7dced2d95917213746a229cccc8f89e4047270d0fb12f5c28
Instruction ID: 9de078201c2a19a4842c4e2ce77904dade552f90034740b190a960b2eb311229
Opcode Fuzzy Hash: d01fcafd39f6dbb7dced2d95917213746a229cccc8f89e4047270d0fb12f5c28
Instruction Fuzzy Hash: 11F0E936B04115978B105278B8206BF77EF97857D4F084077CB06D7680EE345E05CAD6

Uniqueness

Uniqueness Score: -1.00%

Function 02FD6611, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3d3f9a86ddf37d3f69238b5db59255fe693d00bf1ae25ce749a85a88f40b96
Instruction ID: b8de207b5fb617705707466b207116f2ba8f9673f70affd2abcaa5f0d27762eb
Opcode Fuzzy Hash: 1c3d3f9a86ddf37d3f69238b5db59255fe693d00bf1ae25ce749a85a88f40b96
Instruction Fuzzy Hash: 10F0C235F003049BCB509A28A8106FEB7AAEB857A0F0441ABCA06D7281EA355D05CEC1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD84F8, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c50f9a722e152fcc2506bf7a57769b0945d6ae9a73d6b645cf15e31a15e12682
Instruction ID: 05aaa10ea5eb61b598e7aee9d0f710acbeeb1bd46fb623e1bc66d7c95956d037
Opcode Fuzzy Hash: c50f9a722e152fcc2506bf7a57769b0945d6ae9a73d6b645cf15e31a15e12682
Instruction Fuzzy Hash: A1F06D32B08245DFCB51DB64D844AEEBBF3AF812E071845A6D602D7361E6318806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02FD61EC, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6e94ae8a0e5ec91648ace871a977167b9485c117b7ad8653dca090c84b90e7
Instruction ID: 02753f309363758d2c37f59c3e8589981d6949b189a41fd06b82453863917ae9
Opcode Fuzzy Hash: 3d6e94ae8a0e5ec91648ace871a977167b9485c117b7ad8653dca090c84b90e7
Instruction Fuzzy Hash: 43F0B432B012089BCF509678A8207BEB7FBD7887A1F04017ACE06D3241EB356E02C6C1

Uniqueness

Uniqueness Score: -1.00%

Function 02FDC8CA, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e330bab7474ba6a97e148554ce71f8f7a035d5aec308b41c96cf7acf515ede2d
Instruction ID: ecc6dd1ea39d8bb6cd6dc9ea170f764593f64cd784e4af06bd6582d5d895c540
Opcode Fuzzy Hash: e330bab7474ba6a97e148554ce71f8f7a035d5aec308b41c96cf7acf515ede2d
Instruction Fuzzy Hash: CFF0EC727091A42B835A227D5C2473F7EDB8BC66A035D426BF645D7781CE159C02C3FA

Uniqueness

Uniqueness Score: -1.00%

Function 02FDA1F1, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2157b015b6372236f3cebd0ff515e020b357b7208a1650630e64f625b372a1
Instruction ID: 946f9f9113fbd4bd40ce2ea03ef6c356307d652f40dc27032c75e2c512ad05ca
Opcode Fuzzy Hash: 1e2157b015b6372236f3cebd0ff515e020b357b7208a1650630e64f625b372a1
Instruction Fuzzy Hash: 78F0283270C380CFC3169774A8241283FB39BC222635C85AED14ACB2A1DE3E9C4BC756

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE3A9, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb47f84652859905586d9b5eedf2d14cba3034f0caf2dfa68d9b244b75bd6667
Instruction ID: 7e1860a7a20902e335ff59ba8253b69a2f976074bcbdcbde6bfeb0ffa16c00bb
Opcode Fuzzy Hash: bb47f84652859905586d9b5eedf2d14cba3034f0caf2dfa68d9b244b75bd6667
Instruction Fuzzy Hash: 2EF0A0323156659FC6218668C8608FB7FA6DEC2294358466BD60ACF745EE329C0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD55D9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2109c4d022e9142a731c47a9db022d5fbe1f394d7070ae04c87e320c94e4643a
Instruction ID: c05b02ee8f261a86b02663a82d77a3dbee997a30a57684f2bade69d9638c3c9e
Opcode Fuzzy Hash: 2109c4d022e9142a731c47a9db022d5fbe1f394d7070ae04c87e320c94e4643a
Instruction Fuzzy Hash: CFF0A032E116089BCB954A78D8415FEFBB6EB85360F08427BDA04D3250FA316C228A90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD45B9, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b5bf5151d8551db14c36e392e05e6acbe697fd3f7e73585c0d9dfc98486403d
Instruction ID: f66dcd014b339b2a09943eb48a3bfe08a96700c9a2d051d286a2fedfce1d1fb6
Opcode Fuzzy Hash: 1b5bf5151d8551db14c36e392e05e6acbe697fd3f7e73585c0d9dfc98486403d
Instruction Fuzzy Hash: 97F08231E403199FCB50DEB89C06ABAFBF8EB89760F15417ED608D7151E2345D158BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5CE0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3216ccc91b32d87066bf96bc6c785dcbff84c673d2cf1c00894e0886319b3309
Instruction ID: d80a4dd4865ace6b2333418c7c82c6a80d07587f39946b6d0e12c79a201ded8f
Opcode Fuzzy Hash: 3216ccc91b32d87066bf96bc6c785dcbff84c673d2cf1c00894e0886319b3309
Instruction Fuzzy Hash: 2BF08271E001145F8B80EBBD581069FBFFAAB88760B55013AD509E3341EA30990187E9

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934a52990642dc021681f4f47b5294ac31d10c399a599b528b65c6280e3f9b79
Instruction ID: 889f3b4c7c1e144f49ec62eecc192fd7f141d94e696244f3a4b6839bf1744ded
Opcode Fuzzy Hash: 934a52990642dc021681f4f47b5294ac31d10c399a599b528b65c6280e3f9b79
Instruction Fuzzy Hash: 73E0E533F152189A9B1069F8D8245AFBBAB97D53E0F08452F9B07A3300DD708801C2D2

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0908, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba967a404899c95884befa8643e45f03cc3e45f83b0963df7cce6d686fac9a3e
Instruction ID: 61a150593d9015b43b2cd5d1fcb84137cd9bdc8ab41006e1e557490eae5bf717
Opcode Fuzzy Hash: ba967a404899c95884befa8643e45f03cc3e45f83b0963df7cce6d686fac9a3e
Instruction Fuzzy Hash: 20F0E231E193488FD750AAB4C4245AF7FB75B92380F09415FAA0397341DD748C01C752

Uniqueness

Uniqueness Score: -1.00%

Function 02FD4700, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 088db934a40e24821d7a7c7a275d60c42a5c055c4a392a11c921b5dcddf42917
Instruction ID: 269527460412596b55a490520dab593059ab4d1e8729b64878cb3ca463f8483b
Opcode Fuzzy Hash: 088db934a40e24821d7a7c7a275d60c42a5c055c4a392a11c921b5dcddf42917
Instruction Fuzzy Hash: A1E022337083988FC7221164A8143B937BB9BC76A0F2D00BFD712C7652D53A4C428750

Uniqueness

Uniqueness Score: -1.00%

Function 03060938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595781312.0000000003060000.00000040.00000040.sdmp, Offset: 03060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 274d08dea6be63531d05fa078d90f9e05a9edc1e9fb9b0c0f6797d38bb4add20
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: E8F01D35148644DFC305DF00D540B25FBE6EB89718F24CAADE9890B756C337D813DA91

Uniqueness

Uniqueness Score: -1.00%

Function 02FDA208, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4817cd32eb8ae9752226042ff37035a0c125c3ea252e4171f01fdb8396de2a
Instruction ID: b3220115b6f2427f580f6601548c75ed7e6f5a112f4aeb6e20c34ac641d34a20
Opcode Fuzzy Hash: af4817cd32eb8ae9752226042ff37035a0c125c3ea252e4171f01fdb8396de2a
Instruction Fuzzy Hash: 43F0A032314200DB8758A66DF41056D7FB7EBC52663A8C93DE20ADB344CE7AAC4A8795

