Play interactive tour

Edit tour

Windows Analysis Report doa8GHSloq

Overview

General Information

Sample Name:	doa8GHSloq (renamed file extension from none to exe)
Analysis ID:	508792
MD5:	f85ca66e06121eb29b26d78cc3f64554
SHA1:	141bc2598b79d80bb3ceda6fe98c49ab7c694dd8
SHA256:	2483d6141d48f387aad22f1bec5c45945bca933eb35ba13d6ff65a46b8720885
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Yara detected Nanocore RAT

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

doa8GHSloq.exe (PID: 6672 cmdline: 'C:\Users\user\Desktop\doa8GHSloq.exe' MD5: F85CA66E06121EB29B26D78CC3F64554)

doa8GHSloq.exe (PID: 7164 cmdline: C:\Users\user\Desktop\doa8GHSloq.exe MD5: F85CA66E06121EB29B26D78CC3F64554)

doa8GHSloq.exe (PID: 4820 cmdline: C:\Users\user\Desktop\doa8GHSloq.exe MD5: F85CA66E06121EB29B26D78CC3F64554)

schtasks.exe (PID: 3180 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA5BD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5700 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC94.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

doa8GHSloq.exe (PID: 3860 cmdline: C:\Users\user\Desktop\doa8GHSloq.exe 0 MD5: F85CA66E06121EB29B26D78CC3F64554)

doa8GHSloq.exe (PID: 5356 cmdline: C:\Users\user\Desktop\doa8GHSloq.exe MD5: F85CA66E06121EB29B26D78CC3F64554)

dhcpmon.exe (PID: 6268 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: F85CA66E06121EB29B26D78CC3F64554)

dhcpmon.exe (PID: 6528 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: F85CA66E06121EB29B26D78CC3F64554)

dhcpmon.exe (PID: 6520 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: F85CA66E06121EB29B26D78CC3F64554)