Uniqueness

Uniqueness Score: -1.00%

Function 02FDB1E0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1289e9ddaf31dbbb4d6c45eaf8b090c73ec18c300ab5aed834517e53d03aecc4
Instruction ID: da3727a895bd7c11d1e56572887302da0c9b604bdae2227671dcb1df57962c0f
Opcode Fuzzy Hash: 1289e9ddaf31dbbb4d6c45eaf8b090c73ec18c300ab5aed834517e53d03aecc4
Instruction Fuzzy Hash: 1CE0E576605B844FC322CF69E800123FBF6FBD022A7098B7FD2A883541C77099098BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02FDCBFE, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ebcafb1ceae1e0a64cbef40ecd43d5e3e3aa038d28dc273a11728d0e450f565
Instruction ID: 57eb3e083851c265455970c0f53a97861461bb71bbc7af4e0d16dfb692104ddf
Opcode Fuzzy Hash: 8ebcafb1ceae1e0a64cbef40ecd43d5e3e3aa038d28dc273a11728d0e450f565
Instruction Fuzzy Hash: BFE022337080C18F871B923D802057EB7A79EDA2A531D88DBC306CF231CD518C05C322

Uniqueness

Uniqueness Score: -1.00%

Function 02FD57A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda12dbd13a34c76e8fbb6586088dc572d90483695c8958fb36eada4fecd0f30
Instruction ID: 3a70c0da21f3ebc7541f5b8135fe6df33de9deb80223ba9411a8d329cfeed521
Opcode Fuzzy Hash: fda12dbd13a34c76e8fbb6586088dc572d90483695c8958fb36eada4fecd0f30
Instruction Fuzzy Hash: DDF03031B44108CBDB54A7B9F8107BD77639F84298FB48266D7069B1C0EF244D01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02FDAB5F, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea72aec40ba7800e7bf06b966dd35de2b448b06f9276a4967c3c03593e742dd3
Instruction ID: cd5d0cf6717e3f0aeb8e6a04bcc39fa23718b136eab76badce0ba6d1e18b9e81
Opcode Fuzzy Hash: ea72aec40ba7800e7bf06b966dd35de2b448b06f9276a4967c3c03593e742dd3
Instruction Fuzzy Hash: 45E02B353043408FC74117B4C11D1587FF79F8965030940ABD607CB762DD344D038712

Uniqueness

Uniqueness Score: -1.00%

Function 02FD74F7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9384c8837eadf753c6fec4a1b9928c5c28579eee38862c23668e5b750e0a692
Instruction ID: 55dd67f1f3f5b5aeaa66b32f062f6a27d76465942320101a895836844e57439b
Opcode Fuzzy Hash: a9384c8837eadf753c6fec4a1b9928c5c28579eee38862c23668e5b750e0a692
Instruction Fuzzy Hash: ADE06D35F012604BCE14F3B9A8243AEB6839FC0A54F880038CA06CF7C5EE208D018BD2

Uniqueness

Uniqueness Score: -1.00%

Function 02FDBE38, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1feac030f0bf5c845064a4447e15cfd6ced65f73404a0ef8650cdbc3b3aed998
Instruction ID: 6748623745ab66769711a35b7e77586d9c0ed99ec00413cf6911a75860fc4979
Opcode Fuzzy Hash: 1feac030f0bf5c845064a4447e15cfd6ced65f73404a0ef8650cdbc3b3aed998
Instruction Fuzzy Hash: 7CF03A36604B40CFC325CF69D580906F7F6AF85620306CA9AD2EAD7A61C730F9088B51

Uniqueness

Uniqueness Score: -1.00%

Function 030605F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595781312.0000000003060000.00000040.00000040.sdmp, Offset: 03060000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f91c1b3dc787872e93fd6f57e5184f1699c8e7b0c9190addd7901b3a675824
Instruction ID: 78c429d91be91d6db782d9898106e173120e1d2f4ccf484358b5c96919dfe781
Opcode Fuzzy Hash: 05f91c1b3dc787872e93fd6f57e5184f1699c8e7b0c9190addd7901b3a675824
Instruction Fuzzy Hash: 94E06D76A006048B9650DF0AEC41452F798EB88630B18C06FDD0D8B711E13AB5158EA5

Uniqueness

Uniqueness Score: -1.00%

Function 02FD46B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6e3b73dbd9d5e9b46e23e400d1dae7f9ccc68e56c980c35a274fd6734fcb00
Instruction ID: 51003240548533c5de2641501bae9e6c00ef6f2d9126e7b9693b289df9f7c4ec
Opcode Fuzzy Hash: 4d6e3b73dbd9d5e9b46e23e400d1dae7f9ccc68e56c980c35a274fd6734fcb00
Instruction Fuzzy Hash: D2E08C3670002497CA106AFCF0282AE7BCAAF80691B180066F20BCB694DE26CC0187C6

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE3B8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54b731cc8e3602774466db80a57e3ad4ecd43e9cccb4dd4b8636cd512beeee0
Instruction ID: 0d28ec17890d15fe45cfc53676e4a81ec72b3760e481a0fe0679d80c39ec3665
Opcode Fuzzy Hash: c54b731cc8e3602774466db80a57e3ad4ecd43e9cccb4dd4b8636cd512beeee0
Instruction Fuzzy Hash: 99E04F323506219B8624965DD4209BF7FEADBC56A4358892ED61A9F304EF72EC0287D0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD87A8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644684c95aaa626ce7ee274f6b8634e2c9e7905b85e56833a653f7e9f68d1cee
Instruction ID: 80e2c6cb1f6d5a38d18200267326000aba94141d25ef5c4721867866c56bb75e
Opcode Fuzzy Hash: 644684c95aaa626ce7ee274f6b8634e2c9e7905b85e56833a653f7e9f68d1cee
Instruction Fuzzy Hash: CDE09236F001258787605AACA4186387FEFEB8C7E1B24416FEE06D3344DE758C018BD5

Uniqueness

Uniqueness Score: -1.00%

Function 02FD8799, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92b9bb38819eb87569b394cff06c6ceb35654528554b1c1e61d86b0a472f0928
Instruction ID: 6851f25d45b3bdfabd74f7fd76da905e722eb082dfe2ebf6ccd9aed8bcf86bf0
Opcode Fuzzy Hash: 92b9bb38819eb87569b394cff06c6ceb35654528554b1c1e61d86b0a472f0928
Instruction Fuzzy Hash: E2E06539E052958BC7610AB469181247FE7E74D7F171802AFEA42D3291D6784C02CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02FDCC49, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baafda1360e38d6dde47a67def696b2311bfe1ad8a7057b109f36da9deb8209b
Instruction ID: f60e416bfdc287beff339279f588f65758c48c748d0f2b904641c55b7c26b40c
Opcode Fuzzy Hash: baafda1360e38d6dde47a67def696b2311bfe1ad8a7057b109f36da9deb8209b
Instruction Fuzzy Hash: 3CE02231704281AFC315DB18C490932BBB6EFCA264308C9EBE50A8BA52CA30AC02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02FD65C0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403c7435593446d35167a29af73959bf43f0e784eb52cdd20623197c5822b5a3
Instruction ID: 409a1ab7408bfd80152273df29b18bcbe1c07bc406bb0dc0e7bd96174986fa5c
Opcode Fuzzy Hash: 403c7435593446d35167a29af73959bf43f0e784eb52cdd20623197c5822b5a3
Instruction Fuzzy Hash: B2E0D132648305CBDF105A94B0047E533DDA740290F04016ADB05C6354D7A7CC51C795

Uniqueness

Uniqueness Score: -1.00%

Function 02FDCC10, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e95a9cd34c77d9276e59239ae722206e22805253a762535cebba12d17f82424
Instruction ID: 88b3418db8a38f7c34b75f281674e891a2099cf36bd6e2165b0bcd4ed232a1c7
Opcode Fuzzy Hash: 4e95a9cd34c77d9276e59239ae722206e22805253a762535cebba12d17f82424
Instruction Fuzzy Hash: 88E05B33718095D74629655F901097E72CF9BD56F631D446BD307CB370DD529C11C3A6

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE3F8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46b81f8b86f7fac7834f8cfc64a9efdd527c7af71558358a07643ffcc6b81cb6
Instruction ID: 25b0cd894459abb871f2cf3733e267479ddd4d0802c642dfefb4f261e681a983
Opcode Fuzzy Hash: 46b81f8b86f7fac7834f8cfc64a9efdd527c7af71558358a07643ffcc6b81cb6
Instruction Fuzzy Hash: AFE02633209284CFC7114B10A4504F37B32E94B2C93094AABE04A8F801C3267C00C751

Uniqueness

Uniqueness Score: -1.00%

Function 02FD65D0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c0b69b5e3e7fd11560b5137c63ef79c34f91bc28fcfc3307e06104480ca6cb
Instruction ID: e6c5bf3f4fa09016fa41f5bdc58ea29aa1fb1894be4dcd174db5da78f2b2fa34
Opcode Fuzzy Hash: 06c0b69b5e3e7fd11560b5137c63ef79c34f91bc28fcfc3307e06104480ca6cb
Instruction Fuzzy Hash: 71D0123270C155C7EA10269975087A536CE67855D5B480166EB06C6345DE96CC8087DA

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0170, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1251d16d46d1d5b3218893a7098f6db0f013a5771b333544e04afedb971920f2
Instruction ID: 340e2354396d85cbbe882abda9857fb82ad1be09dffd3a8802a2cb3411140f8e
Opcode Fuzzy Hash: 1251d16d46d1d5b3218893a7098f6db0f013a5771b333544e04afedb971920f2
Instruction Fuzzy Hash: 78E0C230249300CFCB669BB0E41D0687BB1EF462107000ABEC806CBA61EA7A8C41CF00

Uniqueness

Uniqueness Score: -1.00%

Function 02FD2D20, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9629a9a39fe6b39d46d169f5a9ac3cd3cc5f434d763961b5dd43bb1745672d
Instruction ID: ff8dd5c2e52ebcdf38b4dc0c9637c7aad787a759a9bc1e244692e41d8cb9bd14
Opcode Fuzzy Hash: 2d9629a9a39fe6b39d46d169f5a9ac3cd3cc5f434d763961b5dd43bb1745672d
Instruction Fuzzy Hash: E8D05E3128E349DFD7950AA498167B0BFB1AB1B761F0D06A3DA4B8D4A7C1652843CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02FD02A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776120d1dfda639de9d76d4c5538e1fca33b265d78be1c1dadb911f35cef212b
Instruction ID: 8df7e1489c6b9045a334b8d3dca3e9b6e420473700c12042837e2eacb0116f8b
Opcode Fuzzy Hash: 776120d1dfda639de9d76d4c5538e1fca33b265d78be1c1dadb911f35cef212b
Instruction Fuzzy Hash: D2E0C23560AB44CFC3618B64E829499BBF1FF91710748885EC4868AD44CB24AC01C700

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7690, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89999a2ff3adc86fe75e006d68c80d3f80a83eb59bf06488901bb692bf2597ca
Instruction ID: 0deb62e74c5fc7a3240ec013468de05e6c0e21234fd46457e847d292a7a2a814
Opcode Fuzzy Hash: 89999a2ff3adc86fe75e006d68c80d3f80a83eb59bf06488901bb692bf2597ca
Instruction Fuzzy Hash: DCD0C2372093509BC3357A6C9400662FAAB5B42388F0C046FC2460DA00E662E084CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 02FD57F6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca1eaa23af275e45073b7f9104a5c1d73d70b0c8feeb3c23133866d0ff6da82
Instruction ID: f446babf345ac2276c8e14ec7d4961579723311cb2c7a1adfcb7f78e70439eda
Opcode Fuzzy Hash: fca1eaa23af275e45073b7f9104a5c1d73d70b0c8feeb3c23133866d0ff6da82
Instruction Fuzzy Hash: 44D01232F44104CBCF04A7E8E9155ECBBB29B841697985076C7079A541DF2008459BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02FDEF18, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7193d854b7a8f5aa25cf784424b5e0247b963ad3e508b5a692b59f1c6640f61e
Instruction ID: dd21b2ba9a7f9b8914b251b40983cb99c81660e7f214fe07b251d40410556935
Opcode Fuzzy Hash: 7193d854b7a8f5aa25cf784424b5e0247b963ad3e508b5a692b59f1c6640f61e
Instruction Fuzzy Hash: 80D0A7313541345B9904E6BCC8118BA73CFDFD5514349845FA509DB381CD62DC0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 02FD064F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b92c9dbda20df4320c9e07ad88cd4e708145fa184df052ede394a216afcb5aa5
Instruction ID: afa00e1ec263364e985c42f4d16dd4b9610969c0665b3260ed8f5cd1dc658af2
Opcode Fuzzy Hash: b92c9dbda20df4320c9e07ad88cd4e708145fa184df052ede394a216afcb5aa5
Instruction Fuzzy Hash: F1D0A773989350CFC3954A70681A0F57BE1DFE3356B1484FBC50186822EA7A4A53CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02FD46A9, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a5aacd22c36cec5190074345caed5706b93fa7d42b1927b326b690ba788c678
Instruction ID: d9292f2e7100022d0b636f5a0b2477d6643a55819875c52ec452fafa5a8eba36
Opcode Fuzzy Hash: 9a5aacd22c36cec5190074345caed5706b93fa7d42b1927b326b690ba788c678
Instruction Fuzzy Hash: 9AD0A7319443504FC7A24B70B4142E97BB89F42360B0541AFF805DA476D21D9C428B51

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5DF8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6ad91e6869b1fa3bcc4bc92032af84295850080ce26c4b8e6f21bfb4f23670
Instruction ID: 9115a05bb0ad21a49d5dfbb12e4a6cf2b5d022de1e149a9bc4ced5d9e1af8613
Opcode Fuzzy Hash: 4a6ad91e6869b1fa3bcc4bc92032af84295850080ce26c4b8e6f21bfb4f23670
Instruction Fuzzy Hash: 46C08C33B29124578E1871FE586447F31CF0AC49B23C8093BA60B8B341EC518C1047D1

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE408, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd099ccb569460875225af98deb6dc3a443c0889931b99a4189bcac797f8f1a2
Instruction ID: a6a52a5396fa1f83eb7081336fd717281aec7a4eda614493118684f010fc691c
Opcode Fuzzy Hash: cd099ccb569460875225af98deb6dc3a443c0889931b99a4189bcac797f8f1a2
Instruction Fuzzy Hash: F4D0A937208200CB86248A00E2004A2777AAA0A2AA308882AD20B0FA008B62B800CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7140, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: 3d6935662212bbd9b083b089072e0251e26cae19e86cbe487b361af84ddfe51e
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: 87D0423AA000048FD705DB88D5949D9F7F2EB88325F28C1A6D919AB251C732ED56CA50

Uniqueness

Uniqueness Score: -1.00%

Function 02FD9350, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ee85fe97feebacdbade0e90a92223d304206a9d31b79f2656f9b2e0bcc2f57
Instruction ID: 9f434c48ab7d9ab8d23d6e4d4a04c132f5ccf7d45053ac599b175a19b78e73d9
Opcode Fuzzy Hash: e5ee85fe97feebacdbade0e90a92223d304206a9d31b79f2656f9b2e0bcc2f57
Instruction Fuzzy Hash: F6D0A72114C7C8BBD7120BD04C397903F295709304F0588C3F54D8A8C3C6F98108C311

Uniqueness

Uniqueness Score: -1.00%

Function 02FDE9ED, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e628efa77ec32c30506c6be7a9022a231aca1e4a00a33ed3072c8a0bdb815c
Instruction ID: 895b44eb3dc2157e0ab99277ec787e965b4d4a9ac989b6b563eb55f82ffab41f
Opcode Fuzzy Hash: 49e628efa77ec32c30506c6be7a9022a231aca1e4a00a33ed3072c8a0bdb815c
Instruction Fuzzy Hash: B3C01273E80111C28B2565A46B051E87766990569A74804BADA0996504E621D725D7C1