dhcpmon.exe (PID: 4140 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: F85CA66E06121EB29B26D78CC3F64554)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "b4ede67b-be7e-44fd-9e96-0c0f6d15", "Group": "Default", "Domain1": "watermalon1.sytes.net", "Domain2": "", "Port": 2010, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x32b8ad:$x1: NanoCore.ClientPluginHost 0x35e2cd:$x1: NanoCore.ClientPluginHost 0x32b8ea:$x2: IClientNetworkHost 0x35e30a:$x2: IClientNetworkHost 0x32f41d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x361e3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x32b615:$a: NanoCore 0x32b625:$a: NanoCore 0x32b859:$a: NanoCore 0x32b86d:$a: NanoCore 0x32b8ad:$a: NanoCore 0x35e035:$a: NanoCore 0x35e045:$a: NanoCore 0x35e279:$a: NanoCore 0x35e28d:$a: NanoCore 0x35e2cd:$a: NanoCore 0x32b674:$b: ClientPlugin 0x32b876:$b: ClientPlugin 0x32b8b6:$b: ClientPlugin 0x35e094:$b: ClientPlugin 0x35e296:$b: ClientPlugin 0x35e2d6:$b: ClientPlugin 0xba19d:$c: ProjectData 0x2947cd:$c: ProjectData 0x32b79b:$c: ProjectData 0x35e1bb:$c: ProjectData 0x32c1a2:$d: DESCrypto
00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1e62:$a: NanoCore 0x1e87:$a: NanoCore 0x1ee0:$a: NanoCore 0x1207d:$a: NanoCore 0x120a3:$a: NanoCore 0x120ff:$a: NanoCore 0x1ef54:$a: NanoCore 0x1efad:$a: NanoCore 0x1efe0:$a: NanoCore 0x1f20c:$a: NanoCore 0x1f288:$a: NanoCore 0x1f8a1:$a: NanoCore 0x1f9ea:$a: NanoCore 0x1febe:$a: NanoCore 0x201a5:$a: NanoCore 0x201bc:$a: NanoCore 0x2575a:$a: NanoCore 0x257d4:$a: NanoCore 0x2a371:$a: NanoCore 0x2b72b:$a: NanoCore 0x2b775:$a: NanoCore
00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.306901830.0000000002811000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x32b8ad:$x1: NanoCore.ClientPluginHost 0x35e2cd:$x1: NanoCore.ClientPluginHost 0x32b8ea:$x2: IClientNetworkHost 0x35e30a:$x2: IClientNetworkHost 0x32f41d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x361e3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x32b615:$a: NanoCore 0x32b625:$a: NanoCore 0x32b859:$a: NanoCore 0x32b86d:$a: NanoCore 0x32b8ad:$a: NanoCore 0x35e035:$a: NanoCore 0x35e045:$a: NanoCore 0x35e279:$a: NanoCore 0x35e28d:$a: NanoCore 0x35e2cd:$a: NanoCore 0x32b674:$b: ClientPlugin 0x32b876:$b: ClientPlugin 0x32b8b6:$b: ClientPlugin 0x35e094:$b: ClientPlugin 0x35e296:$b: ClientPlugin 0x35e2d6:$b: ClientPlugin 0xba19d:$c: ProjectData 0x2947cd:$c: ProjectData 0x32b79b:$c: ProjectData 0x35e1bb:$c: ProjectData 0x32c1a2:$d: DESCrypto
00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238a7:$a: NanoCore 0x23900:$a: NanoCore 0x2393d:$a: NanoCore 0x239b6:$a: NanoCore 0x23909:$b: ClientPlugin 0x23946:$b: ClientPlugin 0x24244:$b: ClientPlugin 0x24251:$b: ClientPlugin 0x1b614:$e: KeepAlive 0x23d91:$g: LogClientMessage 0x23d11:$i: get_Connected 0x158d9:$j: #=q 0x15909:$j: #=q 0x15945:$j: #=q 0x1596d:$j: #=q 0x1599d:$j: #=q 0x159cd:$j: #=q 0x159fd:$j: #=q 0x15a2d:$j: #=q 0x15a49:$j: #=q 0x15a79:$j: #=q
00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x236bf:$a: NanoCore 0x23718:$a: NanoCore 0x23755:$a: NanoCore 0x237ce:$a: NanoCore 0x23721:$b: ClientPlugin 0x2375e:$b: ClientPlugin 0x2405c:$b: ClientPlugin 0x24069:$b: ClientPlugin 0x1b42c:$e: KeepAlive 0x23ba9:$g: LogClientMessage 0x23b29:$i: get_Connected 0x156f1:$j: #=q 0x15721:$j: #=q 0x1575d:$j: #=q 0x15785:$j: #=q 0x157b5:$j: #=q 0x157e5:$j: #=q 0x15815:$j: #=q 0x15845:$j: #=q 0x15861:$j: #=q 0x15891:$j: #=q
00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a6d:$a: NanoCore 0x49ac6:$a: NanoCore 0x49b03:$a: NanoCore 0x49b7c:$a: NanoCore 0x5d227:$a: NanoCore 0x5d23c:$a: NanoCore 0x5d271:$a: NanoCore 0x76203:$a: NanoCore 0x76218:$a: NanoCore 0x7624d:$a: NanoCore 0x49acf:$b: ClientPlugin 0x49b0c:$b: ClientPlugin 0x4a40a:$b: ClientPlugin 0x4a417:$b: ClientPlugin 0x5cfe3:$b: ClientPlugin 0x5cffe:$b: ClientPlugin 0x5d02e:$b: ClientPlugin 0x5d245:$b: ClientPlugin 0x5d27a:$b: ClientPlugin 0x75fbf:$b: ClientPlugin 0x75fda:$b: ClientPlugin
00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a6d:$a: NanoCore 0x49ac6:$a: NanoCore 0x49b03:$a: NanoCore 0x49b7c:$a: NanoCore 0x5d227:$a: NanoCore 0x5d23c:$a: NanoCore 0x5d271:$a: NanoCore 0x76203:$a: NanoCore 0x76218:$a: NanoCore 0x7624d:$a: NanoCore 0x49acf:$b: ClientPlugin 0x49b0c:$b: ClientPlugin 0x4a40a:$b: ClientPlugin 0x4a417:$b: ClientPlugin 0x5cfe3:$b: ClientPlugin 0x5cffe:$b: ClientPlugin 0x5d02e:$b: ClientPlugin 0x5d245:$b: ClientPlugin 0x5d27a:$b: ClientPlugin 0x75fbf:$b: ClientPlugin 0x75fda:$b: ClientPlugin
00000010.00000002.331777167.00000000035F1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238a7:$a: NanoCore 0x23900:$a: NanoCore 0x2393d:$a: NanoCore 0x239b6:$a: NanoCore 0x23909:$b: ClientPlugin 0x23946:$b: ClientPlugin 0x24244:$b: ClientPlugin 0x24251:$b: ClientPlugin 0x1b614:$e: KeepAlive 0x23d91:$g: LogClientMessage 0x23d11:$i: get_Connected 0x158d9:$j: #=q 0x15909:$j: #=q 0x15945:$j: #=q 0x1596d:$j: #=q 0x1599d:$j: #=q 0x159cd:$j: #=q 0x159fd:$j: #=q 0x15a2d:$j: #=q 0x15a49:$j: #=q 0x15a79:$j: #=q
00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a6d:$a: NanoCore 0x49ac6:$a: NanoCore 0x49b03:$a: NanoCore 0x49b7c:$a: NanoCore 0x5d227:$a: NanoCore 0x5d23c:$a: NanoCore 0x5d271:$a: NanoCore 0x76203:$a: NanoCore 0x76218:$a: NanoCore 0x7624d:$a: NanoCore 0x49acf:$b: ClientPlugin 0x49b0c:$b: ClientPlugin 0x4a40a:$b: ClientPlugin 0x4a417:$b: ClientPlugin 0x5cfe3:$b: ClientPlugin 0x5cffe:$b: ClientPlugin 0x5d02e:$b: ClientPlugin 0x5d245:$b: ClientPlugin 0x5d27a:$b: ClientPlugin 0x75fbf:$b: ClientPlugin 0x75fda:$b: ClientPlugin
0000000E.00000002.326343099.0000000003631000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x32b8ad:$x1: NanoCore.ClientPluginHost 0x35e2cd:$x1: NanoCore.ClientPluginHost 0x32b8ea:$x2: IClientNetworkHost 0x35e30a:$x2: IClientNetworkHost 0x32f41d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x361e3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x32b615:$a: NanoCore 0x32b625:$a: NanoCore 0x32b859:$a: NanoCore 0x32b86d:$a: NanoCore 0x32b8ad:$a: NanoCore 0x35e035:$a: NanoCore 0x35e045:$a: NanoCore 0x35e279:$a: NanoCore 0x35e28d:$a: NanoCore 0x35e2cd:$a: NanoCore 0x32b674:$b: ClientPlugin 0x32b876:$b: ClientPlugin 0x32b8b6:$b: ClientPlugin 0x35e094:$b: ClientPlugin 0x35e296:$b: ClientPlugin 0x35e2d6:$b: ClientPlugin 0xba19d:$c: ProjectData 0x2947cd:$c: ProjectData 0x32b79b:$c: ProjectData 0x35e1bb:$c: ProjectData 0x32c1a2:$d: DESCrypto
0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x32b8ad:$x1: NanoCore.ClientPluginHost 0x35e2cd:$x1: NanoCore.ClientPluginHost 0x32b8ea:$x2: IClientNetworkHost 0x35e30a:$x2: IClientNetworkHost 0x32f41d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x361e3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x32b615:$a: NanoCore 0x32b625:$a: NanoCore 0x32b859:$a: NanoCore 0x32b86d:$a: NanoCore 0x32b8ad:$a: NanoCore 0x35e035:$a: NanoCore 0x35e045:$a: NanoCore 0x35e279:$a: NanoCore 0x35e28d:$a: NanoCore 0x35e2cd:$a: NanoCore 0x32b674:$b: ClientPlugin 0x32b876:$b: ClientPlugin 0x32b8b6:$b: ClientPlugin 0x35e094:$b: ClientPlugin 0x35e296:$b: ClientPlugin 0x35e2d6:$b: ClientPlugin 0xba19d:$c: ProjectData 0x2947cd:$c: ProjectData 0x32b79b:$c: ProjectData 0x35e1bb:$c: ProjectData 0x32c1a2:$d: DESCrypto
Process Memory Space: doa8GHSloq.exe PID: 6672	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: doa8GHSloq.exe PID: 4820	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4e61:$a: NanoCore 0x4e86:$a: NanoCore 0x4edf:$a: NanoCore 0x897b:$a: NanoCore 0x899e:$a: NanoCore 0x89f3:$a: NanoCore 0x13b93:$a: NanoCore 0x13bb7:$a: NanoCore 0x13c0f:$a: NanoCore 0x1b085:$a: NanoCore 0x1b0de:$a: NanoCore 0x1b104:$a: NanoCore 0x1b49a:$a: NanoCore 0x1b4de:$a: NanoCore 0x1b521:$a: NanoCore 0x1b574:$a: NanoCore 0x1b5a3:$a: NanoCore 0x1b7a9:$a: NanoCore 0x1b81d:$a: NanoCore 0x1bdd4:$a: NanoCore 0x1bf10:$a: NanoCore
Process Memory Space: doa8GHSloq.exe PID: 3860	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6268	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: doa8GHSloq.exe PID: 5356	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa0ab:$x1: NanoCore.ClientPluginHost 0xa0e8:$x2: IClientNetworkHost 0xd834:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x18757:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: doa8GHSloq.exe PID: 5356	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: doa8GHSloq.exe PID: 5356	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2a1a:$a: NanoCore 0x2fe1:$a: NanoCore 0x9dd6:$a: NanoCore 0x9e47:$a: NanoCore 0x9e56:$a: NanoCore 0xa057:$a: NanoCore 0xa06b:$a: NanoCore 0xa0ab:$a: NanoCore 0x14dc1:$a: NanoCore 0x14dd3:$a: NanoCore 0x14e0f:$a: NanoCore 0x21f01:$a: NanoCore 0x21f5d:$a: NanoCore 0x21fd0:$a: NanoCore 0x2a728:$a: NanoCore 0x2a990:$a: NanoCore 0x2a9e3:$a: NanoCore 0x2aa1c:$a: NanoCore 0x2aa8f:$a: NanoCore 0x2b649:$a: NanoCore 0x39f88:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6528	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d60b:$x1: NanoCore.ClientPluginHost 0x1d625:$x2: IClientNetworkHost 0x33a67:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3e53e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6528	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6528	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd681:$a: NanoCore 0x14851:$a: NanoCore 0x148be:$a: NanoCore 0x14931:$a: NanoCore 0x1d575:$a: NanoCore 0x1d5ce:$a: NanoCore 0x1d60b:$a: NanoCore 0x1d684:$a: NanoCore 0x1dbac:$a: NanoCore 0x1dbff:$a: NanoCore 0x1dc38:$a: NanoCore 0x1dcab:$a: NanoCore 0x1e8aa:$a: NanoCore 0x1e8f3:$a: NanoCore 0x20bfc:$a: NanoCore 0x24d0d:$a: NanoCore 0x24d20:$a: NanoCore 0x24d52:$a: NanoCore 0x2a192:$a: NanoCore 0x2a1a5:$a: NanoCore 0x2a1d7:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6520	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 4140	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x12f8c:$x1: NanoCore.ClientPluginHost 0x12fa6:$x2: IClientNetworkHost 0x35481:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3ff58:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 4140	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 4140	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x587f:$a: NanoCore 0x12ef6:$a: NanoCore 0x12f4f:$a: NanoCore 0x12f8c:$a: NanoCore 0x13005:$a: NanoCore 0x13621:$a: NanoCore 0x13674:$a: NanoCore 0x136ad:$a: NanoCore 0x13720:$a: NanoCore 0x1aa1a:$a: NanoCore 0x1aa2d:$a: NanoCore 0x1aa5f:$a: NanoCore 0x20735:$a: NanoCore 0x20748:$a: NanoCore 0x2077a:$a: NanoCore 0x2b217:$a: NanoCore 0x2b22b:$a: NanoCore 0x2b935:$a: NanoCore 0x2b9a2:$a: NanoCore 0x2ba15:$a: NanoCore 0x306f5:$a: NanoCore
Click to see the 47 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.2.dhcpmon.exe.423eac4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
19.2.dhcpmon.exe.423eac4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
19.2.dhcpmon.exe.423eac4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
10.3.doa8GHSloq.exe.421d4fe.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
10.3.doa8GHSloq.exe.421d4fe.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
18.2.doa8GHSloq.exe.3ceeac4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
18.2.doa8GHSloq.exe.3ceeac4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
18.2.doa8GHSloq.exe.3ceeac4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.3.doa8GHSloq.exe.4237555.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x3bd6:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
10.3.doa8GHSloq.exe.4237555.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x3bd6:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x3cb4:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost 0x3bf0:$s5: IClientLoggingHost
19.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
20.2.dhcpmon.exe.3ccc720.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.dhcpmon.exe.3ccc720.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
20.2.dhcpmon.exe.3ccc720.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.3ccc720.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
21.2.dhcpmon.exe.3663ac8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
21.2.dhcpmon.exe.3663ac8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
16.2.dhcpmon.exe.486d510.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xaf39d:$x1: NanoCore.ClientPluginHost 0xe1dbd:$x1: NanoCore.ClientPluginHost 0xaf3da:$x2: IClientNetworkHost 0xe1dfa:$x2: IClientNetworkHost 0xb2f0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe592d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.486d510.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.486d510.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xaf105:$a: NanoCore 0xaf115:$a: NanoCore 0xaf349:$a: NanoCore 0xaf35d:$a: NanoCore 0xaf39d:$a: NanoCore 0xe1b25:$a: NanoCore 0xe1b35:$a: NanoCore 0xe1d69:$a: NanoCore 0xe1d7d:$a: NanoCore 0xe1dbd:$a: NanoCore 0xaf164:$b: ClientPlugin 0xaf366:$b: ClientPlugin 0xaf3a6:$b: ClientPlugin 0xe1b84:$b: ClientPlugin 0xe1d86:$b: ClientPlugin 0xe1dc6:$b: ClientPlugin 0x182bd:$c: ProjectData 0xaf28b:$c: ProjectData 0xe1cab:$c: ProjectData 0xafc92:$d: DESCrypto 0xe26b2:$d: DESCrypto
18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28789:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287b6:$x2: IClientNetworkHost
18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28789:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29864:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287a3:$s5: IClientLoggingHost
18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.doa8GHSloq.exe.48ad510.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xaf39d:$x1: NanoCore.ClientPluginHost 0xe1dbd:$x1: NanoCore.ClientPluginHost 0xaf3da:$x2: IClientNetworkHost 0xe1dfa:$x2: IClientNetworkHost 0xb2f0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe592d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.doa8GHSloq.exe.48ad510.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.doa8GHSloq.exe.48ad510.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xaf105:$a: NanoCore 0xaf115:$a: NanoCore 0xaf349:$a: NanoCore 0xaf35d:$a: NanoCore 0xaf39d:$a: NanoCore 0xe1b25:$a: NanoCore 0xe1b35:$a: NanoCore 0xe1d69:$a: NanoCore 0xe1d7d:$a: NanoCore 0xe1dbd:$a: NanoCore 0xaf164:$b: ClientPlugin 0xaf366:$b: ClientPlugin 0xaf3a6:$b: ClientPlugin 0xe1b84:$b: ClientPlugin 0xe1d86:$b: ClientPlugin 0xe1dc6:$b: ClientPlugin 0x182bd:$c: ProjectData 0xaf28b:$c: ProjectData 0xe1cab:$c: ProjectData 0xafc92:$d: DESCrypto 0xe26b2:$d: DESCrypto
14.2.doa8GHSloq.exe.494c720.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.doa8GHSloq.exe.494c720.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
14.2.doa8GHSloq.exe.494c720.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.doa8GHSloq.exe.494c720.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.doa8GHSloq.exe.3b2c720.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.doa8GHSloq.exe.3b2c720.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.doa8GHSloq.exe.3b2c720.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.doa8GHSloq.exe.3b2c720.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.dhcpmon.exe.35f817c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
19.2.dhcpmon.exe.42430ed.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24160:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2418d:$x2: IClientNetworkHost
19.2.dhcpmon.exe.42430ed.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24160:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2523b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2417a:$s5: IClientLoggingHost
19.2.dhcpmon.exe.42430ed.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.doa8GHSloq.exe.281814c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5bf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5ec:$x2: IClientNetworkHost
18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5bf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e69a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5d9:$s5: IClientLoggingHost
18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d575:$a: NanoCore 0x2d58a:$a: NanoCore 0x2d5bf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d331:$b: ClientPlugin 0x2d34c:$b: ClientPlugin
19.2.dhcpmon.exe.4239c8e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5bf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5ec:$x2: IClientNetworkHost
19.2.dhcpmon.exe.4239c8e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5bf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e69a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5d9:$s5: IClientLoggingHost
19.2.dhcpmon.exe.4239c8e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dhcpmon.exe.4239c8e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d575:$a: NanoCore 0x2d58a:$a: NanoCore 0x2d5bf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d331:$b: ClientPlugin 0x2d34c:$b: ClientPlugin
20.2.dhcpmon.exe.3ccc720.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.dhcpmon.exe.3ccc720.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.dhcpmon.exe.3ccc720.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.3ccc720.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
18.2.doa8GHSloq.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.doa8GHSloq.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
18.2.doa8GHSloq.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.doa8GHSloq.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.dhcpmon.exe.4689c8e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5bf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5ec:$x2: IClientNetworkHost
21.2.dhcpmon.exe.4689c8e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5bf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e69a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5d9:$s5: IClientLoggingHost
21.2.dhcpmon.exe.4689c8e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.4689c8e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d575:$a: NanoCore 0x2d58a:$a: NanoCore 0x2d5bf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d331:$b: ClientPlugin 0x2d34c:$b: ClientPlugin
16.2.dhcpmon.exe.490c720.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.490c720.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
16.2.dhcpmon.exe.490c720.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.490c720.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
20.2.dhcpmon.exe.29b817c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
21.2.dhcpmon.exe.468eac4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28789:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287b6:$x2: IClientNetworkHost
21.2.dhcpmon.exe.468eac4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28789:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29864:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287a3:$s5: IClientLoggingHost
21.2.dhcpmon.exe.468eac4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.doa8GHSloq.exe.363814c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
21.2.dhcpmon.exe.46930ed.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24160:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2418d:$x2: IClientNetworkHost
21.2.dhcpmon.exe.46930ed.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24160:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2523b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2417a:$s5: IClientLoggingHost
21.2.dhcpmon.exe.46930ed.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.doa8GHSloq.exe.2cc38e0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
18.2.doa8GHSloq.exe.2cc38e0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.3.doa8GHSloq.exe.4237555.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x81d6:$x1: NanoCore.ClientPluginHost 0x11c42:$x1: NanoCore.ClientPluginHost 0x1c06d:$x1: NanoCore.ClientPluginHost 0x2704a:$x1: NanoCore.ClientPluginHost 0x32dec:$x1: NanoCore.ClientPluginHost 0x57cf0:$x1: NanoCore.ClientPluginHost 0x67130:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost 0x11d9f:$x2: IClientNetworkHost 0x1c0a6:$x2: IClientNetworkHost 0x27064:$x2: IClientNetworkHost 0x32e06:$x2: IClientNetworkHost 0x57d0a:$x2: IClientNetworkHost 0x6716d:$x2: IClientNetworkHost
10.3.doa8GHSloq.exe.4237555.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x81d6:$x2: NanoCore.ClientPluginHost 0x11c42:$x2: NanoCore.ClientPluginHost 0x1c06d:$x2: NanoCore.ClientPluginHost 0x2704a:$x2: NanoCore.ClientPluginHost 0x32dec:$x2: NanoCore.ClientPluginHost 0x57cf0:$x2: NanoCore.ClientPluginHost 0x67130:$x2: NanoCore.ClientPluginHost 0x12b98:$s3: PipeExists 0x2320:$s4: PipeCreated 0x82b4:$s4: PipeCreated 0x11e38:$s4: PipeCreated 0x1c1b8:$s4: PipeCreated 0x2807f:$s4: PipeCreated 0x34b97:$s4: PipeCreated 0x5b02d:$s4: PipeCreated 0x6a583:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost 0x81f0:$s5: IClientLoggingHost 0x11c5c:$s5: IClientLoggingHost 0x1c087:$s5: IClientLoggingHost
10.3.doa8GHSloq.exe.4237555.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2205:$a: NanoCore 0x227f:$a: NanoCore 0x6e1c:$a: NanoCore 0x81d6:$a: NanoCore 0x8220:$a: NanoCore 0x8e7a:$a: NanoCore 0x11c42:$a: NanoCore 0x11d2c:$a: NanoCore 0x12ba3:$a: NanoCore 0x1bd4d:$a: NanoCore 0x1bdae:$a: NanoCore 0x1bdf1:$a: NanoCore 0x1be31:$a: NanoCore 0x1c06d:$a: NanoCore 0x1c10d:$a: NanoCore 0x1c8e5:$a: NanoCore 0x1ced8:$a: NanoCore 0x1d029:$a: NanoCore 0x1de83:$a: NanoCore 0x1e0ea:$a: NanoCore 0x1e0ff:$a: NanoCore
19.2.dhcpmon.exe.423eac4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28789:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287b6:$x2: IClientNetworkHost
19.2.dhcpmon.exe.423eac4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28789:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29864:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287a3:$s5: IClientLoggingHost
19.2.dhcpmon.exe.423eac4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.dhcpmon.exe.3213ac8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
19.2.dhcpmon.exe.3213ac8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.doa8GHSloq.exe.494c720.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.doa8GHSloq.exe.494c720.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
14.2.doa8GHSloq.exe.494c720.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.doa8GHSloq.exe.494c720.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24160:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2418d:$x2: IClientNetworkHost
18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24160:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2523b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2417a:$s5: IClientLoggingHost
18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.468eac4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
21.2.dhcpmon.exe.468eac4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.468eac4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.3a52ee0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2899cd:$x1: NanoCore.ClientPluginHost 0x2bc3ed:$x1: NanoCore.ClientPluginHost 0x289a0a:$x2: IClientNetworkHost 0x2bc42a:$x2: IClientNetworkHost 0x28d53d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2bff5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.dhcpmon.exe.3a52ee0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.3a52ee0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x289735:$a: NanoCore 0x289745:$a: NanoCore 0x289979:$a: NanoCore 0x28998d:$a: NanoCore 0x2899cd:$a: NanoCore 0x2bc155:$a: NanoCore 0x2bc165:$a: NanoCore 0x2bc399:$a: NanoCore 0x2bc3ad:$a: NanoCore 0x2bc3ed:$a: NanoCore 0x289794:$b: ClientPlugin 0x289996:$b: ClientPlugin 0x2899d6:$b: ClientPlugin 0x2bc1b4:$b: ClientPlugin 0x2bc3b6:$b: ClientPlugin 0x2bc3f6:$b: ClientPlugin 0x182bd:$c: ProjectData 0x1f28ed:$c: ProjectData 0x2898bb:$c: ProjectData 0x2bc2db:$c: ProjectData 0x28a2c2:$d: DESCrypto
10.3.doa8GHSloq.exe.421d4fe.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d0e:$x1: NanoCore.ClientPluginHost 0x1c25c:$x1: NanoCore.ClientPluginHost 0x2222d:$x1: NanoCore.ClientPluginHost 0x2bc99:$x1: NanoCore.ClientPluginHost 0x360c4:$x1: NanoCore.ClientPluginHost 0x410a1:$x1: NanoCore.ClientPluginHost 0x4ce43:$x1: NanoCore.ClientPluginHost 0x71d47:$x1: NanoCore.ClientPluginHost 0x81187:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d47:$x2: IClientNetworkHost 0x1c295:$x2: IClientNetworkHost 0x2bdf6:$x2: IClientNetworkHost 0x360fd:$x2: IClientNetworkHost 0x410bb:$x2: IClientNetworkHost 0x4ce5d:$x2: IClientNetworkHost 0x71d61:$x2: IClientNetworkHost 0x811c4:$x2: IClientNetworkHost
10.3.doa8GHSloq.exe.421d4fe.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d0e:$x2: NanoCore.ClientPluginHost 0x1c25c:$x2: NanoCore.ClientPluginHost 0x2222d:$x2: NanoCore.ClientPluginHost 0x2bc99:$x2: NanoCore.ClientPluginHost 0x360c4:$x2: NanoCore.ClientPluginHost 0x410a1:$x2: NanoCore.ClientPluginHost 0x4ce43:$x2: NanoCore.ClientPluginHost 0x71d47:$x2: NanoCore.ClientPluginHost 0x81187:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x2cbef:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e2b:$s4: PipeCreated 0x1c377:$s4: PipeCreated 0x2230b:$s4: PipeCreated 0x2be8f:$s4: PipeCreated 0x3620f:$s4: PipeCreated 0x420d6:$s4: PipeCreated 0x4ebee:$s4: PipeCreated 0x75084:$s4: PipeCreated
10.3.doa8GHSloq.exe.421d4fe.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1c25c:$a: NanoCore 0x1c2d6:$a: NanoCore 0x20e73:$a: NanoCore 0x2222d:$a: NanoCore 0x22277:$a: NanoCore 0x22ed1:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
16.2.dhcpmon.exe.490c720.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.490c720.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.dhcpmon.exe.490c720.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.490c720.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.dhcpmon.exe.3c2d510.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xaf39d:$x1: NanoCore.ClientPluginHost 0xe1dbd:$x1: NanoCore.ClientPluginHost 0xaf3da:$x2: IClientNetworkHost 0xe1dfa:$x2: IClientNetworkHost 0xb2f0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe592d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.dhcpmon.exe.3c2d510.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.3c2d510.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xaf105:$a: NanoCore 0xaf115:$a: NanoCore 0xaf349:$a: NanoCore 0xaf35d:$a: NanoCore 0xaf39d:$a: NanoCore 0xe1b25:$a: NanoCore 0xe1b35:$a: NanoCore 0xe1d69:$a: NanoCore 0xe1d7d:$a: NanoCore 0xe1dbd:$a: NanoCore 0xaf164:$b: ClientPlugin 0xaf366:$b: ClientPlugin 0xaf3a6:$b: ClientPlugin 0xe1b84:$b: ClientPlugin 0xe1d86:$b: ClientPlugin 0xe1dc6:$b: ClientPlugin 0x182bd:$c: ProjectData 0xaf28b:$c: ProjectData 0xe1cab:$c: ProjectData 0xafc92:$d: DESCrypto 0xe26b2:$d: DESCrypto
0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xaf39d:$x1: NanoCore.ClientPluginHost 0xe1dbd:$x1: NanoCore.ClientPluginHost 0xaf3da:$x2: IClientNetworkHost 0xe1dfa:$x2: IClientNetworkHost 0xb2f0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe592d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xaf105:$a: NanoCore 0xaf115:$a: NanoCore 0xaf349:$a: NanoCore 0xaf35d:$a: NanoCore 0xaf39d:$a: NanoCore 0xe1b25:$a: NanoCore 0xe1b35:$a: NanoCore 0xe1d69:$a: NanoCore 0xe1d7d:$a: NanoCore 0xe1dbd:$a: NanoCore 0xaf164:$b: ClientPlugin 0xaf366:$b: ClientPlugin 0xaf3a6:$b: ClientPlugin 0xe1b84:$b: ClientPlugin 0xe1d86:$b: ClientPlugin 0xe1dc6:$b: ClientPlugin 0x182bd:$c: ProjectData 0xaf28b:$c: ProjectData 0xe1cab:$c: ProjectData 0xafc92:$d: DESCrypto 0xe26b2:$d: DESCrypto
10.3.doa8GHSloq.exe.4231b29.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x7c31:$x1: NanoCore.ClientPluginHost 0xdc02:$x1: NanoCore.ClientPluginHost 0x1766e:$x1: NanoCore.ClientPluginHost 0x21a99:$x1: NanoCore.ClientPluginHost 0x2ca76:$x1: NanoCore.ClientPluginHost 0x38818:$x1: NanoCore.ClientPluginHost 0x5d71c:$x1: NanoCore.ClientPluginHost 0x6cb5c:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0x7c6a:$x2: IClientNetworkHost 0x177cb:$x2: IClientNetworkHost 0x21ad2:$x2: IClientNetworkHost 0x2ca90:$x2: IClientNetworkHost 0x38832:$x2: IClientNetworkHost 0x5d736:$x2: IClientNetworkHost 0x6cb99:$x2: IClientNetworkHost
10.3.doa8GHSloq.exe.4231b29.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x7c31:$x2: NanoCore.ClientPluginHost 0xdc02:$x2: NanoCore.ClientPluginHost 0x1766e:$x2: NanoCore.ClientPluginHost 0x21a99:$x2: NanoCore.ClientPluginHost 0x2ca76:$x2: NanoCore.ClientPluginHost 0x38818:$x2: NanoCore.ClientPluginHost 0x5d71c:$x2: NanoCore.ClientPluginHost 0x6cb5c:$x2: NanoCore.ClientPluginHost 0x185c4:$s3: PipeExists 0x1800:$s4: PipeCreated 0x7d4c:$s4: PipeCreated 0xdce0:$s4: PipeCreated 0x17864:$s4: PipeCreated 0x21be4:$s4: PipeCreated 0x2daab:$s4: PipeCreated 0x3a5c3:$s4: PipeCreated 0x60a59:$s4: PipeCreated 0x6ffaf:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0x7c4b:$s5: IClientLoggingHost
10.3.doa8GHSloq.exe.4231b29.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0x7c31:$a: NanoCore 0x7cab:$a: NanoCore 0xc848:$a: NanoCore 0xdc02:$a: NanoCore 0xdc4c:$a: NanoCore 0xe8a6:$a: NanoCore 0x1766e:$a: NanoCore 0x17758:$a: NanoCore 0x185cf:$a: NanoCore 0x21779:$a: NanoCore 0x217da:$a: NanoCore
14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2899cd:$x1: NanoCore.ClientPluginHost 0x2bc3ed:$x1: NanoCore.ClientPluginHost 0x289a0a:$x2: IClientNetworkHost 0x2bc42a:$x2: IClientNetworkHost 0x28d53d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2bff5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x289735:$a: NanoCore 0x289745:$a: NanoCore 0x289979:$a: NanoCore 0x28998d:$a: NanoCore 0x2899cd:$a: NanoCore 0x2bc155:$a: NanoCore 0x2bc165:$a: NanoCore 0x2bc399:$a: NanoCore 0x2bc3ad:$a: NanoCore 0x2bc3ed:$a: NanoCore 0x289794:$b: ClientPlugin 0x289996:$b: ClientPlugin 0x2899d6:$b: ClientPlugin 0x2bc1b4:$b: ClientPlugin 0x2bc3b6:$b: ClientPlugin 0x2bc3f6:$b: ClientPlugin 0x182bd:$c: ProjectData 0x1f28ed:$c: ProjectData 0x2898bb:$c: ProjectData 0x2bc2db:$c: ProjectData 0x28a2c2:$d: DESCrypto
16.2.dhcpmon.exe.4692ee0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2899cd:$x1: NanoCore.ClientPluginHost 0x2bc3ed:$x1: NanoCore.ClientPluginHost 0x289a0a:$x2: IClientNetworkHost 0x2bc42a:$x2: IClientNetworkHost 0x28d53d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2bff5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.4692ee0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.4692ee0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x289735:$a: NanoCore 0x289745:$a: NanoCore 0x289979:$a: NanoCore 0x28998d:$a: NanoCore 0x2899cd:$a: NanoCore 0x2bc155:$a: NanoCore 0x2bc165:$a: NanoCore 0x2bc399:$a: NanoCore 0x2bc3ad:$a: NanoCore 0x2bc3ed:$a: NanoCore 0x289794:$b: ClientPlugin 0x289996:$b: ClientPlugin 0x2899d6:$b: ClientPlugin 0x2bc1b4:$b: ClientPlugin 0x2bc3b6:$b: ClientPlugin 0x2bc3f6:$b: ClientPlugin 0x182bd:$c: ProjectData 0x1f28ed:$c: ProjectData 0x2898bb:$c: ProjectData 0x2bc2db:$c: ProjectData 0x28a2c2:$d: DESCrypto
0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2899cd:$x1: NanoCore.ClientPluginHost 0x2bc3ed:$x1: NanoCore.ClientPluginHost 0x289a0a:$x2: IClientNetworkHost 0x2bc42a:$x2: IClientNetworkHost 0x28d53d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2bff5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x289735:$a: NanoCore 0x289745:$a: NanoCore 0x289979:$a: NanoCore 0x28998d:$a: NanoCore 0x2899cd:$a: NanoCore 0x2bc155:$a: NanoCore 0x2bc165:$a: NanoCore 0x2bc399:$a: NanoCore 0x2bc3ad:$a: NanoCore 0x2bc3ed:$a: NanoCore 0x289794:$b: ClientPlugin 0x289996:$b: ClientPlugin 0x2899d6:$b: ClientPlugin 0x2bc1b4:$b: ClientPlugin 0x2bc3b6:$b: ClientPlugin 0x2bc3f6:$b: ClientPlugin 0x182bd:$c: ProjectData 0x1f28ed:$c: ProjectData 0x2898bb:$c: ProjectData 0x2bc2db:$c: ProjectData 0x28a2c2:$d: DESCrypto
Click to see the 125 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\doa8GHSloq.exe, ProcessId: 4820, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\doa8GHSloq.exe, ProcessId: 4820, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\doa8GHSloq.exe, ProcessId: 4820, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\doa8GHSloq.exe, ProcessId: 4820, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b4ede67b-be7e-44fd-9e96-0c0f6d15", "Group": "Default", "Domain1": "watermalon1.sytes.net", "Domain2": "", "Port": 2010, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ceeac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.42430ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.468eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.46930ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.468eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: doa8GHSloq.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Source: 19.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.doa8GHSloq.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: doa8GHSloq.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\doa8GHSloq.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: doa8GHSloq.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 4x nop then jmp 052D2606h	0_2_052D2568
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 4x nop then jmp 052D2606h	0_2_052D25CA
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 4x nop then jmp 05FE2606h	14_2_05FE2568
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then jmp 06BF2606h	16_2_06BF2568
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then jmp 05882606h	20_2_05882568

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49783 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49795 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49797 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49798 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49799 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49800 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49815 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49827 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49828 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49829 -> 37.0.10.144:2010
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49830 -> 37.0.10.144:2010