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7E06, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b439c83e227b35e67660f7252838d60c5c8202e92e6ec7297a61604762859238
Instruction ID: 860f8323b07b986bc5ac683b39ba6bb604c71d712d5b38312fe02129aa38aece
Opcode Fuzzy Hash: b439c83e227b35e67660f7252838d60c5c8202e92e6ec7297a61604762859238
Instruction Fuzzy Hash: FDD05E34A00109CF8B119F71D92809DB7F1EB09290724132AD602AF380E3345C00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5478, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe30f014127aadd83cfe00127481f5e27483ab276e254e98bdcbe48c4afcec9
Instruction ID: f76221e5f79638fd3aecf8f9b5d8f21484cdc3d219d0aaa46accbe2119e30b14
Opcode Fuzzy Hash: efe30f014127aadd83cfe00127481f5e27483ab276e254e98bdcbe48c4afcec9
Instruction Fuzzy Hash: 66D012315042448BD73017A87A2D76E3FE9E70238BF8C40D9D246A8419DB706550DF53

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41eb3e3584ab7a31effed1e9077e87c5afb8a2a0275cf4e630bc6042834dc35
Instruction ID: 369e459d90c787b3f007caab1a13089746c31d344184767d3b1ec73436744a45
Opcode Fuzzy Hash: d41eb3e3584ab7a31effed1e9077e87c5afb8a2a0275cf4e630bc6042834dc35
Instruction Fuzzy Hash: 2AD01230200304CFCF282BB0F02C52833AAAB88346B10087CD9068B744EF3BE880CB44

Uniqueness

Uniqueness Score: -1.00%

Function 02FDC9D9, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d251fe4a3273b3e92454f6c1e36c8e269b124b03857ca705e4cea4a2fdb488b
Instruction ID: 9d5845a6fe3bd052d4b1212ed38f63dd81db338a92c3e708a23cc8df910e9237
Opcode Fuzzy Hash: 9d251fe4a3273b3e92454f6c1e36c8e269b124b03857ca705e4cea4a2fdb488b
Instruction Fuzzy Hash: 13D0123402E7C88FEF234B3044690507F30DE4324D30849CBE4849AA63C0649800D722

Uniqueness

Uniqueness Score: -1.00%

Function 02FD5D70, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c754664fd373ca40f1a52fa7ab2760fb72bb21af0fdbf30009a08db7ca8f090
Instruction ID: df123787f4b1eca1b12d5d67ff931aa8658ef172bd8b6ebfe288a65f4b6ccca7
Opcode Fuzzy Hash: 5c754664fd373ca40f1a52fa7ab2760fb72bb21af0fdbf30009a08db7ca8f090
Instruction Fuzzy Hash: C6C04C21608A068FDE6427B5791D62E7BA95A405853C40155E60B8E114EF24940086A5

Uniqueness

Uniqueness Score: -1.00%

Function 02FD2D30, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114aa4c9f5c1ff1cac4171e46700588a172b69de25d00673a2ccf107d5b9c768
Instruction ID: 235215a2f53ceadbac0e3e6ebd1597967153f7f00fbce28439e519438b91684e
Opcode Fuzzy Hash: 114aa4c9f5c1ff1cac4171e46700588a172b69de25d00673a2ccf107d5b9c768
Instruction Fuzzy Hash: 96C0923738C608E6E9A42184BC5EF74B25A970CB86E1C0803AF0F1C0AB1581A111C1D6

Uniqueness

Uniqueness Score: -1.00%

Function 02FD0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33f9c7bbf77f8e5cd2d125e6372c2fcf815c71020555a64eacbc0714a1ac6f8
Instruction ID: 2803f29a8fb9fb6523280d50af7815e5ac4e61482c37fda24e83c23dda442a69
Opcode Fuzzy Hash: c33f9c7bbf77f8e5cd2d125e6372c2fcf815c71020555a64eacbc0714a1ac6f8
Instruction Fuzzy Hash: DDC02B36145324CEC21416703808439720BD6C2303B44C439D701040208D32D471CE51

Uniqueness

Uniqueness Score: -1.00%

Function 02FD2EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb02ae6a4082bbbb243dec1641d2cd6657f5492c96e91643864a8ba37557674
Instruction ID: 39dcd769b20e1fc2bbe30b3bac56ef72770976fa5dc2184c01636bc77c242469
Opcode Fuzzy Hash: 2cb02ae6a4082bbbb243dec1641d2cd6657f5492c96e91643864a8ba37557674
Instruction Fuzzy Hash: AEB012302042080B1B6057B1380CB5233CC458044934400659D0CCA001FA10D0D02280

Uniqueness

Uniqueness Score: -1.00%

Function 02FDD3B0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9587688fde903dcaa8db053e33bf8e5630e83928ade7337da4d7981c8669f1
Instruction ID: 6f63a3ae43b1863c0f217bd4f77e33832abbecec9ee9548593b932ee2469aa18
Opcode Fuzzy Hash: da9587688fde903dcaa8db053e33bf8e5630e83928ade7337da4d7981c8669f1
Instruction Fuzzy Hash: 73B09232209308D78254A719E85A96D3B6EF9062D17942225EB0245188DFA93D06C7E6

Uniqueness

Uniqueness Score: -1.00%

Function 02FD9373, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b25fa2148b64b5e76a913697697ad48158f40487698c991fe9acff19cf4807f
Instruction ID: ba7d4bb19b7bb4f3f649f1c8b2c5f6b4f8064f7e8111fa8ec433bda8f56adab0
Opcode Fuzzy Hash: 5b25fa2148b64b5e76a913697697ad48158f40487698c991fe9acff19cf4807f
Instruction Fuzzy Hash: 5EB01233388300F3F52001D02C1AB30391E6304781F084401B31F174C009D1A000C502

Uniqueness

Uniqueness Score: -1.00%

Function 02FDEF60, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a6aeff7640a6ea240c5d91a88deac214d581a925300d6f84af363de2a6168e
Instruction ID: ceb935e8786a25dd4174d0d33d64c24078d7c176f89b0d2af5e68bbb7dc3883b
Opcode Fuzzy Hash: b5a6aeff7640a6ea240c5d91a88deac214d581a925300d6f84af363de2a6168e
Instruction Fuzzy Hash: A3B0122154170C47CD9033F0B40C11CB38E1D8055078404115A0E47200BE74A4004A55

Uniqueness

Uniqueness Score: -1.00%

Function 02FD7164, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction ID: 57322035b813c03954d9e2899f9a7b1fa54a027f41bbf51fde11b38313ef6222
Opcode Fuzzy Hash: 9331830965d72d12fcbefa973c87c0cf332396a92bd300e1243d284f656f33ac
Instruction Fuzzy Hash: 41B092B7A44008C9EB009A84B4413EDFB30E790365F104123C31056140D2320168C691

Uniqueness

Uniqueness Score: -1.00%

Function 02FD65A1, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db038227e0bcbebd3d61088835007a45ad2c5c2c9aa45273680e9573e0dcc93
Instruction ID: 15cba10080b4a6905fe6b11b9a85ca5035fb9b8e2929ce718c93187e663d3f6b
Opcode Fuzzy Hash: 6db038227e0bcbebd3d61088835007a45ad2c5c2c9aa45273680e9573e0dcc93
Instruction Fuzzy Hash: 06C09B7500838455DB01DB24940D7853ED55F5130CFDD40DD989549A42D1BA9305C604

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02FD0D93, Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

,:kr, xrefs: 02FD0E38
0jr, xrefs: 02FD0F8E
:@Dr, xrefs: 02FD10CB
X1kr, xrefs: 02FD0F1C

Memory Dump Source

Source File: 00000007.00000002.595675714.0000000002FD0000.00000040.00000001.sdmp, Offset: 02FD0000, based on PE: false

Similarity

API ID:
String ID: ,:kr$0jr$:@Dr$X1kr
API String ID: 0-1245831938
Opcode ID: da16ce9ea55ebfd924b144daf0c5b49aa0f354352815f15f5c546cc8a42ef078
Instruction ID: 960c1c158976a5df1ec54e6d2510dab03fb3e42c08e1a78326674ccf99907df3
Opcode Fuzzy Hash: da16ce9ea55ebfd924b144daf0c5b49aa0f354352815f15f5c546cc8a42ef078
Instruction Fuzzy Hash: F8B1C570A04344CFD3A4DF788160B6BBBE6FB98744F60692EE6498B394DF759841CB42

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 2296 Parent PID: 936 RegSvcs.exeCOMMON

Executed Functions

Function 02DB05CF, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.343097310.0000000002DB0000.00000040.00000040.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055200fbdbe0977cfa8a8130a1badace6ac6519385063ebb33a0d69ed7260ee0
Instruction ID: 6bd1ed17d5ddbec7408716f9dadbd539eaa61a2efdf405b2ed1aa3b8fab7114e
Opcode Fuzzy Hash: 055200fbdbe0977cfa8a8130a1badace6ac6519385063ebb33a0d69ed7260ee0
Instruction Fuzzy Hash: 1801DB715093805FD7128F16EC50862FFF8DE86630709C4DFED49CB612D225A905CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02DB05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.343097310.0000000002DB0000.00000040.00000040.sdmp, Offset: 02DB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93429f3791748a691ab87ad84ab7cdfca9bce5f5568799de79e0b8ab4cbb26c
Instruction ID: 325aed64329050b3f20198ef2e786e6504a5b41f1935b6025fc107403750e0d5
Opcode Fuzzy Hash: f93429f3791748a691ab87ad84ab7cdfca9bce5f5568799de79e0b8ab4cbb26c
Instruction Fuzzy Hash: 6DE092766006008BD750DF0BEC41456F7E8EB88630B18C07FDC0D8B710E235B505CEA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6456 Parent PID: 936 dhcpmon.exeCOMMON

Executed Functions

Function 027611D0, Relevance: 4.0, Strings: 3, Instructions: 222COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02761406
X1kr, xrefs: 0276130B
X1kr, xrefs: 02761253

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID: :@Dr$X1kr$X1kr
API String ID: 0-2930718046
Opcode ID: 15bdea84fedab03764e20fef8b78f703ad477fc90e78b187d820385a71b71ff4
Instruction ID: 2f292c988142014fbf72679e5208d6af1b50820b2fc2ef3da9d9f5802b162c35
Opcode Fuzzy Hash: 15bdea84fedab03764e20fef8b78f703ad477fc90e78b187d820385a71b71ff4
Instruction Fuzzy Hash: 2B813B74B001018FCB14EBADC558B7EBBE7AFC8304F64846AD90A9B7A4DE709D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 027611C1, Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02761406
X1kr, xrefs: 02761253

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID: :@Dr$X1kr
API String ID: 0-2776031997
Opcode ID: a1a9f79e7b12df6a30fb7e58605445eef2c317f6a4b402a22b2ba736560dd434
Instruction ID: 1787c9ea0bfbee7a821a62b01a5008fb4c7f6c8fb507aa24f31710c42ed48198
Opcode Fuzzy Hash: a1a9f79e7b12df6a30fb7e58605445eef2c317f6a4b402a22b2ba736560dd434
Instruction Fuzzy Hash: 87614C34B002018FDB14DBA9C558B7EBBF6EF84304F54806AD90AAB7A5DE749D41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 00D3A63A

Memory Dump Source

Source File: 0000000F.00000002.347848009.0000000000D3A000.00000040.00000001.sdmp, Offset: 00D3A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 8cbe24539bee32675bf6c1076ff2c366bab74c927fca09dbc02a2051603ee9d7
Instruction ID: 2263b9891b36157c585a2bff0beee362407a39a661b748e8b242b573785c801e
Opcode Fuzzy Hash: 8cbe24539bee32675bf6c1076ff2c366bab74c927fca09dbc02a2051603ee9d7
Instruction Fuzzy Hash: 7D317F7250D3C06FD3138B259C55B62BFB4EF47614F1A81DBE9848F193E225A909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,0E5F2CBF,00000000,00000000,00000000,00000000), ref: 00D3A53D

Memory Dump Source

Source File: 0000000F.00000002.347848009.0000000000D3A000.00000040.00000001.sdmp, Offset: 00D3A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: ebc84c6ab06d18b4fc3ab54f0884f2e20c94f447f32acbec7be1bf976df14e9d
Instruction ID: 20bb45b8580d8ccc5883ef0579dc358d77ae2cc5ea369bef537682381110ef6a
Opcode Fuzzy Hash: ebc84c6ab06d18b4fc3ab54f0884f2e20c94f447f32acbec7be1bf976df14e9d
Instruction Fuzzy Hash: 5321A372409380AFD7128B65DC45F96BFB8EF06310F0884DBEA849F153D265A509C772

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 00D3A63A

Memory Dump Source

Source File: 0000000F.00000002.347848009.0000000000D3A000.00000040.00000001.sdmp, Offset: 00D3A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 756bf3e210e3a2cab5a852666d4ea4f35d198d74618ec00163dc5cd55b1a1eb5
Instruction ID: e6ded6ee93928b571507c72957bf215021e5fb946e37c3b9756fec74d5aec293
Opcode Fuzzy Hash: 756bf3e210e3a2cab5a852666d4ea4f35d198d74618ec00163dc5cd55b1a1eb5
Instruction Fuzzy Hash: E111E271504340AFD311CB15DC42F62BFB8EF85A20F1485AAED488B642D270B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00D3A269

Memory Dump Source

Source File: 0000000F.00000002.347848009.0000000000D3A000.00000040.00000001.sdmp, Offset: 00D3A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 7f2005e80411e7b01049c01e70bf93c45bdf5d45779c95ed44d0b8916ac80f19
Instruction ID: 480a873a88c1d13efcf3b86e2eabe18439bb676715c51e29be735921467bb907
Opcode Fuzzy Hash: 7f2005e80411e7b01049c01e70bf93c45bdf5d45779c95ed44d0b8916ac80f19
Instruction Fuzzy Hash: 93216D7540D7C49FD7138B258C95A52BFB4EF03220F0E80DBD9848F2A3D269A909DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,0E5F2CBF,00000000,00000000,00000000,00000000), ref: 00D3A53D

Memory Dump Source

Source File: 0000000F.00000002.347848009.0000000000D3A000.00000040.00000001.sdmp, Offset: 00D3A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4b02a14759107a6a143bee6c357f6535e7ea49b5aa411f7a0d36683a4111c170
Instruction ID: 03b69182a3369dcbe9bd50869b933d31d8123aaf443e41cd6aece1dc80236237
Opcode Fuzzy Hash: 4b02a14759107a6a143bee6c357f6535e7ea49b5aa411f7a0d36683a4111c170
Instruction Fuzzy Hash: E011C172500200EFEB21CF59DC45F6AFBA8EF45720F18846BEE899B251D275A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 00D3A63A

Memory Dump Source

Source File: 0000000F.00000002.347848009.0000000000D3A000.00000040.00000001.sdmp, Offset: 00D3A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: ccb590f88356277a388033b8cd11fc8467262d4fe515ac5759cfe4397245c96a
Instruction ID: 510af50aa315c803f630cb3c8565062b8c4fef35c5271155c8ce4c8be5dd9901
Opcode Fuzzy Hash: ccb590f88356277a388033b8cd11fc8467262d4fe515ac5759cfe4397245c96a
Instruction Fuzzy Hash: CA017176540600ABD710DF16DC86F26FBA8FB88B20F14856AED089B741E371B915CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D3A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00D3A269