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: watermalon1.sytes.net

Source: Joe Sandbox View

ASN Name: WKD-ASIE WKD-ASIE

Source: global traffic

TCP traffic: 192.168.2.3:49740 -> 37.0.10.144:2010

Source: doa8GHSloq.exe, 00000000.00000003.282939049.0000000004CE2000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC.
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comn-uB
Source: doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comold
Source: doa8GHSloq.exe, 00000000.00000002.308356888.00000000058D0000.00000004.00020000.sdmp, doa8GHSloq.exe, 0000000E.00000002.331090884.0000000005D10000.00000004.00020000.sdmp, dhcpmon.exe, 00000010.00000002.336182412.00000000058A0000.00000004.00020000.sdmp, dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: doa8GHSloq.exe, 00000000.00000003.304111800.0000000004CE0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: doa8GHSloq.exe, 00000000.00000003.290626441.0000000004D0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: doa8GHSloq.exe, 00000000.00000003.290270148.0000000004D0E000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: doa8GHSloq.exe, 00000000.00000003.304111800.0000000004CE0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comS
Source: doa8GHSloq.exe, 00000000.00000003.290604147.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdh
Source: doa8GHSloq.exe, 00000000.00000003.290604147.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comdw
Source: doa8GHSloq.exe, 00000000.00000003.304111800.0000000004CE0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comt
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: doa8GHSloq.exe, 00000000.00000003.284469174.0000000004CE2000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000003.284115409.0000000004CE9000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: doa8GHSloq.exe, 00000000.00000003.292887688.0000000004D0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmFwaQ
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/&
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: doa8GHSloq.exe, 00000000.00000003.285986174.0000000004CEF000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: doa8GHSloq.exe, 00000000.00000003.285986174.0000000004CEF000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0et
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/fi-fZ
Source: doa8GHSloq.exe, 00000000.00000003.285986174.0000000004CEF000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/M
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
Source: doa8GHSloq.exe, 00000000.00000003.286357383.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/w
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/tali
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/~
Source: doa8GHSloq.exe, 00000000.00000003.295742422.0000000004CE2000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: doa8GHSloq.exe, 00000000.00000003.281737832.0000000004CFB000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: doa8GHSloq.exe, 00000000.00000003.281737832.0000000004CFB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comauT
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: doa8GHSloq.exe, 00000000.00000003.284641592.0000000004D1D000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com8
Source: doa8GHSloq.exe, 00000000.00000003.284641592.0000000004D1D000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comY
Source: doa8GHSloq.exe, 00000000.00000003.285080083.0000000004CF0000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comlic
Source: doa8GHSloq.exe, 00000000.00000003.285080083.0000000004CF0000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comslnt8
Source: doa8GHSloq.exe, 00000000.00000003.284641592.0000000004D1D000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comw
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: watermalon1.sytes.net

Source: doa8GHSloq.exe, 00000000.00000002.305345383.00000000009BA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: doa8GHSloq.exe, 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ceeac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.42430ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.468eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.46930ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.468eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.423eac4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.3.doa8GHSloq.exe.421d4fe.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.doa8GHSloq.exe.3ceeac4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.3.doa8GHSloq.exe.4237555.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.3663ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.42430ed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.dhcpmon.exe.468eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.46930ed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.doa8GHSloq.exe.2cc38e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.3.doa8GHSloq.exe.4237555.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.3.doa8GHSloq.exe.4237555.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.dhcpmon.exe.423eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.dhcpmon.exe.3213ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.dhcpmon.exe.468eac4.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.3.doa8GHSloq.exe.421d4fe.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.3.doa8GHSloq.exe.421d4fe.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.3.doa8GHSloq.exe.4231b29.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.3.doa8GHSloq.exe.4231b29.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: doa8GHSloq.exe PID: 4820, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: doa8GHSloq.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.423eac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.423eac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.3.doa8GHSloq.exe.421d4fe.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.3.doa8GHSloq.exe.421d4fe.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.doa8GHSloq.exe.3ceeac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.doa8GHSloq.exe.3ceeac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.doa8GHSloq.exe.4237555.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.3.doa8GHSloq.exe.4237555.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.dhcpmon.exe.3663ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.3663ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.42430ed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.42430ed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.dhcpmon.exe.468eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.468eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.46930ed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.46930ed.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.doa8GHSloq.exe.2cc38e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.doa8GHSloq.exe.2cc38e0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.doa8GHSloq.exe.4237555.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.3.doa8GHSloq.exe.4237555.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.doa8GHSloq.exe.4237555.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.dhcpmon.exe.423eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.423eac4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.dhcpmon.exe.3213ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.dhcpmon.exe.3213ac8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.dhcpmon.exe.468eac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.dhcpmon.exe.468eac4.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.3.doa8GHSloq.exe.421d4fe.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.3.doa8GHSloq.exe.421d4fe.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.doa8GHSloq.exe.421d4fe.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.3.doa8GHSloq.exe.4231b29.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.3.doa8GHSloq.exe.4231b29.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 10.3.doa8GHSloq.exe.4231b29.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: doa8GHSloq.exe PID: 4820, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F1C10	0_2_049F1C10
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F9840	0_2_049F9840
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F12A9	0_2_049F12A9
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F0B48	0_2_049F0B48
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F0099	0_2_049F0099
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4499	0_2_049F4499
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F8490	0_2_049F8490
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4831	0_2_049F4831
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049FA85C	0_2_049FA85C
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4840	0_2_049F4840
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4988	0_2_049F4988
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F7D88	0_2_049F7D88
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F7D87	0_2_049F7D87
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F89D8	0_2_049F89D8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F71D0	0_2_049F71D0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F35D0	0_2_049F35D0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F89CA	0_2_049F89CA
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F71C1	0_2_049F71C1
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F41F8	0_2_049F41F8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4978	0_2_049F4978
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F0AB0	0_2_049F0AB0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049FA610	0_2_049FA610
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4208	0_2_049F4208
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049FA620	0_2_049FA620
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F77B8	0_2_049F77B8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F37B0	0_2_049F37B0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4BD8	0_2_049F4BD8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F4BC8	0_2_049F4BC8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F8BC8	0_2_049F8BC8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F37C0	0_2_049F37C0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F775A	0_2_049F775A
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F6B70	0_2_049F6B70
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F6B60	0_2_049F6B60
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_052D04E9	0_2_052D04E9
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05811C20	14_2_05811C20
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05819840	14_2_05819840
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05810B48	14_2_05810B48
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058112B8	14_2_058112B8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05817D88	14_2_05817D88
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814988	14_2_05814988
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058171C1	14_2_058171C1
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058189CB	14_2_058189CB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058171D0	14_2_058171D0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058135D0	14_2_058135D0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058189D8	14_2_058189D8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058135E0	14_2_058135E0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058141F8	14_2_058141F8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05817D53	14_2_05817D53
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814979	14_2_05814979
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05810099	14_2_05810099
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_0581449B	14_2_0581449B
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058144A8	14_2_058144A8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058100A8	14_2_058100A8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05811C10	14_2_05811C10
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814831	14_2_05814831
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814840	14_2_05814840
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_0581A857	14_2_0581A857
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058177A8	14_2_058177A8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058137B0	14_2_058137B0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058177B8	14_2_058177B8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058137C0	14_2_058137C0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814BC8	14_2_05814BC8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814BD8	14_2_05814BD8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_0581773B	14_2_0581773B
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05816B60	14_2_05816B60
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05816B70	14_2_05816B70
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_058112AB	14_2_058112AB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05810AB0	14_2_05810AB0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05814208	14_2_05814208
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_0581A610	14_2_0581A610
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_0581A620	14_2_0581A620
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05FE04EA	14_2_05FE04EA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03260B48	16_2_03260B48
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032612B8	16_2_032612B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03261C20	16_2_03261C20
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03269840	16_2_03269840
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_0326772A	16_2_0326772A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03266B70	16_2_03266B70
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032677A8	16_2_032677A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032637B0	16_2_032637B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032677B8	16_2_032677B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032637C0	16_2_032637C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264BC8	16_2_03264BC8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264BD8	16_2_03264BD8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_0326A620	16_2_0326A620
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264208	16_2_03264208
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_0326A610	16_2_0326A610
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03260A4C	16_2_03260A4C
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032612AA	16_2_032612AA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03260AB0	16_2_03260AB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264979	16_2_03264979
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03267D50	16_2_03267D50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03267D88	16_2_03267D88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264988	16_2_03264988
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032635E0	16_2_032635E0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032641F8	16_2_032641F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032671C1	16_2_032671C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032689CA	16_2_032689CA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032671D0	16_2_032671D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032635D0	16_2_032635D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032689D8	16_2_032689D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264831	16_2_03264831
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03261C10	16_2_03261C10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03264840	16_2_03264840
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_0326A857	16_2_0326A857
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032644A8	16_2_032644A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_032600A8	16_2_032600A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_0326449A	16_2_0326449A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03260099	16_2_03260099
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_06BF04E9	16_2_06BF04E9
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_04EE2FA8	18_2_04EE2FA8
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_04EE23A0	18_2_04EE23A0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_04EE306F	18_2_04EE306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_02C82FA8	19_2_02C82FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_02C823A0	19_2_02C823A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_02C83850	19_2_02C83850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 19_2_02C8306F	19_2_02C8306F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC1C10	20_2_04BC1C10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC9840	20_2_04BC9840
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC12AA	20_2_04BC12AA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC0B48	20_2_04BC0B48
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC0099	20_2_04BC0099
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC449A	20_2_04BC449A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC8490	20_2_04BC8490
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4831	20_2_04BC4831
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BCA857	20_2_04BCA857
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4840	20_2_04BC4840
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4988	20_2_04BC4988
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC7D88	20_2_04BC7D88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC41F8	20_2_04BC41F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC89D8	20_2_04BC89D8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC71D0	20_2_04BC71D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC35D0	20_2_04BC35D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC89CA	20_2_04BC89CA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC71C1	20_2_04BC71C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC7D78	20_2_04BC7D78
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4979	20_2_04BC4979
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC0AB0	20_2_04BC0AB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BCA620	20_2_04BCA620
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BCA610	20_2_04BCA610
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4208	20_2_04BC4208
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC77B8	20_2_04BC77B8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC37B0	20_2_04BC37B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC77A8	20_2_04BC77A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4BD8	20_2_04BC4BD8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC4BC8	20_2_04BC4BC8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC37C0	20_2_04BC37C0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC6B70	20_2_04BC6B70
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC6B60	20_2_04BC6B60
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_04BC7756	20_2_04BC7756
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 20_2_058804EA	20_2_058804EA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_057B3850	21_2_057B3850
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_057B2FA8	21_2_057B2FA8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_057B23A0	21_2_057B23A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_057B306F	21_2_057B306F

Source: doa8GHSloq.exe, 00000000.00000002.308356888.00000000058D0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameTaskNode.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000000.00000002.305345383.00000000009BA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000000.00000000.280232021.000000000023C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000000.00000002.308456105.00000000059A0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000009.00000000.302653222.000000000036C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000A.00000000.303527814.000000000073C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000E.00000002.331090884.0000000005D10000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameTaskNode.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000E.00000000.314793914.000000000105C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 0000000E.00000002.331122001.0000000005D30000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000012.00000000.324530237.00000000005CC000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe, 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs doa8GHSloq.exe
Source: doa8GHSloq.exe	Binary or memory string: OriginalFilenameICompatibleFrameworksMetadataEnt.exe8 vs doa8GHSloq.exe

Source: doa8GHSloq.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dhcpmon.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\doa8GHSloq.exe

File read: C:\Users\user\Desktop\doa8GHSloq.exe

Jump to behavior

Source: doa8GHSloq.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\doa8GHSloq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\doa8GHSloq.exe 'C:\Users\user\Desktop\doa8GHSloq.exe'
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA5BD.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC94.tmp'
Source: unknown	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA5BD.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC94.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_04BB035A AdjustTokenPrivileges,		0_2_04BB035A
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_04BB0323 AdjustTokenPrivileges,		0_2_04BB0323

Source: C:\Users\user\Desktop\doa8GHSloq.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\doa8GHSloq.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA5BD.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/9@20/2

Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior

Source: doa8GHSloq

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3912:120:WilError_01
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b4ede67b-be7e-44fd-9e96-0c0f6d15978b}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4248:120:WilError_01

Source: C:\Users\user\Desktop\doa8GHSloq.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\doa8GHSloq.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: doa8GHSloq.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: doa8GHSloq.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_0017443B push ecx; iretd	0_2_0017443F
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_00172050 push 42EEF92Dh; iretd	0_2_0017206D
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_001763D6 push edx; iretd	0_2_001763EB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2B81 push eax; ret	0_2_008F2B82
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F29B9 push edi; ret	0_2_008F29BA
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2EB9 push edi; ret	0_2_008F2EBA
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2CE0 push eax; ret	0_2_008F2CE2
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2A25 push edi; ret	0_2_008F2A26
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2D35 push eax; ret	0_2_008F2D36
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2E34 push eax; ret	0_2_008F2E42
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2E54 push eax; ret	0_2_008F2E5A
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_008F2A6C push ecx; ret	0_2_008F2A6E
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_00907200 push eax; ret	0_2_00907201
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 0_2_049F5215 push eax; ret	0_2_049F5216
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 9_2_002A443B push ecx; iretd	9_2_002A443F
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 9_2_002A2050 push 42EEF92Dh; iretd	9_2_002A206D
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 9_2_002A63D6 push edx; iretd	9_2_002A63EB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_00F963D6 push edx; iretd	14_2_00F963EB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_00F92050 push 42EEF92Dh; iretd	14_2_00F9206D
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_00F9443B push ecx; iretd	14_2_00F9443F
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 14_2_05815215 push eax; ret	14_2_05815216
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_00D563D6 push edx; iretd	16_2_00D563EB
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_00D52050 push 42EEF92Dh; iretd	16_2_00D5206D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_00D5443B push ecx; iretd	16_2_00D5443F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_03265215 push eax; ret	16_2_03265216
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 16_2_06BF275B push es; ret	16_2_06BF275C
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_00502050 push 42EEF92Dh; iretd	18_2_0050206D
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_0050443B push ecx; iretd	18_2_0050443F
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_005063D6 push edx; iretd	18_2_005063EB
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_00DC2DD9 push edi; ret	18_2_00DC2DDA
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Code function: 18_2_00DC2DCD push edi; ret	18_2_00DC2DCE

Source: initial sample	Static PE information: section name: .text entropy: 7.83365535264
Source: initial sample	Static PE information: section name: .text entropy: 7.83365535264

Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 18.2.doa8GHSloq.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 21.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\doa8GHSloq.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\doa8GHSloq.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA5BD.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\doa8GHSloq.exe

File opened: C:\Users\user\Desktop\doa8GHSloq.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 16.2.dhcpmon.exe.35f817c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.281814c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.29b817c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.363814c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.306901830.0000000002811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.331777167.00000000035F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.326343099.0000000003631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doa8GHSloq.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: doa8GHSloq.exe PID: 3860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6520, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: doa8GHSloq.exe, 00000000.00000002.306901830.0000000002811000.00000004.00000001.sdmp, doa8GHSloq.exe, 0000000E.00000002.326343099.0000000003631000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.331777167.00000000035F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: doa8GHSloq.exe, 00000000.00000002.306901830.0000000002811000.00000004.00000001.sdmp, doa8GHSloq.exe, 0000000E.00000002.326343099.0000000003631000.00000004.00000001.sdmp, dhcpmon.exe, 00000010.00000002.331777167.00000000035F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6308	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6308	Thread sleep count: 194 > 30	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6308	Thread sleep count: 277 > 30	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6308	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6220	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 5568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6212	Thread sleep time: -43068s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5392	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe TID: 6548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4628	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6612	Thread sleep time: -41560s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5684	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6620	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Window / User API: foregroundWindowGot 669			Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Window / User API: foregroundWindowGot 663			Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 43068	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 41560	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: doa8GHSloq.exe, 0000000A.00000003.449409834.0000000000DE6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Memory written: C:\Users\user\Desktop\doa8GHSloq.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Memory written: C:\Users\user\Desktop\doa8GHSloq.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA5BD.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC94.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Process created: C:\Users\user\Desktop\doa8GHSloq.exe C:\Users\user\Desktop\doa8GHSloq.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: doa8GHSloq.exe, 0000000A.00000003.449341719.0000000000E19000.00000004.00000001.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doa8GHSloq.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\doa8GHSloq.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ceeac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.42430ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.468eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.46930ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.468eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: doa8GHSloq.exe, 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: doa8GHSloq.exe, 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.423eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3b2c720.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ceeac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3ccc720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.486d510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ceeac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.48ad510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.494c720.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3b2c720.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.42430ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3ce9c8e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.4239c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3ccc720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.4689c8e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.490c720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.468eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.46930ed.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.dhcpmon.exe.423eac4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.494c720.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.doa8GHSloq.exe.3cf30ed.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.468eac4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3a52ee0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.490c720.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.3c2d510.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.3a8d510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.doa8GHSloq.exe.46d2ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.4692ee0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doa8GHSloq.exe.38b2ee0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doa8GHSloq.exe PID: 5356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4140, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Masquerading2	Input Capture21	Security Software Discovery11	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Scheduled Task/Job1	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Access Token Manipulation1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection112	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Obfuscated Files or Information3	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Software Packing13	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
doa8GHSloq.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
19.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.2.dhcpmon.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
18.2.doa8GHSloq.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com8	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/M	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/tali	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/~	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htmFwaQ	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/4	0%	URL Reputation	safe
watermalon1.sytes.net	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/h	0%	URL Reputation	safe
http://www.carterandcone.comold	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.carterandcone.comTC.	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/&	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/fi-fZ	0%	Avira URL Cloud	safe
http://www.tiro.comw	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/S	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0et	0%	Avira URL Cloud	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.fontbureau.comS	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/M	0%	URL Reputation	safe
http://www.fontbureau.comdw	0%	Avira URL Cloud	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.sajatypeworks.comauT	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/w	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/?	0%	URL Reputation	safe
http://www.carterandcone.comn-uB	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comdh	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/w	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.tiro.comY	0%	Avira URL Cloud	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.fontbureau.comt	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/h	0%	URL Reputation	safe
http://www.tiro.comslnt8	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/d	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/a	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
watermalon1.sytes.net	37.0.10.144	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
watermalon1.sytes.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com8	doa8GHSloq.exe, 00000000.00000003.284641592.0000000004D1D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/M	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/tali	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://google.com	doa8GHSloq.exe, 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp	false		high
http://www.carterandcone.com	doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.collada.org/2005/11/COLLADASchema9Done	doa8GHSloq.exe, 00000000.00000002.308356888.00000000058D0000.00000004.00020000.sdmp, doa8GHSloq.exe, 0000000E.00000002.331090884.0000000005D10000.00000004.00020000.sdmp, dhcpmon.exe, 00000010.00000002.336182412.00000000058A0000.00000004.00020000.sdmp, dhcpmon.exe, 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/~	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	doa8GHSloq.exe, 00000000.00000003.281737832.0000000004CFB000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmFwaQ	doa8GHSloq.exe, 00000000.00000003.292887688.0000000004D0E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	doa8GHSloq.exe, 00000000.00000003.282939049.0000000004CE2000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/4	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/h	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comold	doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comTC.	doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/&	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/fi-fZ	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	doa8GHSloq.exe, 00000000.00000003.304111800.0000000004CE0000.00000004.00000001.sdmp	false		high
http://www.tiro.comw	doa8GHSloq.exe, 00000000.00000003.284641592.0000000004D1D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/S	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0et	doa8GHSloq.exe, 00000000.00000003.285986174.0000000004CEF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comTC	doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comS	doa8GHSloq.exe, 00000000.00000003.304111800.0000000004CE0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/M	doa8GHSloq.exe, 00000000.00000003.285986174.0000000004CEF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdw	doa8GHSloq.exe, 00000000.00000003.290604147.0000000004CED000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comlic	doa8GHSloq.exe, 00000000.00000003.285080083.0000000004CF0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.comauT	doa8GHSloq.exe, 00000000.00000003.281737832.0000000004CFB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/w	doa8GHSloq.exe, 00000000.00000003.286357383.0000000004CED000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/?	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comn-uB	doa8GHSloq.exe, 00000000.00000003.285253893.0000000004CE2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdh	doa8GHSloq.exe, 00000000.00000003.290604147.0000000004CED000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/w	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	doa8GHSloq.exe, 00000000.00000003.284469174.0000000004CE2000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000003.284115409.0000000004CE9000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	doa8GHSloq.exe, 00000000.00000003.290270148.0000000004D0E000.00000004.00000001.sdmp, doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false		high
http://www.tiro.comY	doa8GHSloq.exe, 00000000.00000003.284641592.0000000004D1D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.html	doa8GHSloq.exe, 00000000.00000003.290626441.0000000004D0D000.00000004.00000001.sdmp	false		high
http://www.monotype.	doa8GHSloq.exe, 00000000.00000003.295742422.0000000004CE2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comt	doa8GHSloq.exe, 00000000.00000003.304111800.0000000004CE0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	doa8GHSloq.exe, 00000000.00000002.308043937.0000000004EF2000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/h	doa8GHSloq.exe, 00000000.00000003.285986174.0000000004CEF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.comslnt8	doa8GHSloq.exe, 00000000.00000003.285080083.0000000004CF0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/d	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/a	doa8GHSloq.exe, 00000000.00000003.286771952.0000000004CED000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.0.10.144	watermalon1.sytes.net	Netherlands		198301	WKD-ASIE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	508792
Start date:	25.10.2021
Start time:	16:09:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	doa8GHSloq (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/9@20/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 14% (good quality ratio 9.1%) Quality average: 40.7% Quality standard deviation: 36.1%
HCA Information:	Successful, ratio: 97% Number of executed functions: 607 Number of non-executed functions: 27
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.209.183, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/508792/sample/doa8GHSloq.exe