Memory Dump Source

Source File: 0000000F.00000002.347848009.0000000000D3A000.00000040.00000001.sdmp, Offset: 00D3A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: c59b6aa6837349ac1181db1460ce1d3860b740ddb5d182de514cf50f27aadfab
Instruction ID: 1bccf47657540f3946ad1245d2faf11df4a180d151918bf624a2340804222fd8
Opcode Fuzzy Hash: c59b6aa6837349ac1181db1460ce1d3860b740ddb5d182de514cf50f27aadfab
Instruction Fuzzy Hash: 39F0A434904644DFD7108F19D885752FFD4EF04720F18D0AADE894F316D2B6A844CAB6

Uniqueness

Uniqueness Score: -1.00%

Function 0276010F, Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 027602C5

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 8ba4c9b8ab973aa53a39dac97533947c1cf6c6d9bc64627ad71154ed4ab1c6c3
Instruction ID: b0cd4d0d40c694345a0e91a919de6d7b411bc3413f8a412c73ee1aaa84f2dc81
Opcode Fuzzy Hash: 8ba4c9b8ab973aa53a39dac97533947c1cf6c6d9bc64627ad71154ed4ab1c6c3
Instruction Fuzzy Hash: DA918E34A102058FCB29EF78D85CB6D7BF2BB89344F148069D806EB7A5DB719D85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D7025D, Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.347900396.0000000000D70000.00000040.00000040.sdmp, Offset: 00D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13dfe0c247ef120775181fa1301a8d6aa0f0cb46b50d6c3c415ab7dfc8cf39cc
Instruction ID: ca687d12417c5c16463713f87b756a1254913cee88aa041d90ed6be65798d451
Opcode Fuzzy Hash: 13dfe0c247ef120775181fa1301a8d6aa0f0cb46b50d6c3c415ab7dfc8cf39cc
Instruction Fuzzy Hash: D721C07554E7C18FC7038B319C61191BFB0AE47220B1E81EBD889CF5A3D26D984ACB72

Uniqueness

Uniqueness Score: -1.00%

Function 0276040C, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd29fa80b2a36c1bb509744f2a538ecef6cb70ece47980fd569107641f729405
Instruction ID: 0826a332d855fc5a97dbd3b356b955de6913aef92e152ecbe0216c1420be8c10
Opcode Fuzzy Hash: fd29fa80b2a36c1bb509744f2a538ecef6cb70ece47980fd569107641f729405
Instruction Fuzzy Hash: C1415870A00326CFEB24AF64C49DBBE7FB1BB89704F145029D902AB791DFB58941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 027606E8, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd7992af3f3349f3b7df64569ec04c8a7052196b71f5766cb7c02cd3db73ee7
Instruction ID: 31e606336c3877d6f07dcbeb793f468d4102fc3eef1b9a3c54dc5191306d75dd
Opcode Fuzzy Hash: 3bd7992af3f3349f3b7df64569ec04c8a7052196b71f5766cb7c02cd3db73ee7
Instruction Fuzzy Hash: 8431FE307012108FC759AB7DD52963E3AE2EF86309B2404BAE506CF7E5EE36DC458795

Uniqueness

Uniqueness Score: -1.00%

Function 027606F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e35372e931fb75649c7754574ea0c2aaaa2ffcefe4718f18d208a69ef1a349d0
Instruction ID: bf8349051765abab540474c122fe9c154279734ecc37784d7de85f176d5f1804
Opcode Fuzzy Hash: e35372e931fb75649c7754574ea0c2aaaa2ffcefe4718f18d208a69ef1a349d0
Instruction Fuzzy Hash: 7421F8307012108FC759AB7DD12863E3AE2EF85309B1404BAE506CF7A1EE3ADC458B95

Uniqueness

Uniqueness Score: -1.00%

Function 02761070, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf52ad0e8588d56d975d4ad432f8e067b732108c032d2d4715372205d478e1e
Instruction ID: 54eaa3e7a28032928ca5e22c9fa1a77200ec8e0f478405e8c8156107b66b1c3d
Opcode Fuzzy Hash: faf52ad0e8588d56d975d4ad432f8e067b732108c032d2d4715372205d478e1e
Instruction Fuzzy Hash: 5DF0B435310150ABDB1496799905F7B77EADBC8760F14446AF60DDB380DE61DC0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 02761060, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2e6b31827ccbd8dceae279a7ca5bbdae4af55abf87f6a7c2a8ede37f76151a
Instruction ID: 10250681e08e4dc0ffddabd863e954007451a7f369ffbad12b51a2d62876fb1a
Opcode Fuzzy Hash: 7c2e6b31827ccbd8dceae279a7ca5bbdae4af55abf87f6a7c2a8ede37f76151a
Instruction Fuzzy Hash: 2DF0E2317043C07BDB2566795D1AF373EAA8B85710F24446AEA09EB2C2DEA1D80087B5

Uniqueness

Uniqueness Score: -1.00%

Function 027600C0, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d0639600b574644a95c6ec9426b8e365c171eb7d876a7a59ce35d7e4f37f4d
Instruction ID: eed183e4b8d0e0d18b7b151ef380fc13b28dea63505612da72f002ae70dfd639
Opcode Fuzzy Hash: c8d0639600b574644a95c6ec9426b8e365c171eb7d876a7a59ce35d7e4f37f4d
Instruction Fuzzy Hash: 98F03075D092895FCF51DFB85C45AFEBFF4BA59310B20057AD548E3211E63146058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 027610D0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0178dcce4034faa739f6b31591d8160c47f44a84807fe99e4147c509c0f32c2e
Instruction ID: 602b8b200a1f5a96b3b784b15c76aa4b194bac0f5ddafbf20f91cc4538600828
Opcode Fuzzy Hash: 0178dcce4034faa739f6b31591d8160c47f44a84807fe99e4147c509c0f32c2e
Instruction Fuzzy Hash: 64F030B1E04249AA8F60DEBA5C097FFBFF8EA45262F504166D519E6201E230920587E2

Uniqueness

Uniqueness Score: -1.00%

Function 02760F23, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4208895cbfb19173b9f6a3785b73dc71a0ff54d4df15239290b89226485cc3c
Instruction ID: 550ce4c90cffd1deacdb031726a9c8a618aafd8029af2f2ea4303bb60bad1bc5
Opcode Fuzzy Hash: c4208895cbfb19173b9f6a3785b73dc71a0ff54d4df15239290b89226485cc3c
Instruction Fuzzy Hash: F5F0A0392142408FC765EBBCD8589A53BEBEF4E21431500E7E409CB7B6CA616C45C791

Uniqueness

Uniqueness Score: -1.00%

Function 00D705F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.347900396.0000000000D70000.00000040.00000040.sdmp, Offset: 00D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96595613fbe74c84653d0567e45033616f8c5743ae89fce8cd99c87fd3960e9a
Instruction ID: ee462fee24a4199ff7abd41ecd7999212fcf9b4dccbb9644f69cc56aa5501c1b
Opcode Fuzzy Hash: 96595613fbe74c84653d0567e45033616f8c5743ae89fce8cd99c87fd3960e9a
Instruction Fuzzy Hash: 03E092B66406009BD650CF0BEC41452F7D8EB88630B18C47FED0D8B711E175B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 00D705B0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.347900396.0000000000D70000.00000040.00000040.sdmp, Offset: 00D70000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d25556deca766f2411586b181d3b357621b02c47b079b630a8f4cb2cf11629
Instruction ID: 96af7bff1cca8724691e0e905ff36dbe3f4eb3127a3441c5e07743537ec6c006
Opcode Fuzzy Hash: 08d25556deca766f2411586b181d3b357621b02c47b079b630a8f4cb2cf11629
Instruction Fuzzy Hash: DAE020726455408BDA40CF0AFC85095BB80EB81730B18C47FDC4DC7710E126D109CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02760F30, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a7d9eefa3316e5aeb5d3e0f6bcba28b50f0b569166a0db70088e4292013875
Instruction ID: f818d5cfa1b0a2c8b863e298ca894ffe109433d2160c86275294ef78507d84c7
Opcode Fuzzy Hash: a5a7d9eefa3316e5aeb5d3e0f6bcba28b50f0b569166a0db70088e4292013875
Instruction Fuzzy Hash: 64E092383101108FC764EB6CE54895537EBAB8D2143104067E409CB765CA705C40CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 027600D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64601e0afc86f7deb256b9205f00714b3645b87a40c3d39312bbc908751f5211
Instruction ID: df8d09569345cce221bda4de2bdcc4008844c1e19c43f0446c997d45cf1862ee
Opcode Fuzzy Hash: 64601e0afc86f7deb256b9205f00714b3645b87a40c3d39312bbc908751f5211
Instruction Fuzzy Hash: A7E09A75D0521D9F8F40DFB999455DEBFF8FA49254F200466D509F3200E33156118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 027610E0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.348109433.0000000002760000.00000040.00000001.sdmp, Offset: 02760000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38800d02c00abef8463ecb295d2f0cb07028ebee4a8d053e491d0bcb324c4906
Instruction ID: 9aa1f391869b848dc283092b8c7bbe73fc3f6f48f9e0bad3cb4897ae5517ab10
Opcode Fuzzy Hash: 38800d02c00abef8463ecb295d2f0cb07028ebee4a8d053e491d0bcb324c4906
Instruction Fuzzy Hash: 01E0B6B1D002099ECB40EFBE98456EFBFF8EB48261F50403AD508E3200E63552118BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D323F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.347840281.0000000000D32000.00000040.00000001.sdmp, Offset: 00D32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed6e43690ef7da3025ba98b5c1e37ac110605a5b38ae795f65a0dded637a0ea
Instruction ID: 15d5f618ffb2a671191e408036838d5b2fe902f160bb556ceb8059eb99750a59
Opcode Fuzzy Hash: 4ed6e43690ef7da3025ba98b5c1e37ac110605a5b38ae795f65a0dded637a0ea
Instruction Fuzzy Hash: A7D05E79615A818FD3268A1CC1A9BA53B94AB61B04F4A44FDE8008B663C368E981D210

Uniqueness

Uniqueness Score: -1.00%

Function 00D323BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.347840281.0000000000D32000.00000040.00000001.sdmp, Offset: 00D32000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114ec2ae586121ea755459e711b1c4e766d567705bfd6f8bbeae7ae2c602e097
Instruction ID: b5218eb41deb901431603bf7eb9fc23459924b421abc605279c8a89f78012492
Opcode Fuzzy Hash: 114ec2ae586121ea755459e711b1c4e766d567705bfd6f8bbeae7ae2c602e097
Instruction Fuzzy Hash: AED05E346412818BC715DB0CC594F6977D4AB41B00F0A44ECAC008B662C3A9DC81C610

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 7024 Parent PID: 3440 dhcpmon.exeCOMMON

Executed Functions

Function 0155A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,D0B8B5F1,00000000,00000000,00000000,00000000), ref: 0155A53D

Memory Dump Source

Source File: 00000012.00000002.365423559.000000000155A000.00000040.00000001.sdmp, Offset: 0155A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a308aa7d9c973071dfaf0650d907aa6c38da3e15612295272f2f2bf4c2ca4b70
Instruction ID: 4b711bbe02b423e15291dbc545a2fcab9a4a77ffff78c59f4e79e6e9b46794ab
Opcode Fuzzy Hash: a308aa7d9c973071dfaf0650d907aa6c38da3e15612295272f2f2bf4c2ca4b70
Instruction Fuzzy Hash: AD21A371409380AFDB128F65DC54F96BFB8EF06310F0885DBEA849F153D264A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0155A336, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0155A39C

Memory Dump Source

Source File: 00000012.00000002.365423559.000000000155A000.00000040.00000001.sdmp, Offset: 0155A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 493c6c3778cee38a965fcb39166b02947368431a0889f422a165783f785137bf
Instruction ID: 360458debdb1e82bb4996b08fe45ce3746e7bf27c692177906630e810824502b
Opcode Fuzzy Hash: 493c6c3778cee38a965fcb39166b02947368431a0889f422a165783f785137bf
Instruction Fuzzy Hash: 56216D715093C49FD7128F25DC55A56BFB4EF06220F0984EBED85CF263D278A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0155A1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0155A269

Memory Dump Source

Source File: 00000012.00000002.365423559.000000000155A000.00000040.00000001.sdmp, Offset: 0155A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 83aa6476c6dc2af7dc3536fb557da47e335212abd4058fa6d327e4d07ff9495a
Instruction ID: 8834f84c8d7d205b470ac2ee28f49bca16e9f4312cd38ebdba30022f436c99ff
Opcode Fuzzy Hash: 83aa6476c6dc2af7dc3536fb557da47e335212abd4058fa6d327e4d07ff9495a
Instruction Fuzzy Hash: 8C215C3540D7C49FD7138B258C95A92BFB4EF03220F0A81DBDD848F1A3D269A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0155A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,D0B8B5F1,00000000,00000000,00000000,00000000), ref: 0155A53D

Memory Dump Source

Source File: 00000012.00000002.365423559.000000000155A000.00000040.00000001.sdmp, Offset: 0155A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d24ef35aaee21e1f826fc51a1e33a542af3ef6f37458ab73d17624e9731103c9
Instruction ID: 134b25b3ab8d35175ec302dbfee538571b755c9c8283bf4a11bd19cd7adb9571
Opcode Fuzzy Hash: d24ef35aaee21e1f826fc51a1e33a542af3ef6f37458ab73d17624e9731103c9
Instruction Fuzzy Hash: DA11BF71400200EEEB21CF69DC84FAAFBE8EF44320F14856BEE459B251D674A5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0155A36A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0155A39C

Memory Dump Source

Source File: 00000012.00000002.365423559.000000000155A000.00000040.00000001.sdmp, Offset: 0155A000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e178549c02c7b0e031f700f91f22cde7b095f97f9b828a4c0f5b6e4184ead06b
Instruction ID: cb3452993a14985d4d081afc44f19d0711cfbac116f6e13c6a807f7786035fa7
Opcode Fuzzy Hash: e178549c02c7b0e031f700f91f22cde7b095f97f9b828a4c0f5b6e4184ead06b
Instruction Fuzzy Hash: F4018F75504244DFDB518F29D88576AFFD4EF04324F18C5ABDD098F252D6B5A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0155A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0155A269

Memory Dump Source

Source File: 00000012.00000002.365423559.000000000155A000.00000040.00000001.sdmp, Offset: 0155A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 8bcbd0d0e7cecf28d6b5878b4e2da418c7dbc2e1763cc0e94b8d0f48ed23ea35
Instruction ID: f44af9d0273f9891cce59c2cb605ed4c54b8c0eaaa3e0e6bded946b719973169
Opcode Fuzzy Hash: 8bcbd0d0e7cecf28d6b5878b4e2da418c7dbc2e1763cc0e94b8d0f48ed23ea35
Instruction Fuzzy Hash: 85F0A9308046449FDB518F1AD886766FFE0EF04720F18C1ABDE094F212D2BAA448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02F9010F, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

:@Dr, xrefs: 02F902C5

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID: :@Dr
API String ID: 0-3830894600
Opcode ID: 9df290913ab28845d3bd79692eccd9869177baa58911da4e0e2a44b365776bd5
Instruction ID: 5b20929c50c73059d8963e3c7dfa51b9a2be3d1981d39af221574d3fb87ad615
Opcode Fuzzy Hash: 9df290913ab28845d3bd79692eccd9869177baa58911da4e0e2a44b365776bd5
Instruction Fuzzy Hash: 36715D34B00211CFDB5ADB28E469B697FE7FB88350F158069D9068B394CF759C89DB80

Uniqueness

Uniqueness Score: -1.00%

Function 02F90818, Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d7d72ea38a5cf4405dfa9d712bfade6fba4ebfa43f05bfb8dce79428098431
Instruction ID: b33ddf7a6dc8d1ba9a88aba7c2e5cd5d33cfc2269fc5eb98164e2378c9687d0e
Opcode Fuzzy Hash: 82d7d72ea38a5cf4405dfa9d712bfade6fba4ebfa43f05bfb8dce79428098431
Instruction Fuzzy Hash: EAF14B30700642CFEB18CF64E4A4A2A7BA7FBC4354B15856DD5468B258DF71EC0AEB91