Simulations

Behavior and APIs

Time	Type	Description
16:10:40	API Interceptor	871x Sleep call for process: doa8GHSloq.exe modified
16:10:44	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
16:10:47	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\doa8GHSloq.exe" s>$(Arg0)
16:10:49	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
16:10:52	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
watermalon1.sytes.net	EDG.exe	Get hash	malicious	Browse	103.125.189.85

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
WKD-ASIE	OPEN_2021-10-25_09-58.exe	Get hash	malicious	Browse	37.0.10.118
	CV.exe	Get hash	malicious	Browse	37.0.10.22
	Debitnote-s3update.exe	Get hash	malicious	Browse	37.0.10.22
	SKypfeGItc.exe	Get hash	malicious	Browse	37.0.10.190
	Purchase Order.exe	Get hash	malicious	Browse	37.0.10.22
	HBC.exe	Get hash	malicious	Browse	37.0.10.15
	85QKQNr7mm.xlsx	Get hash	malicious	Browse	37.0.10.15
	AB948F038175411DC326A1AAD83DF48D6B65632501551.exe	Get hash	malicious	Browse	37.0.8.235
	FC2E04D392AB5E508FDF6C90CE456BFD0AF6DEF1F10A2.exe	Get hash	malicious	Browse	37.0.10.214
	3qZB2fO4lG.exe	Get hash	malicious	Browse	37.0.8.193
	365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe	Get hash	malicious	Browse	37.0.11.8
	CQUOTATION REQUEST4.scr.exe	Get hash	malicious	Browse	37.0.10.252
	gy6JsH7kJx.exe	Get hash	malicious	Browse	37.0.10.225
	About company.doc	Get hash	malicious	Browse	37.0.10.225
	SecuriteInfo.com.Virus.Win32.Save.a.26327.exe	Get hash	malicious	Browse	37.0.10.225
	ifCgoV9Ykq.exe	Get hash	malicious	Browse	37.0.10.225
	Agent_UDPRat.exe	Get hash	malicious	Browse	37.0.11.171
	Agent_UDPRat.exe	Get hash	malicious	Browse	37.0.11.171
	Order.exe	Get hash	malicious	Browse	37.0.10.22
	Order.exe	Get hash	malicious	Browse	37.0.10.22

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\Desktop\doa8GHSloq.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	823808
Entropy (8bit):	7.825510973865646
Encrypted:	false
SSDEEP:	12288:JANTdXQBp9LbKV16MeEDyW89RQWQgZ8Wd9f8RWcz+nXUJHP4m9XQ6+0/l:iTdXQBjSeEDyWwLQO39URWL
MD5:	F85CA66E06121EB29B26D78CC3F64554
SHA1:	141BC2598B79D80BB3CEDA6FE98C49AB7C694DD8
SHA-256:	2483D6141D48F387AAD22F1BEC5C45945BCA933EB35BA13D6FF65A46B8720885
SHA-512:	53A9CAAD2DF5549538085EBAE5427634B841398FC794502FD0B3D6E3F39313D1A738C34EC95AD47F4B37C61045B8E04CDD3339EED6EDEEB5C0F91ED7C4E56FD7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ua................................. ........@.. ....................................@.................................d...W.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......0...4...............`.............................................!3..,...&.z..+...AC.w.h-..B.$.57/1.G.1.^E..S.bn.vC.u...wH.s.......bN!U.\|..:..0.>..l.J.5f.G..D..r....1........M.B........K......\|=.,..g...1.b......v..V?.....O..}.dz.\....A.l0...H.......G...9V6p.c...Z......Fo..}..kN....1..m..T.......Se%\".wC(a..M..V.W.H.........z,...D.J..F..q.......1.Cb.#.e.0,..B8.F02........q+.x.#.]..0.H..w..=s..<...o'.Y.U..9@.v{...k..FE%]:.~...bd...Yc.....U.a

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\doa8GHSloq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\doa8GHSloq.exe.log Download File
Process:	C:\Users\user\Desktop\doa8GHSloq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Reputation:	unknown
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpAC94.tmp Download File
Process:	C:\Users\user\Desktop\doa8GHSloq.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\doa8GHSloq.exe
File Type:	data
Category:	modified
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Reputation:	unknown
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\doa8GHSloq.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:I8:I8
MD5:	E17438243D171CBD003AEF62A1CB4247
SHA1:	98F4323EDEAD9F3D1B8915669A7D782C620DF4DB
SHA-256:	A9A86D410BCD1CDC68D150F01C9EBD89687F43493C9B43731119DF01741DFF77
SHA-512:	6E91CE19E77F1463A4A8F3634F0D6B360BCD51EC4767FB5F982C7BA38CB8D2B19B93F03C039DACF39D869D9673D7B68BBBB9B26F486807D09B7E965AB0CA29D3
Malicious:	true
Reputation:	unknown
Preview:	.......H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\doa8GHSloq.exe
File Type:	data
Category:	dropped
Size (bytes):	426840
Entropy (8bit):	7.999608491116724
Encrypted:	true
SSDEEP:	12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
MD5:	963D5E2C9C0008DFF05518B47C367A7F
SHA1:	C183D601FABBC9AC8FBFA0A0937DECC677535E74
SHA-256:	5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
SHA-512:	0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
Malicious:	false
Reputation:	unknown
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\doa8GHSloq.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.357837824971466
Encrypted:	false
SSDEEP:	3:oNWXp5vBK4JP0C:oNWXpF8EsC
MD5:	2EBF6D6EA84DE2782525A8EF80DCE065
SHA1:	5621AD39CB47B3E548BBC07CBD04D292D2C2AF46
SHA-256:	874B80E173A64CC41894A257147983666F52EB467E6DE3ED535A6A95D31A1EB8
SHA-512:	E96E402132CA8C0059CDE12ED7D3FFEF3F471C3D71AC7A224D28A8C7ADF48A1815321C73B93AB1858146E58EC8722209EDAFF8668A0F3581885C82CF4AE2AADA
Malicious:	false
Reputation:	unknown
Preview:	C:\Users\user\Desktop\doa8GHSloq.exe

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.825510973865646
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	doa8GHSloq.exe
File size:	823808
MD5:	f85ca66e06121eb29b26d78cc3f64554
SHA1:	141bc2598b79d80bb3ceda6fe98c49ab7c694dd8
SHA256:	2483d6141d48f387aad22f1bec5c45945bca933eb35ba13d6ff65a46b8720885
SHA512:	53a9caad2df5549538085ebae5427634b841398fc794502fd0b3d6e3f39313d1a738c34ec95ad47f4b37c61045b8e04cdd3339eed6edeeb5c0f91ed7c4e56fd7
SSDEEP:	12288:JANTdXQBp9LbKV16MeEDyW89RQWQgZ8Wd9f8RWcz+nXUJHP4m9XQ6+0/l:iTdXQBjSeEDyWwLQO39URWL
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ua................................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4ca4be
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6175C7B6 [Sun Oct 24 20:53:10 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xca464	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc84c4	0xc8600	False	0.891373109014	data	7.83365535264	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x610	0x800	False	0.32958984375	data	3.44849403746	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xcc0a0	0x384	data
RT_MANIFEST	0xcc424	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.0.0.0
InternalName	ICompatibleFrameworksMetadataEnt.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	GameLibrary
ProductVersion	1.0.0.0
FileDescription	GameLibrary
OriginalFilename	ICompatibleFrameworksMetadataEnt.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/25/21-16:10:51.541596	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58045	8.8.8.8	192.168.2.3
10/25/21-16:10:52.314567	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	2010	192.168.2.3	37.0.10.144
10/25/21-16:10:58.504752	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57875	8.8.8.8	192.168.2.3
10/25/21-16:10:58.580268	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	2010	192.168.2.3	37.0.10.144
10/25/21-16:11:03.350708	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	54154	8.8.8.8	192.168.2.3
10/25/21-16:11:03.378268	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49744	2010	192.168.2.3	37.0.10.144
10/25/21-16:11:08.668535	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	2010	192.168.2.3	37.0.10.144
10/25/21-16:11:14.864387	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	2010	192.168.2.3	37.0.10.144
10/25/21-16:11:20.839143	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	64021	8.8.8.8	192.168.2.3
10/25/21-16:11:20.872151	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	2010	192.168.2.3	37.0.10.144
10/25/21-16:11:25.437538	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49748	2010	192.168.2.3	37.0.10.144
10/25/21-16:11:30.733559	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49749	2010	192.168.2.3	37.0.10.144
10/25/21-16:11:36.896791	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49753	2010	192.168.2.3	37.0.10.144
10/25/21-16:11:43.084738	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49783	2010	192.168.2.3	37.0.10.144
10/25/21-16:11:49.752881	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49795	2010	192.168.2.3	37.0.10.144
10/25/21-16:11:56.179155	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49797	2010	192.168.2.3	37.0.10.144
10/25/21-16:12:02.638458	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60352	8.8.8.8	192.168.2.3
10/25/21-16:12:02.676677	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49798	2010	192.168.2.3	37.0.10.144
10/25/21-16:12:06.904246	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	56773	8.8.8.8	192.168.2.3
10/25/21-16:12:06.932461	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49799	2010	192.168.2.3	37.0.10.144
10/25/21-16:12:11.265552	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	60982	8.8.8.8	192.168.2.3
10/25/21-16:12:11.297453	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49800	2010	192.168.2.3	37.0.10.144
10/25/21-16:12:17.613531	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49815	2010	192.168.2.3	37.0.10.144
10/25/21-16:12:23.599804	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49827	2010	192.168.2.3	37.0.10.144
10/25/21-16:12:29.453867	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50585	8.8.8.8	192.168.2.3
10/25/21-16:12:29.481816	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49828	2010	192.168.2.3	37.0.10.144
10/25/21-16:12:35.390177	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49829	2010	192.168.2.3	37.0.10.144
10/25/21-16:12:39.655133	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49830	2010	192.168.2.3	37.0.10.144

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2021 16:10:51.774838924 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:51.800786972 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:51.801011086 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:52.314567089 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:52.463696003 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:52.463783979 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:52.654176950 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:52.654304981 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:52.760652065 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:52.760716915 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:52.963924885 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:52.966273069 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:53.160900116 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:53.161015987 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:53.260989904 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:53.296989918 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:53.463767052 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:53.463881969 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:53.656903028 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:53.657042980 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:53.766315937 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:53.766402006 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:53.799201965 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:53.831784964 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:53.858479977 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:53.861443043 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:53.949816942 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:53.966963053 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:54.057473898 CEST	2010	49740	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:54.222323895 CEST	49740	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:58.535269022 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:58.579226017 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:58.579379082 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:58.580267906 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:58.621041059 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:58.621148109 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:58.760910034 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:58.760974884 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:58.787472010 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:58.809844017 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:58.964317083 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:58.964838982 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.099287033 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.100999117 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.151494980 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.202058077 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.219526052 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.219559908 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.219583988 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.219594955 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.219625950 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.219635963 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.219670057 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.245655060 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.245688915 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.245713949 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.245734930 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.245757103 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.245779037 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.245805025 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.245820045 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.245870113 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.245873928 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.245939016 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.245979071 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.264175892 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272135973 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272173882 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272198915 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272203922 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272229910 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272241116 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272253990 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272267103 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272281885 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272291899 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272303104 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272317886 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272339106 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272340059 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272357941 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272362947 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272382975 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272386074 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272411108 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272423029 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272433043 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272448063 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272454977 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272473097 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272494078 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272502899 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272517920 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272541046 CEST	2010	49743	37.0.10.144	192.168.2.3
Oct 25, 2021 16:10:59.272546053 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272569895 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:10:59.272589922 CEST	49743	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:03.351914883 CEST	49744	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:03.377576113 CEST	2010	49744	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:03.377666950 CEST	49744	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:03.378268003 CEST	49744	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:03.426937103 CEST	2010	49744	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:03.427054882 CEST	49744	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:03.510565996 CEST	2010	49744	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:03.510674953 CEST	49744	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:03.536818027 CEST	2010	49744	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:03.536950111 CEST	49744	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:03.612560034 CEST	2010	49744	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:03.612823009 CEST	49744	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:03.808022976 CEST	2010	49744	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:03.808284998 CEST	49744	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:03.916719913 CEST	2010	49744	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:03.916815996 CEST	49744	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:03.948019028 CEST	49744	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:08.642044067 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:08.667819023 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:08.667984009 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:08.668534994 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:08.748307943 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:08.748473883 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:08.917110920 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:08.917185068 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:08.943397999 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:08.983683109 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.123179913 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.123248100 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.245682955 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.245784044 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.251211882 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.251235008 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.251255989 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.251275063 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.251295090 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.251315117 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.277390003 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.277461052 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.279714108 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.279732943 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.279752970 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.279767036 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.279777050 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.279786110 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.279798985 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.279808044 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.279824972 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.279834032 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.279849052 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.279874086 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.279912949 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.303096056 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.303248882 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.305944920 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.305978060 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.305999994 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306018114 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306035995 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306054115 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306071997 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306088924 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306106091 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306123018 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306139946 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306157112 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306174040 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306191921 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.306210995 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.307075024 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.328912020 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.328999996 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.329000950 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.332741976 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.332803965 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.332833052 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.333090067 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333127022 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333152056 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.333161116 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333199024 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333215952 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.333233118 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333271027 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333292961 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.333304882 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333338976 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333357096 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.333373070 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333408117 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333427906 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.333441973 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333477974 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333497047 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.333512068 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333544970 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333561897 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.333579063 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333610058 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.333626986 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.333642006 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.357489109 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.358010054 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.358050108 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.358191013 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.361974955 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362030983 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362072945 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362112999 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362143993 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.362152100 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362190962 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.362196922 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362240076 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362272978 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362298012 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.362309933 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362339020 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.362349033 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362384081 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362422943 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362462044 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362504959 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362549067 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362587929 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362631083 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362672091 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362710953 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362749100 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362787008 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362828970 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362869024 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362906933 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362943888 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.362982988 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363020897 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363059998 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363099098 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363167048 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363225937 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363255978 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363271952 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363275051 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363279104 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363281965 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363285065 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363287926 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363291025 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363293886 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363296032 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363298893 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363301992 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363312006 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363351107 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363354921 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363390923 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363430023 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.363431931 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.363507986 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.374963999 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.383537054 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.383605957 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.383641958 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.383740902 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.383759975 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.383760929 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.385179996 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.388114929 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.388220072 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.388226032 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.388251066 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.388267994 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.388412952 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.391751051 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.391782045 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.391805887 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.391828060 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.391866922 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.391870975 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.391885042 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.391908884 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.391930103 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.391933918 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.391952991 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.391973972 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.391994953 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392013073 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392024040 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.392035007 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392057896 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392059088 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.392079115 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392093897 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.392101049 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392122984 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392143011 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392146111 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.392168045 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392182112 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.392189026 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392210007 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392230988 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392251968 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392271996 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392293930 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392314911 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392339945 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392362118 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392390966 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392415047 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392441034 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392462969 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392492056 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392513990 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392534971 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392556906 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392577887 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392600060 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392627001 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.392649889 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.396593094 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.396626949 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.396631002 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.396635056 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.396637917 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.396641016 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.396644115 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.396646976 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.396650076 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.396652937 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.412530899 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.416471004 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.416506052 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.417960882 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.417988062 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418004990 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418030024 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418056011 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418354988 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418454885 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418478012 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418499947 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418525934 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418550014 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418571949 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418592930 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418616056 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418637037 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.418663979 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.419703960 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.419723988 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.419735909 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.419753075 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.419764042 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.419775009 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.420063972 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.420088053 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.420089960 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.420092106 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.420094013 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.420095921 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.420098066 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.420099974 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.421209097 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.426029921 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.426057100 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.426820993 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.428534031 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.428566933 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.437732935 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.437779903 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.438033104 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.438986063 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439013004 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439035892 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439058065 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439080954 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439101934 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439146996 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439172983 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439189911 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.439196110 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439224958 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439243078 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.439249992 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439273119 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439291954 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.439294100 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439316988 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439337969 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439341068 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.439361095 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439383984 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439404964 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.439407110 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.439460993 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.449307919 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449348927 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449368954 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449390888 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449414968 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449439049 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449496984 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449518919 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449541092 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449562073 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449584961 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449595928 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.449608088 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449631929 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449656010 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.449656963 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449683905 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449707031 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449731112 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449739933 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.449754000 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449775934 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449788094 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.449798107 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449820995 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449841022 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.449846029 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449871063 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449893951 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449912071 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.449918032 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.449970007 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.452439070 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.452470064 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.452537060 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.465128899 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465162992 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465188026 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465215921 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465243101 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465269089 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465292931 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465317965 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465341091 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465365887 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465389013 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465416908 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465440989 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465465069 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465488911 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465513945 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465537071 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465562105 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465585947 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465614080 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465639114 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465662956 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465686083 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465711117 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465734959 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465759993 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465783119 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465809107 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465832949 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465854883 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465877056 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465899944 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465924025 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465949059 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465960979 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.465972900 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.465981007 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.465985060 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.465987921 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.465991020 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.465993881 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.465996981 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466000080 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466001034 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.466002941 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466006041 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466008902 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466012001 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466015100 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466017008 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466020107 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466022968 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466025114 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.466036081 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466048002 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.466072083 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.466125011 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.466182947 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.476465940 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.476629972 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.476658106 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.476684093 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.476685047 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.478137016 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.478555918 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.478576899 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.478600025 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.478620052 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.478626013 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.478642941 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.478657007 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.478671074 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.478702068 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.478712082 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.478977919 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.479026079 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.479059935 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.479085922 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.479109049 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.479135036 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.479152918 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.479161978 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.479177952 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.479199886 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.479219913 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.541699886 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.619908094 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.644036055 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.807415962 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.807481050 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:09.916878939 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:09.955143929 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:10.120276928 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:10.131597042 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:10.307451010 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:10.307910919 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:10.416786909 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:10.438337088 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:10.510626078 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:10.510726929 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:10.618818045 CEST	2010	49745	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:10.618876934 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:10.673414946 CEST	49745	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:14.837327957 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:14.863166094 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:14.863322973 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:14.864387035 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:15.012285948 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:15.012366056 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:15.120558023 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:15.140824080 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:15.307703018 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:15.307836056 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:15.423304081 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:15.423443079 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:15.620129108 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:15.620259047 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:15.811742067 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:15.811822891 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:15.916909933 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:15.917007923 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:16.010809898 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:16.031647921 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:16.047931910 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:16.047993898 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:16.122637987 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:16.122725010 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:16.148936033 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:16.202711105 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:16.250063896 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:16.416925907 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:16.417083979 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:16.510660887 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:16.510736942 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:16.611180067 CEST	2010	49746	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:16.611248970 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:16.641634941 CEST	49746	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:20.842614889 CEST	49747	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:20.869561911 CEST	2010	49747	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:20.871148109 CEST	49747	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:20.872150898 CEST	49747	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:20.903436899 CEST	2010	49747	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:20.951086044 CEST	49747	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:20.984723091 CEST	2010	49747	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:21.031358004 CEST	49747	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:21.106446028 CEST	49747	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:21.136627913 CEST	2010	49747	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:21.163274050 CEST	49747	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:21.307735920 CEST	2010	49747	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:21.335861921 CEST	49747	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:25.410974026 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:25.436759949 CEST	2010	49748	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:25.437068939 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:25.437537909 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:25.472999096 CEST	2010	49748	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:25.506330967 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:25.532697916 CEST	2010	49748	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:25.578558922 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:25.997724056 CEST	2010	49748	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:26.047370911 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:26.101413965 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:26.260730028 CEST	2010	49748	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:26.300384045 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:26.463987112 CEST	2010	49748	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:26.464081049 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:26.627898932 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:26.651452065 CEST	2010	49748	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:26.651536942 CEST	49748	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:30.700731039 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:30.726844072 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:30.726955891 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:30.733558893 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:30.950642109 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:30.950766087 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:31.062594891 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:31.062709093 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:31.151655912 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:31.151882887 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:31.261149883 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:31.261295080 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:31.452042103 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:31.452110052 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:31.558890104 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:31.558991909 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:31.652036905 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:31.652107000 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:31.762392044 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:31.762455940 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:31.964056015 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:31.964170933 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:32.151453972 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:32.151531935 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:32.263302088 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:32.282757044 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:32.464180946 CEST	2010	49749	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:32.464335918 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:32.569782972 CEST	49749	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:36.869898081 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:36.895788908 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:36.895927906 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:36.896790981 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:37.057548046 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:37.057621956 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:37.155395985 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:37.155484915 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:37.260538101 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:37.260700941 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:37.464337111 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:37.466003895 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:37.651504040 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:37.651607037 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:37.760855913 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:37.764552116 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:37.963937044 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:37.964075089 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:38.151767015 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:38.152390957 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:38.260601997 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:38.315146923 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:38.451349974 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:38.451452971 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:38.557425976 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:38.557497978 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:38.656892061 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:38.656956911 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:38.756797075 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:38.783145905 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:38.846298933 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:38.854737043 CEST	2010	49753	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:38.854809999 CEST	49753	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:43.057754040 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:43.083949089 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:43.084089041 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:43.084738016 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:43.125693083 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:43.126044989 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:43.260814905 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:43.260951042 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:43.444433928 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:43.444741964 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:43.568063974 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:43.568145037 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:43.760884047 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:43.763664961 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:43.964035988 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:43.964149952 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:44.065855980 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:44.111927032 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:44.261440039 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:44.265175104 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:44.464479923 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:44.466813087 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:44.654570103 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:44.654751062 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:44.760710955 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:44.760842085 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:44.964092016 CEST	2010	49783	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:44.964193106 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:45.072161913 CEST	49783	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:49.697392941 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:49.723310947 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:49.724417925 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:49.752881050 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:49.923584938 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:49.924565077 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:50.010973930 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:50.056936979 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:50.307945013 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:50.308207035 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:50.417426109 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:50.417994976 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:50.510966063 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:50.511151075 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:50.714164972 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:50.714308977 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:50.917192936 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:50.917884111 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:51.011158943 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:51.018902063 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:51.126291037 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:51.164264917 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:51.308702946 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:51.311479092 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:51.417115927 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:51.417217970 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:51.510828972 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:51.511279106 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:51.622478008 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:51.648231983 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:51.721313953 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:51.828866005 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:51.917185068 CEST	2010	49795	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:51.956265926 CEST	49795	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:56.126547098 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:56.161860943 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:56.162070990 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:56.179155111 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:56.264822006 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:56.300353050 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:56.358560085 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:56.359679937 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:56.390475988 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:56.440562963 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:56.454962969 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:56.652905941 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:56.652949095 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:56.762126923 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:56.762192965 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:56.963956118 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:56.964061975 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:57.066955090 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:57.067156076 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:57.265276909 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:57.265459061 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:57.465388060 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:57.465783119 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:57.651427984 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:57.652422905 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:57.762624979 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:57.763170958 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:57.964317083 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:57.964402914 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:58.151397943 CEST	2010	49797	37.0.10.144	192.168.2.3
Oct 25, 2021 16:11:58.151580095 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:11:58.226011992 CEST	49797	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:02.641036034 CEST	49798	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:02.666989088 CEST	2010	49798	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:02.667112112 CEST	49798	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:02.676676989 CEST	49798	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:02.714359999 CEST	2010	49798	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:06.905622959 CEST	49799	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:06.931408882 CEST	2010	49799	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:06.931545973 CEST	49799	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:06.932461023 CEST	49799	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:06.958511114 CEST	2010	49799	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:11.270790100 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:11.296648979 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:11.296885967 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:11.297452927 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:11.464884043 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:11.465044975 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:11.662980080 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:11.663043022 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:11.762481928 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:11.786062956 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:11.963926077 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:11.964036942 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:12.151525021 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:12.151611090 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:12.260513067 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:12.260586023 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:12.448234081 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:12.448369026 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:12.558099031 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:12.558190107 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:12.653058052 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:12.653148890 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:12.762202978 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:12.769211054 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:12.964092970 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:12.964196920 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:13.151722908 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:13.154537916 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:13.262447119 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:13.354284048 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:13.458264112 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:13.464196920 CEST	2010	49800	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:13.464314938 CEST	49800	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:17.586612940 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:17.612335920 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:17.612791061 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:17.613531113 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:17.807410002 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:17.807574987 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:17.917512894 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:17.917747021 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:18.010601997 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:18.010704041 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:18.122314930 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:18.135407925 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:18.308569908 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:18.308664083 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:18.416960001 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:18.417726994 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:18.513923883 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:18.514321089 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:18.619941950 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:18.620028973 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:18.750755072 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:18.750869036 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:18.916959047 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:18.917627096 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:19.010581017 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:19.010679960 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:19.119949102 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:19.133716106 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:19.307477951 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:19.307683945 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:19.416801929 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:19.419321060 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:19.505760908 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:19.510591984 CEST	2010	49815	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:19.511171103 CEST	49815	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:23.572372913 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:23.598572969 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:23.598687887 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:23.599803925 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:23.781403065 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:23.781653881 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:23.917445898 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:23.917661905 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:24.010813951 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:24.010977983 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:24.027548075 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:24.083511114 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:24.120212078 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:24.120284081 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:24.307697058 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:24.307893038 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:24.418544054 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:24.418720961 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:24.511274099 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:24.511460066 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:24.620254040 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:24.631587982 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:24.807686090 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:24.807807922 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:24.917057991 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:24.917145014 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:25.011018991 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:25.011142969 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:25.120659113 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:25.120732069 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:25.318878889 CEST	2010	49827	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:25.318973064 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:25.365401983 CEST	49827	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:29.454984903 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:29.480837107 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:29.481023073 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:29.481816053 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:29.557552099 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:29.557734013 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:29.656599998 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:29.656855106 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:29.761008024 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:29.761156082 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:29.963846922 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:29.963983059 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:30.151418924 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:30.151593924 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:30.263097048 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:30.263274908 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:30.465318918 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:30.465630054 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:30.565674067 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:30.565987110 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:30.651532888 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:30.651608944 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:30.760725975 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:30.760823011 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:30.963793039 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:30.963865995 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:31.129388094 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:31.132843018 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:31.262644053 CEST	2010	49828	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:31.262779951 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:31.287739038 CEST	49828	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:35.363241911 CEST	49829	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:35.389219046 CEST	2010	49829	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:35.389377117 CEST	49829	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:35.390177011 CEST	49829	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:35.422904015 CEST	2010	49829	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:35.444804907 CEST	49829	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:35.471349001 CEST	2010	49829	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:35.471777916 CEST	49829	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:35.497996092 CEST	2010	49829	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:35.553384066 CEST	49829	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:35.585139990 CEST	49829	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:39.627723932 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:39.653912067 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:39.654103041 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:39.655133009 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:39.738044024 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:39.788110971 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:39.814213991 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:39.816701889 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:39.882251978 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:39.884053946 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:39.964660883 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:40.187191963 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:40.204216003 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:40.234340906 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:40.280309916 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:40.306582928 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:40.307951927 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:40.334599972 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:40.334739923 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:40.363929987 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:40.364062071 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:40.464181900 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:40.464289904 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:40.651561975 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:44.793035984 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:44.839031935 CEST	49830	2010	192.168.2.3	37.0.10.144
Oct 25, 2021 16:12:45.467433929 CEST	2010	49830	37.0.10.144	192.168.2.3
Oct 25, 2021 16:12:45.511859894 CEST	49830	2010	192.168.2.3	37.0.10.144

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2021 16:10:51.521492004 CEST	58045	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:10:51.541595936 CEST	53	58045	8.8.8.8	192.168.2.3
Oct 25, 2021 16:10:58.484582901 CEST	57875	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:10:58.504751921 CEST	53	57875	8.8.8.8	192.168.2.3
Oct 25, 2021 16:11:03.329360962 CEST	54154	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:11:03.350708008 CEST	53	54154	8.8.8.8	192.168.2.3
Oct 25, 2021 16:11:08.444194078 CEST	52806	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:11:08.460779905 CEST	53	52806	8.8.8.8	192.168.2.3
Oct 25, 2021 16:11:14.816983938 CEST	53910	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:11:14.835227966 CEST	53	53910	8.8.8.8	192.168.2.3
Oct 25, 2021 16:11:20.819073915 CEST	64021	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:11:20.839143038 CEST	53	64021	8.8.8.8	192.168.2.3
Oct 25, 2021 16:11:25.388521910 CEST	60784	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:11:25.409646034 CEST	53	60784	8.8.8.8	192.168.2.3
Oct 25, 2021 16:11:30.680711031 CEST	51143	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:11:30.699050903 CEST	53	51143	8.8.8.8	192.168.2.3
Oct 25, 2021 16:11:36.781388044 CEST	59026	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:11:36.811371088 CEST	53	59026	8.8.8.8	192.168.2.3
Oct 25, 2021 16:11:43.037879944 CEST	53615	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:11:43.056184053 CEST	53	53615	8.8.8.8	192.168.2.3
Oct 25, 2021 16:11:49.647819042 CEST	53777	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:11:49.666081905 CEST	53	53777	8.8.8.8	192.168.2.3
Oct 25, 2021 16:11:56.105796099 CEST	57106	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:11:56.124810934 CEST	53	57106	8.8.8.8	192.168.2.3
Oct 25, 2021 16:12:02.618041039 CEST	60352	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:12:02.638458014 CEST	53	60352	8.8.8.8	192.168.2.3
Oct 25, 2021 16:12:06.804496050 CEST	56773	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:12:06.904246092 CEST	53	56773	8.8.8.8	192.168.2.3
Oct 25, 2021 16:12:11.245232105 CEST	60982	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:12:11.265552044 CEST	53	60982	8.8.8.8	192.168.2.3
Oct 25, 2021 16:12:17.564661980 CEST	51539	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:12:17.582935095 CEST	53	51539	8.8.8.8	192.168.2.3
Oct 25, 2021 16:12:23.551165104 CEST	55393	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:12:23.569952965 CEST	53	55393	8.8.8.8	192.168.2.3
Oct 25, 2021 16:12:29.434122086 CEST	50585	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:12:29.453866959 CEST	53	50585	8.8.8.8	192.168.2.3
Oct 25, 2021 16:12:35.343000889 CEST	63456	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:12:35.361471891 CEST	53	63456	8.8.8.8	192.168.2.3
Oct 25, 2021 16:12:39.608083963 CEST	58540	53	192.168.2.3	8.8.8.8
Oct 25, 2021 16:12:39.626637936 CEST	53	58540	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 25, 2021 16:10:51.521492004 CEST	192.168.2.3	8.8.8.8	0x1039	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:10:58.484582901 CEST	192.168.2.3	8.8.8.8	0xa444	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:03.329360962 CEST	192.168.2.3	8.8.8.8	0xb4c	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:08.444194078 CEST	192.168.2.3	8.8.8.8	0x58be	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:14.816983938 CEST	192.168.2.3	8.8.8.8	0x1b05	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:20.819073915 CEST	192.168.2.3	8.8.8.8	0xdb9d	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:25.388521910 CEST	192.168.2.3	8.8.8.8	0x1d2b	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:30.680711031 CEST	192.168.2.3	8.8.8.8	0xda24	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:36.781388044 CEST	192.168.2.3	8.8.8.8	0xa24d	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:43.037879944 CEST	192.168.2.3	8.8.8.8	0xf5c7	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:49.647819042 CEST	192.168.2.3	8.8.8.8	0xca4f	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:56.105796099 CEST	192.168.2.3	8.8.8.8	0x3b3a	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:02.618041039 CEST	192.168.2.3	8.8.8.8	0xb25b	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:06.804496050 CEST	192.168.2.3	8.8.8.8	0x8118	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:11.245232105 CEST	192.168.2.3	8.8.8.8	0xce6c	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:17.564661980 CEST	192.168.2.3	8.8.8.8	0xa9ad	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:23.551165104 CEST	192.168.2.3	8.8.8.8	0x4f8f	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:29.434122086 CEST	192.168.2.3	8.8.8.8	0xa64a	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:35.343000889 CEST	192.168.2.3	8.8.8.8	0xdaef	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:39.608083963 CEST	192.168.2.3	8.8.8.8	0xf833	Standard query (0)	watermalon1.sytes.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Oct 25, 2021 16:10:51.541595936 CEST	8.8.8.8	192.168.2.3	0x1039	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:10:58.504751921 CEST	8.8.8.8	192.168.2.3	0xa444	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:03.350708008 CEST	8.8.8.8	192.168.2.3	0xb4c	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:08.460779905 CEST	8.8.8.8	192.168.2.3	0x58be	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:14.835227966 CEST	8.8.8.8	192.168.2.3	0x1b05	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:20.839143038 CEST	8.8.8.8	192.168.2.3	0xdb9d	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:25.409646034 CEST	8.8.8.8	192.168.2.3	0x1d2b	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:30.699050903 CEST	8.8.8.8	192.168.2.3	0xda24	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:36.811371088 CEST	8.8.8.8	192.168.2.3	0xa24d	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:43.056184053 CEST	8.8.8.8	192.168.2.3	0xf5c7	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:49.666081905 CEST	8.8.8.8	192.168.2.3	0xca4f	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:11:56.124810934 CEST	8.8.8.8	192.168.2.3	0x3b3a	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:02.638458014 CEST	8.8.8.8	192.168.2.3	0xb25b	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:06.904246092 CEST	8.8.8.8	192.168.2.3	0x8118	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:11.265552044 CEST	8.8.8.8	192.168.2.3	0xce6c	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:17.582935095 CEST	8.8.8.8	192.168.2.3	0xa9ad	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:23.569952965 CEST	8.8.8.8	192.168.2.3	0x4f8f	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:29.453866959 CEST	8.8.8.8	192.168.2.3	0xa64a	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:35.361471891 CEST	8.8.8.8	192.168.2.3	0xdaef	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)
Oct 25, 2021 16:12:39.626637936 CEST	8.8.8.8	192.168.2.3	0xf833	No error (0)	watermalon1.sytes.net	37.0.10.144	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: doa8GHSloq.exe PID: 6672 Parent PID: 3572

General

Start time:	16:10:31
Start date:	25/10/2021
Path:	C:\Users\user\Desktop\doa8GHSloq.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\doa8GHSloq.exe'
Imagebase:	0x170000
File size:	823808 bytes
MD5 hash:	F85CA66E06121EB29B26D78CC3F64554
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.306901830.0000000002811000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.307288504.0000000003811000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: doa8GHSloq.exe PID: 7164 Parent PID: 6672

General

Start time:	16:10:41
Start date:	25/10/2021
Path:	C:\Users\user\Desktop\doa8GHSloq.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\doa8GHSloq.exe
Imagebase:	0x2a0000
File size:	823808 bytes
MD5 hash:	F85CA66E06121EB29B26D78CC3F64554
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: doa8GHSloq.exe PID: 4820 Parent PID: 6672

General

Start time:	16:10:42
Start date:	25/10/2021
Path:	C:\Users\user\Desktop\doa8GHSloq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\doa8GHSloq.exe
Imagebase:	0x670000
File size:	823808 bytes
MD5 hash:	F85CA66E06121EB29B26D78CC3F64554
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: NanoCore, Description: unknown, Source: 0000000A.00000003.360949669.0000000004214000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 3180 Parent PID: 4820

General

Start time:	16:10:45
Start date:	25/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA5BD.tmp'
Imagebase:	0x11d0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3912 Parent PID: 3180

General

Start time:	16:10:45
Start date:	25/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 5700 Parent PID: 4820

General

Start time:	16:10:46
Start date:	25/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpAC94.tmp'
Imagebase:	0x11d0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: doa8GHSloq.exe PID: 3860 Parent PID: 664

General

Start time:	16:10:47
Start date:	25/10/2021
Path:	C:\Users\user\Desktop\doa8GHSloq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\doa8GHSloq.exe 0
Imagebase:	0xf90000
File size:	823808 bytes
MD5 hash:	F85CA66E06121EB29B26D78CC3F64554
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.326343099.0000000003631000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.327119659.0000000004631000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 4248 Parent PID: 5700

General

Start time:	16:10:47
Start date:	25/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6268 Parent PID: 664

General

Start time:	16:10:50
Start date:	25/10/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0xd50000
File size:	823808 bytes
MD5 hash:	F85CA66E06121EB29B26D78CC3F64554
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000010.00000002.332763752.00000000045F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.331777167.00000000035F1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: doa8GHSloq.exe PID: 5356 Parent PID: 3860

General

Start time:	16:10:52
Start date:	25/10/2021
Path:	C:\Users\user\Desktop\doa8GHSloq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\doa8GHSloq.exe
Imagebase:	0x500000
File size:	823808 bytes
MD5 hash:	F85CA66E06121EB29B26D78CC3F64554
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.340775979.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.343174730.0000000002CA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000012.00000002.343333439.0000000003CA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6528 Parent PID: 6268

General

Start time:	16:10:53
Start date:	25/10/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x7b0000
File size:	823808 bytes
MD5 hash:	F85CA66E06121EB29B26D78CC3F64554
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.346641462.00000000031F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.343983482.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.346700520.00000000041F1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 6520 Parent PID: 3352

General

Start time:	16:10:53
Start date:	25/10/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x200000
File size:	823808 bytes
MD5 hash:	F85CA66E06121EB29B26D78CC3F64554
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.337336999.00000000029B1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.338194880.00000000039B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: dhcpmon.exe PID: 4140 Parent PID: 6520

General

Start time:	16:10:56
Start date:	25/10/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0xe00000
File size:	823808 bytes
MD5 hash:	F85CA66E06121EB29B26D78CC3F64554
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.352700590.0000000004641000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.352485340.0000000003641000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.350478158.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: doa8GHSloq.exe PID: 6672 Parent PID: 3572 doa8GHSloq.exeCOMMON

Executed Functions

Function 04BB0323, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04BB03A3

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: f451edab46ac058bbd21b78b0743ffd06dc52bc7c51998dd0d091da3157d5db3
Instruction ID: e0d67241c8a3cfe5fcff501b356f64bfff9aeefe25a01c06ced0a04a91515672
Opcode Fuzzy Hash: f451edab46ac058bbd21b78b0743ffd06dc52bc7c51998dd0d091da3157d5db3
Instruction Fuzzy Hash: 6B21D6755097849FDB238F25DC44BA2BFF4EF06310F0885DAE9858F163D275A508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04BB035A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 04BB03A3

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: e48a57f130b551a4d0a0473ccd8eb223bae68ac68fccd420c080fa5b1ceded21
Instruction ID: 782d9d1a5b0793c7e8c010bba74186d40342b0f282284d850aa98c74087ddb37
Opcode Fuzzy Hash: e48a57f130b551a4d0a0473ccd8eb223bae68ac68fccd420c080fa5b1ceded21
Instruction Fuzzy Hash: D211A0355003449FDB21DF55D988BAAFBE4EF08320F08C4AADD8A8B612D271E408CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 049F0AB0, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7ae1d9ae1ae36386739ff6d4edb0dfab7b1f43a48d48f8e275dbbe35a41e192
Instruction ID: 6ba8592b497153e5db85845eb4c3dbe9dca6048689ed5133dfec5516f8bfc0ef
Opcode Fuzzy Hash: c7ae1d9ae1ae36386739ff6d4edb0dfab7b1f43a48d48f8e275dbbe35a41e192
Instruction Fuzzy Hash: D9A13571E05209DFCB04CFA9C995AEDFBB2FF88304F10846AD402BB255E7386A469F55

Uniqueness

Uniqueness Score: -1.00%

Function 049F0B48, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb2ec502d698bcd10dd359387fc385d3323c12594c484499b5cb2790ba04e904
Instruction ID: 0aa1214eed7ab8ea3d4626d1872495fccbe315dbd2f4df978ceb308805df8ecd
Opcode Fuzzy Hash: eb2ec502d698bcd10dd359387fc385d3323c12594c484499b5cb2790ba04e904
Instruction Fuzzy Hash: CE81F270E15209DFCB04CFA9C955AAEFBB6FF88304F10852AD506BB254DB78AA01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 049F9840, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c539f8f492a5edbc59e7d0111eadb5fe3c30b2e977da0b7dd9f94e4983bc39
Instruction ID: 611c3ae3fa2b65255e7379a2695c0da15563d13e8d7121830d3f72a3013a0fd6
Opcode Fuzzy Hash: 51c539f8f492a5edbc59e7d0111eadb5fe3c30b2e977da0b7dd9f94e4983bc39
Instruction Fuzzy Hash: DC71E1B4E05209DFCB04DFA9C984AAEFBF2BF49304F24956AD509B7205D734AA81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 049F89CA, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3bd741e9d7d09201761bf72c60dabd00962d27a18b30084a1afe3f6d7bbdc21
Instruction ID: 41077b3f510323e788da8b9480e403c6f6e6151c618d5e41c16b8bba548055aa
Opcode Fuzzy Hash: d3bd741e9d7d09201761bf72c60dabd00962d27a18b30084a1afe3f6d7bbdc21
Instruction Fuzzy Hash: 115122B4E15209EFCB44DFA5C9816AEFBF2FF49304F1095AAD410BB250E734AA018F65

Uniqueness

Uniqueness Score: -1.00%

Function 049F8490, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5865e1a7f60bc9b63b2163ab7630522d6be26120069fc5970db0d6833401af9
Instruction ID: 698c20178d7ab88cf483fe5b5782f3cbbfe0affa139b40012e29d791f904be8d
Opcode Fuzzy Hash: a5865e1a7f60bc9b63b2163ab7630522d6be26120069fc5970db0d6833401af9
Instruction Fuzzy Hash: 235169B4E1920AEFCB44DFA4D9845AEFBF2FB49310F2084AAD505B7254D7346A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 049F12A9, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3ce395f5ca0aa94b1791ada084eae0b9549199c4494730608633366faa13a7
Instruction ID: e8aa676026a45a3f5673cc75d809862d5d1aa896719344bf4523175baab7a2c7
Opcode Fuzzy Hash: 8d3ce395f5ca0aa94b1791ada084eae0b9549199c4494730608633366faa13a7
Instruction Fuzzy Hash: 83512671D04209CFCB08CFA9C8815AEFBF2FF89304F24D42AD515AB650D774AA41CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 052D2568, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8bc459ab6496463f0ed5d6e539f82c6c8e8666bdde404e834685dab552767a
Instruction ID: 2c107d2e968131a2920d7758ecfcab073b3137fb7e54d70bda7d14ee2bd939bb
Opcode Fuzzy Hash: 7a8bc459ab6496463f0ed5d6e539f82c6c8e8666bdde404e834685dab552767a
Instruction Fuzzy Hash: 9A41F279914228CFDB60DF68C884BECBBB2BF49305F1080EAD509A7290DB755AC5DF51

Uniqueness

Uniqueness Score: -1.00%

Function 052D25CA, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ea06bee67968b7e90d0e3a8d58478bdb9537438d29016ab006a25bf932ae14
Instruction ID: 7b8dd2f591be0fd1bc016eb36b942f61a2ddc8d3443599c3653a95411ff0f0d0
Opcode Fuzzy Hash: 99ea06bee67968b7e90d0e3a8d58478bdb9537438d29016ab006a25bf932ae14
Instruction Fuzzy Hash: D0311278865229CFDB20DF64D9497ECBBB1BF09301F1094EAD11AA3281DBB54AC4DF60

Uniqueness

Uniqueness Score: -1.00%

Function 049F1C10, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b00ee374b200090526ecc20cb53da8c24b98db631e01119c81dba778f0e902d0
Instruction ID: 1c18d651d606f81ad4c8f6633090ffe219643f9447cf286ed37ca3731a4526d2
Opcode Fuzzy Hash: b00ee374b200090526ecc20cb53da8c24b98db631e01119c81dba778f0e902d0
Instruction Fuzzy Hash: BB2106B1E002188BDB18CFAAD8447DEFBF6AFC8310F14C07AD508A6254DB351A45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 052D1BB2, Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

(, xrefs: 052D2276
), xrefs: 052D2282

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 3a5aed4e675a54898528abf31efc0012cb5d8a7a09425fe4c952ab754c39e6e6
Instruction ID: ba634f845171e6ca3ea5c359bb0bd79693f79df3eb4880fe4fa7d6840ae5ddd4
Opcode Fuzzy Hash: 3a5aed4e675a54898528abf31efc0012cb5d8a7a09425fe4c952ab754c39e6e6
Instruction Fuzzy Hash: 9D51E074910228CFDB64DF68C884BECBBB2BF59305F1081EAD50AA7290DB745AC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 052D1E4F, Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

(, xrefs: 052D2276
), xrefs: 052D2282

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 1c159c4c2d94c8f0b9e8a7bc3179ca4622976834aa2601989f16692193eeffc1
Instruction ID: f2f1b61c1173c0aeec43ddc103216ee23f114df57a88b7f43388ff5d7e3e14e9
Opcode Fuzzy Hash: 1c159c4c2d94c8f0b9e8a7bc3179ca4622976834aa2601989f16692193eeffc1
Instruction Fuzzy Hash: 7141FF74911228CFDB64CF68C884BECBBB2BF5A305F1081EAD50AA7280DB755AC5DF11

Uniqueness

Uniqueness Score: -1.00%

Function 052D224F, Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

(, xrefs: 052D2276
), xrefs: 052D2282

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 5e92e2fd343a5937ffba07873b861ddb9afad513e02d1fba0dff4817c9c3bdec
Instruction ID: 9b8ac998ef1f17deda9566df9bb1a61865e834ae2c5c3a292ea0b45c1616624a
Opcode Fuzzy Hash: 5e92e2fd343a5937ffba07873b861ddb9afad513e02d1fba0dff4817c9c3bdec
Instruction Fuzzy Hash: 8B31DD79910228CFCB64DF68C884BECBBB2BF45305F2080EAD50AA7281CB755AC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 008FAC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 008FACD1

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4ba9845cf7c5f320249fe833230df70531a4cdf9f8df8d0b12a6cc3525b06908
Instruction ID: 1327d95ab4e7a491b8e1897779b6ce7cba7f54e43c2ff4f79453b9e31c6d366b
Opcode Fuzzy Hash: 4ba9845cf7c5f320249fe833230df70531a4cdf9f8df8d0b12a6cc3525b06908
Instruction Fuzzy Hash: CA31E8725043846FE7228F25CC45F67BFECEF06310F08859AED859B152D265E909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 008FAD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,9499F1E9,00000000,00000000,00000000,00000000), ref: 008FADD4

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ca62f75fb1345dd7ecf796987df59d1210e5dddb04c1bc4cec5e2284ac07496c
Instruction ID: 0047980e16080eab7b07982e994b78a054aff36babbe8088b4394079ee9996f1
Opcode Fuzzy Hash: ca62f75fb1345dd7ecf796987df59d1210e5dddb04c1bc4cec5e2284ac07496c
Instruction Fuzzy Hash: 2331B5711043845FD722CB25CC85FA6BFFCEF06320F18849AE985DB153D264E948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04BB0654, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,9499F1E9,00000000,00000000,00000000,00000000), ref: 04BB06E8

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 3c4286c0abd4413fe25802aeb3111779f20a74d4c546d644ab37d9602170eb1b
Instruction ID: e0824bcb1dbfb9d2d6fefbd95c091081bc72099e7f0fa874339d94f775cb325a
Opcode Fuzzy Hash: 3c4286c0abd4413fe25802aeb3111779f20a74d4c546d644ab37d9602170eb1b
Instruction Fuzzy Hash: 2221E9715093806FE7128B24DC45BA6BFA8EF43310F1880DAED84DF153D264A905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008FA2AC, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 008FA346

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 9b25a265e7d2a630af92487729d880f6da3bc705b1571bb2dccfc4b01855b536
Instruction ID: 6a6bfc9893148d9e2d69125ce3d713a3ea3b954b9274f7dc1f9beb9169b1e8ed
Opcode Fuzzy Hash: 9b25a265e7d2a630af92487729d880f6da3bc705b1571bb2dccfc4b01855b536
Instruction Fuzzy Hash: 1D21C77550D3C06FD3138B259C51B22BFB4EF87624F0A80DBE884CB5A3D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 008FAC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 008FACD1

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2fbb9933291ce670e7ba5017ce921e395fe008ce61c0229ebdb18151af1bf3e2
Instruction ID: 4ef9c878c6b0f56f5679cb487a023c6014bb122a4627bbd2a4c9e9cec2eaef8f
Opcode Fuzzy Hash: 2fbb9933291ce670e7ba5017ce921e395fe008ce61c0229ebdb18151af1bf3e2
Instruction Fuzzy Hash: D021D772500208AFE7219F29CD85F7BFBECEF04320F14855AED45D7241D625E9088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 04BB01A7, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04BB0222

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5d1d7f208654276604a0fd09b940576014096473b9b533d320efb7115598f94b
Instruction ID: 76c6cec7cc14e5d8d1d65b2c7a429b4b2e237dfefd5ca9aaf6d0542471796be6
Opcode Fuzzy Hash: 5d1d7f208654276604a0fd09b940576014096473b9b533d320efb7115598f94b
Instruction Fuzzy Hash: 0D2183765093805FDB128F65DC45BA7BFE8EF46310F0984DAD984CB263D274E808C761

Uniqueness

Uniqueness Score: -1.00%

Function 008FAD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,9499F1E9,00000000,00000000,00000000,00000000), ref: 008FADD4

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fdc1b119749be0d0e5df0c17789af840dbeb546ad22ec08046cc7c921564694b
Instruction ID: 689c290dea0a575848f6c5315361d66432e9d23d4041497cf3029665909254e1
Opcode Fuzzy Hash: fdc1b119749be0d0e5df0c17789af840dbeb546ad22ec08046cc7c921564694b
Instruction Fuzzy Hash: 262192B15006089FE721DE25CD84F76BBECEF04721F14845AED49DB652D360E804CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 04BB04A5, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,9499F1E9,00000000,?,?,?,?,?,?,?,?,72733C38), ref: 04BB0516

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 5ececc8743b36d71af34652a2c05d5493d959565d7946d72ae96883d83420509
Instruction ID: 271e9becd4920fc7b56471927d52600aae1d29b013ffc88692fafcfca3976532
Opcode Fuzzy Hash: 5ececc8743b36d71af34652a2c05d5493d959565d7946d72ae96883d83420509
Instruction Fuzzy Hash: DD2150715093845FD712CF25DC85BA6BFE8EF46220F0984EAE985CB163D275A908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008FB42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 008FB4A9

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 58893cdcb85ea7e0dbd104053d72ce40e8d594367e412c74332f1a39d9fd0801
Instruction ID: e62d297e73c0871070dbb2cb0c6cd9ea5e535185857d180b8193f1f36c4ddce3
Opcode Fuzzy Hash: 58893cdcb85ea7e0dbd104053d72ce40e8d594367e412c74332f1a39d9fd0801
Instruction Fuzzy Hash: C2218EB55093845FD7228E25DC45B62BFE8FF56714F08808AED84CB293D365E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04BB07D9, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04BB084D

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d6bd7f9c9acc84ba6daeeca0f2d4a0ad0b84fb157d84e75170ae8a48581951d9
Instruction ID: 5ad20852c801ca6b635695796a22c68bd0a271cc7b46ca244832256a3805ecf2
Opcode Fuzzy Hash: d6bd7f9c9acc84ba6daeeca0f2d4a0ad0b84fb157d84e75170ae8a48581951d9
Instruction Fuzzy Hash: 8C215E714097C09FDB238F25DC44A62FFB4EF17210F0985DAE9C48F163D265A958DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008FA666

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bb2989fae31f2821d7269fa9e14ac082b4aada84864e05241c8e01f9f863c8fd
Instruction ID: 99717d0285f8bf30bf3586cbb5d2e05a4de6cd474b807f789d52eeecfe56379e
Opcode Fuzzy Hash: bb2989fae31f2821d7269fa9e14ac082b4aada84864e05241c8e01f9f863c8fd
Instruction Fuzzy Hash: DC11A571405780AFDB228F50DC44A62FFF4EF5A320F0884DAED858B152D235A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 04BB0692, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E2C,9499F1E9,00000000,00000000,00000000,00000000), ref: 04BB06E8

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 65823e2ba152d6904b9f0dd5f3573e15632531f3d2cd8d81fe48f2ff1b9e0ff2
Instruction ID: 22e43f78971f37b555730900d791f8c5f26bbed1d4889337ed491bb99f9adb99
Opcode Fuzzy Hash: 65823e2ba152d6904b9f0dd5f3573e15632531f3d2cd8d81fe48f2ff1b9e0ff2
Instruction Fuzzy Hash: F911A371600244AFEB11DF29DE85BBBFB9CEF45320F1484AAED45DB242E674A5048FB1

Uniqueness

Uniqueness Score: -1.00%

Function 04BB0B6B, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04BB0BD5

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8cd2a505ac1f09242b9f187432a3c55d7ea7986646f5d0157030f28464503774
Instruction ID: aba585395d98625776acf3620675cf2dec53788181f04af839ffb5ea58c99206
Opcode Fuzzy Hash: 8cd2a505ac1f09242b9f187432a3c55d7ea7986646f5d0157030f28464503774
Instruction Fuzzy Hash: 5411B2765097809FDB228F15DC45B66FFB4EF06324F0884DEED854B163D275A418CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04BB01DA, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 04BB0222

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9ca493aeb8458c21ae4d13e195805b7c6fd87f1d3b068f03dc70b6a5f18679eb
Instruction ID: 7b82272ab91cf187ab46cb4008ee57352fb3175f8eff504a200aca9e60f91ed1
Opcode Fuzzy Hash: 9ca493aeb8458c21ae4d13e195805b7c6fd87f1d3b068f03dc70b6a5f18679eb
Instruction Fuzzy Hash: EA1130756002449FDB21DF29D9457A7FBD8EF44720F1884AADD89CB652E274E408CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 04BB04D6, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,9499F1E9,00000000,?,?,?,?,?,?,?,?,72733C38), ref: 04BB0516

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 98cb8525122a0cacfabb297b378ecec8134c679155283dfb7bf7ea3674518775
Instruction ID: 7d471d17f8e6c58fc5df8e40e229727830f9fc0ad3a28509d03c6d66c624496c
Opcode Fuzzy Hash: 98cb8525122a0cacfabb297b378ecec8134c679155283dfb7bf7ea3674518775
Instruction Fuzzy Hash: 6611C4716002448FDB11DF29D984BBAFBE4EF05320F08C4AADD89CB612D2B0E404CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 008FAAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 008FAB46

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4e316b162b3aeeba3e598140908e0bd49246a22465cda38f42004bb7bf8683be
Instruction ID: ed42f2bce99a271cbb99e17809ac14d13ad2bc5fd1633ce093adfa5f64bad3d1
Opcode Fuzzy Hash: 4e316b162b3aeeba3e598140908e0bd49246a22465cda38f42004bb7bf8683be
Instruction Fuzzy Hash: 9611A0714097849FC721CF15DC84A52FFF4EF06320F0884DAED898B262C275A808CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA42A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 008FA480

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 6d3f471c5b824dda2cb5996b181f5a3fa91942fb7cd9aaf0c5dd85e94531920f
Instruction ID: c3dea556363a5c0921f8d792e345d6db5058ac6e43b9fc25b1bad0a975aaa544
Opcode Fuzzy Hash: 6d3f471c5b824dda2cb5996b181f5a3fa91942fb7cd9aaf0c5dd85e94531920f
Instruction Fuzzy Hash: E21152754093C49FD7128F25DC44B66FFA4EF56320F0980DADD858B263D279A948CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FB45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 008FB4A9

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 1b7673891d1310b2d4a536d74c7346fcd69fca5e1b24cb350aeb5aeb6d32b330
Instruction ID: 9cdf5f6a14a1ed0fecbf4f9e360a97a10ff822e3be2c6e1d1405bbda15b576ee
Opcode Fuzzy Hash: 1b7673891d1310b2d4a536d74c7346fcd69fca5e1b24cb350aeb5aeb6d32b330
Instruction Fuzzy Hash: AD0180755002488FDB20CE29DA45B26FBE8FF24720F188499DE49CB647D375E808CB76

Uniqueness

Uniqueness Score: -1.00%

Function 008FA622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008FA666

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 91ce8e983fef433d06abb34898e8350e468cdb8e3c30dd7591270137292c10d3
Instruction ID: 0b5205b8ff27eb7608daa888a5b735475a464d23dd784e0ff694a084f175c51e
Opcode Fuzzy Hash: 91ce8e983fef433d06abb34898e8350e468cdb8e3c30dd7591270137292c10d3
Instruction Fuzzy Hash: 7701C0724006449FDB22CF65D944B26FFE4FF58320F18C8AADE898B612D235E418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 008FA2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 008FA346

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: ce7c4e8b5c459c9b2ce5a5a9eff6ccfa0b312c664e337a898c2ae665ac1657c2
Instruction ID: bb243054390d462507e5b1fa33d971f3b54867fbefb28fed06376689ddf041d6
Opcode Fuzzy Hash: ce7c4e8b5c459c9b2ce5a5a9eff6ccfa0b312c664e337a898c2ae665ac1657c2
Instruction Fuzzy Hash: 9D01A275500600ABD250DF1ADC82F26FBE8FB88B20F14C15AED084B741E631F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 04BB0B9A, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04BB0BD5

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 64fde1b33e64ea5ed4b6a6668224e25e95947dfb41908b551f80950217696020
Instruction ID: 56f84b42b2392ae1f503b6ed57278eb6bf1410e912f437575972f1dc0402ec1f
Opcode Fuzzy Hash: 64fde1b33e64ea5ed4b6a6668224e25e95947dfb41908b551f80950217696020
Instruction Fuzzy Hash: 1001B1355006408FDB219F15D844B76FFE4EF04320F08C49EDD894B612D3B1A418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 04BB0812, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04BB084D

Memory Dump Source

Source File: 00000000.00000002.307875860.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d9a583781532cb712b9b91f1a82355bbb6b8d6ee4c6b2c5fd21b14511fa32aac
Instruction ID: 33a07c20c6381b913182059715c9ca637e946353142c8d739f75fa28d73f4645
Opcode Fuzzy Hash: d9a583781532cb712b9b91f1a82355bbb6b8d6ee4c6b2c5fd21b14511fa32aac
Instruction Fuzzy Hash: A50178359006409FDB219F15DD88B66FFA4EF08320F08C49ADDC90B626D2B5A518DFE2

Uniqueness

Uniqueness Score: -1.00%

Function 008FAB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 008FAB46

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 05b10292d5cd19b30965531128db3cf3fec4526d7f9f5e67805cbba714ddf432
Instruction ID: 50cd587665ca7e460cf1f43188d77ed9d9cd08e1ecf388e5b2bd6159a9fb17bd
Opcode Fuzzy Hash: 05b10292d5cd19b30965531128db3cf3fec4526d7f9f5e67805cbba714ddf432
Instruction Fuzzy Hash: FF01AD754046488FDB218F15D984B25FFE4EF04731F18C49ADE8A4B656C275A418DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 008FA44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 008FA480

Memory Dump Source

Source File: 00000000.00000002.305071726.00000000008FA000.00000040.00000001.sdmp, Offset: 008FA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 94c3f40954cca8ac285ae717984d801b5a6f30e651a26b2ece3c81feaf49c200
Instruction ID: f6a0d8e13d7578f8c574253f5cd9ffb0b39b3738ee60e8a5d7bfe8c959540879
Opcode Fuzzy Hash: 94c3f40954cca8ac285ae717984d801b5a6f30e651a26b2ece3c81feaf49c200
Instruction Fuzzy Hash: 89F0A4755042488FD711CF15D988775FFD4EF54331F18C0AADE494B256D2B5A408CEB6

Uniqueness

Uniqueness Score: -1.00%

Function 052D1906, Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

', xrefs: 052D20E1

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 96054fd734d8b1d2beee222e677f0dc622954ae18100f56549642045493f3d44
Instruction ID: 53fe04514c6e9313bbfb67369c2c7e28d2165c34a0251abfe65052f9f8091371
Opcode Fuzzy Hash: 96054fd734d8b1d2beee222e677f0dc622954ae18100f56549642045493f3d44
Instruction Fuzzy Hash: DE81DF78910229CFDB64DF68C884BECBBB1BF59305F1081EA950DA7280DBB59AC5DF50

Uniqueness

Uniqueness Score: -1.00%

Function 052D1FA6, Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

#, xrefs: 052D23E3

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 6110b3935c8a374cb7baef22db253e89202264bf4683bae5922ede4cd2118a62
Instruction ID: 85c259fb441bd5053adf9e5018398f2c8389f8356fde37e14b3c3020942adb80
Opcode Fuzzy Hash: 6110b3935c8a374cb7baef22db253e89202264bf4683bae5922ede4cd2118a62
Instruction Fuzzy Hash: 6B61DE79914228CFDB64DF68C884BECB7B2BF49305F1080EA950EA7290DB755AC4DF21

Uniqueness

Uniqueness Score: -1.00%

Function 052D239D, Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

#, xrefs: 052D23E3

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 50c790929a7611b0ce9c5c937d52de24db47fc68c49a5f80674762dab16286c8
Instruction ID: e32965124a0e6b228f76a7d2f69eacb9191021d53a1d73813c77f768fdd93b4f
Opcode Fuzzy Hash: 50c790929a7611b0ce9c5c937d52de24db47fc68c49a5f80674762dab16286c8
Instruction Fuzzy Hash: 5C51CE75910228CFDB64DF69C888BECBBB2BF49305F1480EA950DA7290DB755AC4DF11

Uniqueness

Uniqueness Score: -1.00%

Function 052D219E, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

&, xrefs: 052D1AD3

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: d6e794de3815747c57d362f7f9f15b23684aa315dc246d188bf7b7c2bc687836
Instruction ID: 7d2267ee875a90d0f93fcc8624652001541461249e94bac87d96334fcfe70c71
Opcode Fuzzy Hash: d6e794de3815747c57d362f7f9f15b23684aa315dc246d188bf7b7c2bc687836
Instruction Fuzzy Hash: 7751EF79914229CFCB64DF68C884BECBBB2BF09304F1481EAD409A7291CB759AC5CF10

Uniqueness

Uniqueness Score: -1.00%

Function 052D1C4D, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

", xrefs: 052D1C97

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 77033e454c269c24b02377c9b490a9c4b8d82e9250a951e7e3a5af34ad2f91ce
Instruction ID: 4c198a7523e82632ac0fe32a1ca723824f054b41ad89cb3d29eaeba4735f80a7
Opcode Fuzzy Hash: 77033e454c269c24b02377c9b490a9c4b8d82e9250a951e7e3a5af34ad2f91ce
Instruction Fuzzy Hash: B751A074910268CFCB64DF68C884BECBBB1BB59305F1081EA9509AB284DB755AC5DF50

Uniqueness

Uniqueness Score: -1.00%

Function 052D1FC3, Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

(, xrefs: 052D1FD1

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 9abd6f407b6551d7b89408a3b787c75cc1a082a8f679ce79ee02926d365e0f52
Instruction ID: 543d9b9d609c782a8d891bf74219dd725cec27ec98e2426b2b850b04d7253730
Opcode Fuzzy Hash: 9abd6f407b6551d7b89408a3b787c75cc1a082a8f679ce79ee02926d365e0f52
Instruction Fuzzy Hash: 3E51EF74914229CFDB64CF69C888BECBBB2BF59305F1081EA9409A7290DB744AC4CF11

Uniqueness

Uniqueness Score: -1.00%

Function 052D1A26, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

&, xrefs: 052D1AD3

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 86b68431306aa851445e9e23eb63f2f4370212bdfda6d7704e9e8e79a181fcc7
Instruction ID: 1422b7b58755de31953a6e4e9c69b05566a1e88b3787ad9ee47f847d7d66906e
Opcode Fuzzy Hash: 86b68431306aa851445e9e23eb63f2f4370212bdfda6d7704e9e8e79a181fcc7
Instruction Fuzzy Hash: B751DE79910229CFCB64DF68C884BECBBB2BF49304F1481EAD409A7291CB759AC5CF10

Uniqueness

Uniqueness Score: -1.00%

Function 052D1AE2, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

+, xrefs: 052D1D45

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 2dabba77edfce169f9e5bdffa2031eb541540f3f81f0d83613c0fa19a732b5e5
Instruction ID: 724b3e6ba5ef5f66785587eca7ec566c45ac4b70605c58274aadb8228e59b8eb
Opcode Fuzzy Hash: 2dabba77edfce169f9e5bdffa2031eb541540f3f81f0d83613c0fa19a732b5e5
Instruction Fuzzy Hash: 24411379914229CFCB64DF64C884BECBBB2BF55305F1080EAD40AA7290DB758AC5CF10

Uniqueness

Uniqueness Score: -1.00%

Function 052D2311, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

!, xrefs: 052D238E

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: a32dc3fc876b87ef5599978c89ec5e8accf9f627f8959e8a0ff80d107ab5563c
Instruction ID: fadf5d599fbfda1854aa5bea7df0c18ac7664adef46265e2648b85adbbd985fc
Opcode Fuzzy Hash: a32dc3fc876b87ef5599978c89ec5e8accf9f627f8959e8a0ff80d107ab5563c
Instruction Fuzzy Hash: 2941C178914229CFDB64DF68C884BECB7B2BF55305F1080EAD409A7290DB755AC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 052D1D54, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 052D1D5A

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 2d007cbafc6a8d4dfe42194fbb6091775d9755ff082312b3479ba7872e55d8c8
Instruction ID: 0b71687aed7fdb41046e0c7fb25bf20118384bd591c5763f02d53d4bd7ce7012
Opcode Fuzzy Hash: 2d007cbafc6a8d4dfe42194fbb6091775d9755ff082312b3479ba7872e55d8c8
Instruction Fuzzy Hash: 6841F479910228CFCB64CF64C884BECBBB2BF59305F1080EAD519A7281DB759AC5CF10

Uniqueness

Uniqueness Score: -1.00%

Function 052D254A, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

,, xrefs: 052D1BA3

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 05a8308da996a89f5aaac89abf9dcf45154ec9d18da296cfc95898d43427180b
Instruction ID: 73a9438ba9c09ce8f56ab8cc6a572089f1f0bb701a6692c9f3d9339f3d3d630c
Opcode Fuzzy Hash: 05a8308da996a89f5aaac89abf9dcf45154ec9d18da296cfc95898d43427180b
Instruction Fuzzy Hash: C841CF78915229CFDB64CF68C884BECBBB2BF55305F1080EAD409A7280DB759AC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 052D1CF5, Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

+, xrefs: 052D1D45

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 0f3db5d96af0b623536a76167429ff57bcf1bdb21e583b40578eddb397eaa125
Instruction ID: 7f2f644374fb37799cf3837d566f548ae59e76ad10ec6bad5f087eb6b87a5dbe
Opcode Fuzzy Hash: 0f3db5d96af0b623536a76167429ff57bcf1bdb21e583b40578eddb397eaa125
Instruction Fuzzy Hash: 4141EF79910228CFCB64DF68C884BECBBB2BF45301F2080EA950AA7290DB355AC1CF11

Uniqueness

Uniqueness Score: -1.00%

Function 052D1B5B, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

,, xrefs: 052D1BA3

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: aea7a25e0699c92bfda1fafaef228730c1931668683d1a14658b9cd713274866
Instruction ID: 7524fbf0432f2f662c186941b2fd594a6a2126cb563614c1aae9b7f0c04a46b3
Opcode Fuzzy Hash: aea7a25e0699c92bfda1fafaef228730c1931668683d1a14658b9cd713274866
Instruction Fuzzy Hash: 9641B078915229CFDB64DF68C884BECBBB2BB55305F1080EAD409A7280DB759A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 052D21C1, Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

-, xrefs: 052D21E0

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 8a65cf497389f5c9146088540178eccb1dcbf0f2d4e8a2ab8e8a70f31e9946ac
Instruction ID: a20b227b3ab48d0d23ab7e6b52b0bebf21f463044edcce98d5aefbbb8981e73d
Opcode Fuzzy Hash: 8a65cf497389f5c9146088540178eccb1dcbf0f2d4e8a2ab8e8a70f31e9946ac
Instruction Fuzzy Hash: 0231F379910229CFCB64DF64C8847ECBBB1BF49305F1080EAD509A7290DB759AC5DF10

Uniqueness

Uniqueness Score: -1.00%

Function 052D1E25, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

*, xrefs: 052D1E40

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 5072846bd53dc8825849ea0599000f7edbdd663d1a3132a4cbf40ee948c62e69
Instruction ID: 7309c3e2fa3ced2cbb35bc4c7ca2f239b5447fe77b52b820949c910e42dca944
Opcode Fuzzy Hash: 5072846bd53dc8825849ea0599000f7edbdd663d1a3132a4cbf40ee948c62e69
Instruction Fuzzy Hash: 7831D078914229CFCB64DF68C884BECBBB2BF55305F1080EA950AA7290DB755AC5DF11

Uniqueness

Uniqueness Score: -1.00%

Function 052D1DC8, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

, xrefs: 052D1DE4

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f1f85b80f0604032613d98fbc1c4d17b12f1722a6d6fb7da1f1f36fc72568836
Instruction ID: 0fc3ae76b62b0024edf25a5dfa9d47e645f54b0caab8230ecd007e5867cf3760
Opcode Fuzzy Hash: f1f85b80f0604032613d98fbc1c4d17b12f1722a6d6fb7da1f1f36fc72568836
Instruction Fuzzy Hash: 5931D279914229CFCB64DF68C884BECBBB2BF59305F2080EAD509A7280DB755AC5DF10

Uniqueness

Uniqueness Score: -1.00%

Function 052D123F, Relevance: 1.3, Strings: 1, Instructions: 6COMMON

Download Yara Rule

Strings

!, xrefs: 052D124F

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 91767421fe0e40d4f90f8537998c29812585d30e7f610eede516437e22de8d7d
Instruction ID: c162be7f27e4cacc4d45e220a7650c8f49dabf19b13d8d61adbe0a291fcd65a1
Opcode Fuzzy Hash: 91767421fe0e40d4f90f8537998c29812585d30e7f610eede516437e22de8d7d
Instruction Fuzzy Hash: E2C09BB4974114CFD714CFB0E44C55DF775BB4D305F10C105955113161DB705401DF10

Uniqueness

Uniqueness Score: -1.00%

Function 052D14D0, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f70c07870f593c236c858a8116852f3ab13f74e00ef4114c74ad220c2a75235
Instruction ID: 7386e0b8ddbef11f81db3745ac676d6aa9460a52d45169ad5915685a327fbde2
Opcode Fuzzy Hash: 5f70c07870f593c236c858a8116852f3ab13f74e00ef4114c74ad220c2a75235
Instruction Fuzzy Hash: 0D91BDB4D29208CFDB10CFA4C588BEDBBF1BF09344F20516AD406AB690D7795A85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 049F0E09, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed9c7f8eece1b24bc21e11dd36157d6b10deac05a7a249f9761882c7cc1dd8f
Instruction ID: e6d427c4afa48001c7626c90987e9e5f9982d3e011da63f32f2ad6b05d497a6e
Opcode Fuzzy Hash: 0ed9c7f8eece1b24bc21e11dd36157d6b10deac05a7a249f9761882c7cc1dd8f
Instruction Fuzzy Hash: 1E91E574A0024ADFDB04DBA8C98499DBBF6FF88304F208169E504AB356DB31AD42CF95

Uniqueness

Uniqueness Score: -1.00%

Function 049F8E08, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d5efe1c6f5dae7fc34c2da24889b545ccd1a4b4346e0b5d3ff2c04e100b746
Instruction ID: 689d098087e1b1ad237f817aa3b8dd14f5116d2d603b6685fc77866a55da4125
Opcode Fuzzy Hash: 34d5efe1c6f5dae7fc34c2da24889b545ccd1a4b4346e0b5d3ff2c04e100b746
Instruction Fuzzy Hash: 0E61F774E05219DFDB44EFA9D8486AEBBF2FF49310F10846AD40AAB351DB306941CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0090A5C0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5308d091722f73957cf28588ed41de1c5fa7ea584e17ab628e7478255fd76713
Instruction ID: 7886fcaa0285e72de9d79da7a48cf05062d817ea29c8ae23351e39bdc34d1aad
Opcode Fuzzy Hash: 5308d091722f73957cf28588ed41de1c5fa7ea584e17ab628e7478255fd76713
Instruction Fuzzy Hash: CA51AF7650D3806FD712CF15DC51956FFF8EF86620F19C89FE8889B252D235A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 052D0990, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc3527adb8f60d7ca4e873061f923609819a982bcdeb89a54047f457b19f974
Instruction ID: 6ba2b5945a1d5bb89fb09f025e5b254a5ca0811f7a249044a5efa0f2d896be96
Opcode Fuzzy Hash: acc3527adb8f60d7ca4e873061f923609819a982bcdeb89a54047f457b19f974
Instruction Fuzzy Hash: 12513670D26208DFCB00CFB9C548AEEFBB2BF49314F64D565D514B7260E3B89A408B65

Uniqueness

Uniqueness Score: -1.00%

Function 049F95E6, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8de61ee7f45d510881b68a7cceb505a7b90ad25aa99702a5d744984338e5027e
Instruction ID: 9339cd38c26a5d248d37ecf6c45f759c485a91cf020879c2c5ce535b8c905755
Opcode Fuzzy Hash: 8de61ee7f45d510881b68a7cceb505a7b90ad25aa99702a5d744984338e5027e
Instruction Fuzzy Hash: 2D51A0B4E05619CFDF10CFE5C880AEDBBB6FB89304F209429E615AB251D7356A85DF00

Uniqueness

Uniqueness Score: -1.00%

Function 049F9838, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b2fb1a8f5dab86510488b49561a237b8e86fd47aa8f0b973358c6ed948995e5
Instruction ID: 605f2f7adbd6442e50c6c3dd1f6353515753f652ba4e57cfc9a15989c93fb21f
Opcode Fuzzy Hash: 4b2fb1a8f5dab86510488b49561a237b8e86fd47aa8f0b973358c6ed948995e5
Instruction Fuzzy Hash: 8951C2B0E05208CFDB04DFAAC9846AEFBF2BF89304F249469D509A7214E734A985DF51

Uniqueness

Uniqueness Score: -1.00%

Function 052D0980, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bed8994f9cf10ec90d6432d56ca9e74a703b7138c50491598526e9c21eb1bd6
Instruction ID: 00e8dc80cf6c47c6506c88020505203fa7954c555e54bec394e6bcab89407cde
Opcode Fuzzy Hash: 6bed8994f9cf10ec90d6432d56ca9e74a703b7138c50491598526e9c21eb1bd6
Instruction Fuzzy Hash: 98415670D662099FCB00CFE9C548AEEFBF2BF49314F24D565D514B72A0E3B88A418B65

Uniqueness

Uniqueness Score: -1.00%

Function 049F9738, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b514e6c36dd4c3cf1aad715f37e96b798ed67590b486810ace58a82062d07426
Instruction ID: 8875bae697cd977637ee4e13f331cee45cdd1ddbd8efde5f8c1da01c4f8ea6a4
Opcode Fuzzy Hash: b514e6c36dd4c3cf1aad715f37e96b798ed67590b486810ace58a82062d07426
Instruction Fuzzy Hash: 9D41A2B4E05219CFDF20CFE4C8847ADBBB6FB49314F24942AE519A7241D734AA85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 049F9AAA, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a38437887c318157e6299b3fdc94d01c28bca1ae22ec04826601feb15d0508
Instruction ID: 4c80bd1e38ba00d3f831e1a97fd153bbc1869de5602db196b36b137d304ba2b6
Opcode Fuzzy Hash: d5a38437887c318157e6299b3fdc94d01c28bca1ae22ec04826601feb15d0508
Instruction Fuzzy Hash: C6312430B19295CFCB12DBBD9D546AEBFB6BFC5201F2440AAD500DB292DA346D05C762

Uniqueness

Uniqueness Score: -1.00%

Function 049F94D8, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c3310dc06e6ba3face00e103c48c6227b825bd4069dcf69f1675da1f3537fd
Instruction ID: 3da0ceba1ab5305d7318638c610644ac27d4c29649e4735025add511fbcd1d1e
Opcode Fuzzy Hash: 26c3310dc06e6ba3face00e103c48c6227b825bd4069dcf69f1675da1f3537fd
Instruction Fuzzy Hash: 2D319AB4E08218DFCB05CFA4D8816ADBBB2FB89300F1085AAD909A3251D7346A41EF41

Uniqueness

Uniqueness Score: -1.00%

Function 052D2502, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffc5625bc32aaed6f51360736e76d9784d86f016ca8c84c3f224311ea1dda89
Instruction ID: d9b32e343daaa3bedd26274a9ab6c2310355856d4354cd3914a1c45eb388cb90
Opcode Fuzzy Hash: 9ffc5625bc32aaed6f51360736e76d9784d86f016ca8c84c3f224311ea1dda89
Instruction Fuzzy Hash: 1541AF78910229CFDB64DF68C884BECBBB2BF55305F2081AAD409A7284DB755EC5DF50

Uniqueness

Uniqueness Score: -1.00%

Function 052D1F35, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fc4d7322b45f9dc186aee6abc30f9efcfe3b02cc78542e94b238cc6c556bed
Instruction ID: e5eaa28e4593b89a907f2591d2351ba1970c10e4bdd74c3ec554121fcdeb3447
Opcode Fuzzy Hash: 01fc4d7322b45f9dc186aee6abc30f9efcfe3b02cc78542e94b238cc6c556bed
Instruction Fuzzy Hash: 3041F475910228CFCB64DF68C884BEDBBB2BF59305F1080EAD509A7280DB759AC5CF10

Uniqueness

Uniqueness Score: -1.00%

Function 052D2130, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e032abbcc3ab948df6947aab7a8fabcce44d7742320b6ada4a21d5f2ed760262
Instruction ID: 41364a91bc497dc4fe731a454b6e897ea5fa2c3814a07ea488aba5c224c5cc41
Opcode Fuzzy Hash: e032abbcc3ab948df6947aab7a8fabcce44d7742320b6ada4a21d5f2ed760262
Instruction Fuzzy Hash: 4141F278910228CFCB64DF68C8857ECBBB2BF49301F1080EAD50AA7291DB759AC1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 052D20A4, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80bacf3083acf51c5ebe66a6c519552d203d9713453b91e7ddb1443b6059ade6
Instruction ID: 47d9f9ab6a8b2332778a1d43841c627ae08f84f1e9537608ba49b00946cf154b
Opcode Fuzzy Hash: 80bacf3083acf51c5ebe66a6c519552d203d9713453b91e7ddb1443b6059ade6
Instruction Fuzzy Hash: E541EF78914228CFCB60DF68C884BECBBB2BF49305F1081EAD509A7280CB755AC1DF11

Uniqueness

Uniqueness Score: -1.00%

Function 052D1EBE, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85b63df7e7d70d266963a0ca636a7d3fa78b26c2faa29c488d423ad5c6acb87
Instruction ID: 83a0e251eb7c20a1edc1acd8ab44e5c12b5295d36d4e41d23ea38112d38c2500
Opcode Fuzzy Hash: c85b63df7e7d70d266963a0ca636a7d3fa78b26c2faa29c488d423ad5c6acb87
Instruction Fuzzy Hash: 1141C278910229CFCB64DF68C884BECBBB2BF45305F2080EAD409A7284DB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0090A700, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a176096556f5f25129373d9444d849a64b137ce8b18445f66ccb210b9abe60
Instruction ID: 7f3d5e60b976abadc0e1da798541add2693776269f25412dc1a7f22cc35b2abb
Opcode Fuzzy Hash: 66a176096556f5f25129373d9444d849a64b137ce8b18445f66ccb210b9abe60
Instruction Fuzzy Hash: 6E2130B6544300BFD210CF4AEC41E5BFBE8EBC8760F14C91EFD4997201D276A9149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0090A82C, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524f1f54aee1d97ee90983992a72c95a93a18058b9f11ff1f15d99790e26f309
Instruction ID: e1e3fdef4e1cdf1ac7be01f60bfad355c9e27a2ff6689618793a24329513cc4f
Opcode Fuzzy Hash: 524f1f54aee1d97ee90983992a72c95a93a18058b9f11ff1f15d99790e26f309
Instruction Fuzzy Hash: 682130B6544304BFD210CF4AEC41D5BFBE8EBC8660F14C91EFD4997201D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0090A958, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b7ffbb9c0842527f83acda960ce53e737fc94b5960e7a254e9d046eefca136
Instruction ID: a77e0851b9c73861ec0808ab2cbea7eb8f783c80126b4b6262d631d4591cdcaf
Opcode Fuzzy Hash: 91b7ffbb9c0842527f83acda960ce53e737fc94b5960e7a254e9d046eefca136
Instruction Fuzzy Hash: AA212CB6644300BFD210CF4AEC41D5BFBE8EB88760F14C92EFD4997211D276A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0090A3AC, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b418e971ffb6a5e18e10b7d66e8a6bcaaf3fcc03c13c3075372ed1c523e922
Instruction ID: d4f86b6c38a0f001d77ae3153e84c805a7507e217e822f73ba1a072889c46d1c
Opcode Fuzzy Hash: 04b418e971ffb6a5e18e10b7d66e8a6bcaaf3fcc03c13c3075372ed1c523e922
Instruction Fuzzy Hash: 8B21C1B6509340AFD7118F15EC41E56FFE8EB85630F18C8AFFD499B212D236A504CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0090AAC8, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43b5ccad19c78b50b70e561c562b50f8958cb0f0b93178bed80ebc70ad90153
Instruction ID: aa3e5837d822dfcc15b3c5867a0f78810777d6f29a57f8a343afa2c7cdc952dd
Opcode Fuzzy Hash: f43b5ccad19c78b50b70e561c562b50f8958cb0f0b93178bed80ebc70ad90153
Instruction Fuzzy Hash: 50314E7550D3C19FD302CF259851956BFF4EF86214F0888DEE8C4DB253D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 049F1471, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d78b26dca0693101d63f49878a826522fe501515a14015ea575480a2e074f4
Instruction ID: 1b87d0d1e63528f00b1bad8b9bcf5dce29d53b22918ecc8c56e04bd59292bd69
Opcode Fuzzy Hash: 08d78b26dca0693101d63f49878a826522fe501515a14015ea575480a2e074f4
Instruction Fuzzy Hash: 9831C674E0510ADFCB44CFA5C5819AEBBF2FB89300F1095AAD915A7754D738AA42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 049F1480, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebe70c7aaa2e36fecb43f86959fbfa92f4ae3c12ab2bdf7692be31f7a0a652ad
Instruction ID: 34e7c8111aab7411510944ea441a089d9975add1f19f3c56fe21507ae4080aa0
Opcode Fuzzy Hash: ebe70c7aaa2e36fecb43f86959fbfa92f4ae3c12ab2bdf7692be31f7a0a652ad
Instruction Fuzzy Hash: 7331D774E0420ADFCB44CF96C5819AEFBF6FB88300F10956AD915A7750D738AA41CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0090A716, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5859bdb6852f31349c169042341f37948b83274b4f9a260cafb0c4ebd36ebc8c
Instruction ID: 1898e7e6089204c81f98a8d5fef73c4a6438fe397cbfceb90e8fada1bca3143c
Opcode Fuzzy Hash: 5859bdb6852f31349c169042341f37948b83274b4f9a260cafb0c4ebd36ebc8c
Instruction Fuzzy Hash: 162110B6544300AFD210CF09EC41D5BFBE8EB88620F14C96EFD4997311D276A5149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0090A842, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12a4fe96d290831d6680944c2501df9a1158061197f3013d9e6ca345abeb6f7
Instruction ID: f6e374275797c6ded0aff34ce3c793c9552cbde4175cce0e02578826f7d06d83
Opcode Fuzzy Hash: e12a4fe96d290831d6680944c2501df9a1158061197f3013d9e6ca345abeb6f7
Instruction Fuzzy Hash: D12110B6544304AFD210CF0AEC41A5BFBE8EB88660F14C96EFD4997311D275A5148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0090A96E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31cb4d620570de2bc6681bc9c0695c044d0064dbad24d2b8abf2154ade6411f
Instruction ID: 97dab4b8ea5362d9725720315b3a7eadbb5407c76cef7a747c66a870d66094a8
Opcode Fuzzy Hash: f31cb4d620570de2bc6681bc9c0695c044d0064dbad24d2b8abf2154ade6411f
Instruction Fuzzy Hash: ED2110B6544300AFD210CF0AEC4195BFBE8EB88720F14C96EFD4997311D275A5148FA2

Uniqueness

Uniqueness Score: -1.00%

Function 052D1DF3, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6b462f33a29703a0f18cb6664fd3902298b8e69a7622bad6a33e5f28da6889
Instruction ID: dab08ccc8d665312f8d815ee6c0b3f156608fe228de89d665a6d94339ddb623f
Opcode Fuzzy Hash: ec6b462f33a29703a0f18cb6664fd3902298b8e69a7622bad6a33e5f28da6889
Instruction Fuzzy Hash: DB31C178914229CFCB64DF68C894BECBBB2BF55305F2084EA9509B7280DB759AC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0090A1A4, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd5222f1820111ca1d2ca7d5d0a55a0ba860826fcb4039bb9288dd07360da74
Instruction ID: 6fe0a5a43875581f4a5f787b32678108faebd31e54fc97600d4d0d94e12f649e
Opcode Fuzzy Hash: 3bd5222f1820111ca1d2ca7d5d0a55a0ba860826fcb4039bb9288dd07360da74
Instruction Fuzzy Hash: 4611B176644204BFD6108E0AEC41E67FFACEBC4B70F18C86AFD095B201D276B9049BB1

Uniqueness

Uniqueness Score: -1.00%

Function 052D20ED, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70cd01c04a3968d6772368b7a7fcf0ed1decc2042a808080f710b4a43f0fdbc
Instruction ID: c614e393be56a529d2605bf5f378feb9fb14ac712699051ef0c0792e8f01ce44
Opcode Fuzzy Hash: c70cd01c04a3968d6772368b7a7fcf0ed1decc2042a808080f710b4a43f0fdbc
Instruction Fuzzy Hash: 5831E178914229CFCB64DF68C884BECBBB2BF59305F1080EAD50AA7290DB755AC5DF11

Uniqueness

Uniqueness Score: -1.00%

Function 0090A3D2, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055871d84510fe9dfb9ab4c6420cc71b52d4dc671cabe30fec765b0786bf0f9b
Instruction ID: f7c53b0b19c50361f5904ab6c1741c70fc5e70d560d8bee3b3eca2a976a0cabd
Opcode Fuzzy Hash: 055871d84510fe9dfb9ab4c6420cc71b52d4dc671cabe30fec765b0786bf0f9b
Instruction Fuzzy Hash: 181190B6644204BFD2108F0AEC41E67FBE8EB84730F18C96AFD095B211D276B5149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0090A5EA, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4dffa4311b7d1612235d12c8a09e3292d6a022a78b55c4beb61a7dbc34c845
Instruction ID: 31e27e3b481307cd9c34178ebde6478abe2f99d63d0271f6b200aec21105f57a
Opcode Fuzzy Hash: 3f4dffa4311b7d1612235d12c8a09e3292d6a022a78b55c4beb61a7dbc34c845
Instruction Fuzzy Hash: 761190B6644200BFD2108F0AEC41E67FBE8EB84630F18C96AFD095B311D276B5149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 049F15B1, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9c0fd4126267fe8b08bd228ee105efab2fdae7480058789b569a2b62a17750
Instruction ID: f1903f56fcf7c7549984a09711af6c93c18dd2d8cc6d5b4ac84fd1d5f8c3469f
Opcode Fuzzy Hash: ba9c0fd4126267fe8b08bd228ee105efab2fdae7480058789b569a2b62a17750
Instruction Fuzzy Hash: 34212A70E09209DFCB04CFA9C9819AEFBF2FF89304F1488A9D505AB215D730AE418F91

Uniqueness

Uniqueness Score: -1.00%

Function 049F93EA, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c0900f50d403e3c35bc34f50fa82b6dc601e0d07b767ebb164dc534bc174bc
Instruction ID: 38e9a037edd27fc6c84a7fd784c0522bf454b5d4332c0566804f49611e4fb635
Opcode Fuzzy Hash: 38c0900f50d403e3c35bc34f50fa82b6dc601e0d07b767ebb164dc534bc174bc
Instruction Fuzzy Hash: 032114B4E09218CFCB05DFA9D8446EEBBB2FB88300F1085A9D915B7350E7342945DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0090A1BA, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd42e6d65fbf05fc2e1c3b93ae744a28de6accc5ed79b5eaf4fdf8d3d243426
Instruction ID: d706166a75459a14433273bcd81130ac6623c54d6b937495db4632379707207c
Opcode Fuzzy Hash: 9bd42e6d65fbf05fc2e1c3b93ae744a28de6accc5ed79b5eaf4fdf8d3d243426
Instruction Fuzzy Hash: 8711A376644204BFD6108E0AEC41E66FB98EB84731F18C86AFD095B201D176B5149BF1

Uniqueness

Uniqueness Score: -1.00%

Function 049F8829, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780a8770a071b0ea3439c617ffc337849d2b74f42a550ff394bce064a35e5f9d
Instruction ID: 8ffeb6cbddefc2a3e5f7a90a2d5b8571ba48f4ab8fa957a754f128680f829d85
Opcode Fuzzy Hash: 780a8770a071b0ea3439c617ffc337849d2b74f42a550ff394bce064a35e5f9d
Instruction Fuzzy Hash: 362163B4D09249EFCB44DFA8D9819AEBFB1FF89314F1084AAD411A7290D334AA12DB11

Uniqueness

Uniqueness Score: -1.00%

Function 049F8DB2, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a6461b9d11436a648ba0a792e42a2ed68b079e1ac310981b4f9abe2944baaa2
Instruction ID: bfc177666e86515f216ec1617daf7849589526516b405c6f4c4e7ce6316c8146
Opcode Fuzzy Hash: 2a6461b9d11436a648ba0a792e42a2ed68b079e1ac310981b4f9abe2944baaa2
Instruction Fuzzy Hash: 3211E330A0A509DFCB46FFA4DC849A97B3AFF16304F10CAA6D90957266E7316D42DF00

Uniqueness

Uniqueness Score: -1.00%

Function 049F83B0, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9440d2a85f48d5901395527fb1a62dfcea18456b78f590a46b66e2451a2ac5c
Instruction ID: 1b56e44228d41b2bdf7c2ca3eadb22256d905f918536464523724966d8a1d48f
Opcode Fuzzy Hash: b9440d2a85f48d5901395527fb1a62dfcea18456b78f590a46b66e2451a2ac5c
Instruction Fuzzy Hash: 92212974E04109EFCB44EFE9C9446AEBBF6FB88300F108469D915A7294D7706A01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 049F83A1, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da603b01c43294eb0c21b695555c31597576e5b279afe7f7d40373c9fcba7db2
Instruction ID: 0aa9eea5decd10e00e1c89fe8aa1a71478a8ffeb8bf62a5ef31afbd2e68eefd6
Opcode Fuzzy Hash: da603b01c43294eb0c21b695555c31597576e5b279afe7f7d40373c9fcba7db2
Instruction Fuzzy Hash: F0215BB4E08209EFCB44EFA5C8455AEBBF2FB89300F10C4AAC505AB294D7706A11CF91

Uniqueness

Uniqueness Score: -1.00%

Function 052D0C58, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a844642099e6e77c87cc311717d5c0f5b2f76f46a9827b75dfd9de0e430bffe
Instruction ID: a5a6634b66356ce0fb9183d9a79cfd0afb444dd2832195388a4920780ac291f0
Opcode Fuzzy Hash: 4a844642099e6e77c87cc311717d5c0f5b2f76f46a9827b75dfd9de0e430bffe
Instruction Fuzzy Hash: B121F475D2520A8FCB00DF98C596AEEBBF1FF49300F10815AD855A7361E734AA41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 049F8C4F, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 139054e33999556cf67ca79dd741847bb0b5ab59b985928efc3206d36a2d8e76
Instruction ID: ec0ac5f018fbe3568a1aa9388c295fe200de0d66ea101d2f94b3ce6bc57556f9
Opcode Fuzzy Hash: 139054e33999556cf67ca79dd741847bb0b5ab59b985928efc3206d36a2d8e76
Instruction Fuzzy Hash: 7A11BEB4D04249AFCF06CFA4C980AAEBFB2FF89300F1081A9D91067392D7315A11DB92

Uniqueness

Uniqueness Score: -1.00%

Function 023C075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306865902.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d740cf4595fe55aebd55c482b24ff72d1f4109f1f7119a840003230f4268a87
Instruction ID: a7a64ba736248485e42413d4d0f24724dcebe4057b2d5938dd3e6be85de41356
Opcode Fuzzy Hash: 0d740cf4595fe55aebd55c482b24ff72d1f4109f1f7119a840003230f4268a87
Instruction Fuzzy Hash: 3011A2342442C4DFD71ACB54C984B26BB95EB48B08F34C5ACE9491BA53C77BD803CB51

Uniqueness

Uniqueness Score: -1.00%

Function 023C0726, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306865902.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3966e9649fb85ab8ace7049261299b0c800bf85f73d02993375375c5aa7637d
Instruction ID: 653148a38964a398114ba47fa859b7a056d1e4a56c52ef94c9da19d854f5e291
Opcode Fuzzy Hash: f3966e9649fb85ab8ace7049261299b0c800bf85f73d02993375375c5aa7637d
Instruction Fuzzy Hash: E02149355093C08FD7178B20C890B55BFA1AF47714F2985EED4888B6A3C33A880ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 049F3018, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151392f6403ab7ca5cd7762cca3391af2139066fdd5a023587df1119eb76f1e3
Instruction ID: 38c157651dbf14c5b586bff2181d47375ede2e2373ed7ce43b247aac75e1d996
Opcode Fuzzy Hash: 151392f6403ab7ca5cd7762cca3391af2139066fdd5a023587df1119eb76f1e3
Instruction Fuzzy Hash: 20117CB0D19209EFCB04CFA5D9854ADFFB1EF45300F18C9BAD815AB212D338AA41DB41

Uniqueness

Uniqueness Score: -1.00%

Function 049F8838, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b230fa6a6896c111cd1335016c5dd6ff605f850238d20df9278699ce498ed3
Instruction ID: abda8b8b00217501b0abab416b95a2510a10fe41bb8c7635b10a61dc94f1ae67
Opcode Fuzzy Hash: a6b230fa6a6896c111cd1335016c5dd6ff605f850238d20df9278699ce498ed3
Instruction Fuzzy Hash: C92167B0D19209DFCB