Uniqueness

Uniqueness Score: -1.00%

Function 02F906E8, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f56e7d7496dcc4ae8618b9425b8e4e96c40217afeede4249584086398d7ded2
Instruction ID: 85f954ac3719a589030cf04d07e2172ad811145ef74377e9e49413c8ae22539a
Opcode Fuzzy Hash: 6f56e7d7496dcc4ae8618b9425b8e4e96c40217afeede4249584086398d7ded2
Instruction Fuzzy Hash: 8031C9307012118FC7596B7CD428A6E3BE2AFC6309B2504BED506CF7E1DE359C468B95

Uniqueness

Uniqueness Score: -1.00%

Function 02F906F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e7c5028c1a44c53c22acbd9455bf2db641533451c3134aad71f22ef6aa95ac
Instruction ID: fad93d763802306cc10e705f9b846c67d690180aadaa06848a6dff9c9ec0a25c
Opcode Fuzzy Hash: 52e7c5028c1a44c53c22acbd9455bf2db641533451c3134aad71f22ef6aa95ac
Instruction Fuzzy Hash: 1321F8307012118FCB59AB7DD028A2E3AE6AFC5309B1404BEE506CF7E1EE36DC458B95

Uniqueness

Uniqueness Score: -1.00%

Function 02F90DD0, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1741a75a091921ee1cfd934f3559cb4a95279568546b127d230fe4bd09f026be
Instruction ID: 98c62fe74025d94f55dd896fb7c5c3cfb125fdf8d3c7f54f15aadca7c74afda4
Opcode Fuzzy Hash: 1741a75a091921ee1cfd934f3559cb4a95279568546b127d230fe4bd09f026be
Instruction Fuzzy Hash: F221E431B002449FC755DBBDD8216AE3FBABFC5610F1040AAD505CB291CF348D06D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02F900A0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7993da61b0dd00ae6886ca28f8c1b20df937586791129b2bb0f485a4f7427917
Instruction ID: 2f25537f081d8ed8bd3b835fb2da65e451513e9d973c3a463240396dc1b3cf17
Opcode Fuzzy Hash: 7993da61b0dd00ae6886ca28f8c1b20df937586791129b2bb0f485a4f7427917
Instruction Fuzzy Hash: E8F0C830D492855FDB01CFB8AC525EEBFF4ED4A61071640EAD5C4E7112D2300517CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02FA05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365952088.0000000002FA0000.00000040.00000040.sdmp, Offset: 02FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3b1a4cb9edf059e81ca35ccfdb4480eee7d97de599b52cdd60c276f991b0932
Instruction ID: f67772866447b03bc817b9aa45a0eb03d2523ea2e6b5939cc46177ada083898e
Opcode Fuzzy Hash: e3b1a4cb9edf059e81ca35ccfdb4480eee7d97de599b52cdd60c276f991b0932
Instruction Fuzzy Hash: C201D6755097C06FC7028F16EC40893FFF8DF8B23070984ABED88CB212D125A958CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02F90EF7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947091e4959c56e065a0953403c058c3edde28f7db4bd605d58c72084cce0de8
Instruction ID: df09a3960de27b0884a5692351362c632adda490c186a00e4c992eeea9e05c5c
Opcode Fuzzy Hash: 947091e4959c56e065a0953403c058c3edde28f7db4bd605d58c72084cce0de8
Instruction Fuzzy Hash: 18F030346052804FC741DB7CD4649BE3FFAAF8A214B1540EFD445D76B2C9255C49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02FA05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365952088.0000000002FA0000.00000040.00000040.sdmp, Offset: 02FA0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40143bcedd3e9b121968e4e1fbb1f537968e0d5690f3e48f115597b26cf62a6b
Instruction ID: 4a2fdac1a5da93988256147b385cac1dec0ddf6256311df4490bf81696d94411
Opcode Fuzzy Hash: 40143bcedd3e9b121968e4e1fbb1f537968e0d5690f3e48f115597b26cf62a6b
Instruction Fuzzy Hash: 47E092766046008BD650CF0BEC81452F7D8EB88730B18C07FDD0D8B710E535B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 02F900D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23a26764ff9024b1611ebc54f95d420d22e43d24cdf87e1e01653eae00e6369
Instruction ID: f69fc65fb4d352d83c5bc1acc4722754bfced7ade42386020e190da7567ae669
Opcode Fuzzy Hash: a23a26764ff9024b1611ebc54f95d420d22e43d24cdf87e1e01653eae00e6369
Instruction Fuzzy Hash: 86E09A71E0521D9F8F50DFB9A9455DEBFF8FA48250F10046AD618F3200E33156158FE5

Uniqueness

Uniqueness Score: -1.00%

Function 02F90F08, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2709c02a996fb674d96961322f11fe3e196aff2a6a285df21c4a07b195ba5b0d
Instruction ID: 7b314e8c61f3a806668c6e35adeb8a7b5d1dfb7de8a997c2b5768dcc8e57f3f7
Opcode Fuzzy Hash: 2709c02a996fb674d96961322f11fe3e196aff2a6a285df21c4a07b195ba5b0d
Instruction Fuzzy Hash: 78E065306002108FC200EB6CE464A6A3BEEEB89220B1040AAE809D7360CE20AC08CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02F90DC0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e92e32243e509f6f06ea6d09dca140412463000dd23c38082efc8171b2175aa8
Instruction ID: 6547ad330af6004aa42785149ffd3fd1b2bd819fb6f70377bdf7d90907d34055
Opcode Fuzzy Hash: e92e32243e509f6f06ea6d09dca140412463000dd23c38082efc8171b2175aa8
Instruction Fuzzy Hash: 7BE02630E042809FD71197B8A8566E93F74EF0B520F0540D6D9C48F2A2CB268C0BC782

Uniqueness

Uniqueness Score: -1.00%

Function 02F903C5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365942745.0000000002F90000.00000040.00000001.sdmp, Offset: 02F90000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0607667469e1b1a08ab24a3f62d5c3f208bddb0295ace9183762584bb65e8107
Instruction ID: 6b098677dc6283cfb2d2686df5173127ae7663f7e4d66108b0597d72c92f7daf
Opcode Fuzzy Hash: 0607667469e1b1a08ab24a3f62d5c3f208bddb0295ace9183762584bb65e8107
Instruction Fuzzy Hash: 16F01C70A00225CFEF149BA4D169BAD7EF0AF88354F100459D512AA290DF744988DF44

Uniqueness

Uniqueness Score: -1.00%

Function 015523F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365413726.0000000001552000.00000040.00000001.sdmp, Offset: 01552000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a553c294a1b700f25e5f405ec3be3fe390edbaee9943556e65f6264a8781e5b
Instruction ID: 92cfcd25c4656f6f2216d60f695b9db84cc0997f15e4a124cc80fa8bc4829b1b
Opcode Fuzzy Hash: 6a553c294a1b700f25e5f405ec3be3fe390edbaee9943556e65f6264a8781e5b
Instruction Fuzzy Hash: 86D05E79215A81CFE3268A1CC1B8B993FA4BB51B04F4644FEEC008F663C368D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 015523BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.365413726.0000000001552000.00000040.00000001.sdmp, Offset: 01552000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb794b4a67b10cddce08115e46a218400c146e575828f93833fba8f40cbd4506
Instruction ID: d1dbb2009517dc6558c2e2a8b662fead4551558921a191d5d7fc39de1cdb20c2
Opcode Fuzzy Hash: cb794b4a67b10cddce08115e46a218400c146e575828f93833fba8f40cbd4506
Instruction Fuzzy Hash: EFD05E342002818BD715DB0CC5A4F5D3BD4BB41B00F0644E9AD008F662C3A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report DRAFT BL-DOCS-20211510-VP-KMC022021.scr

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre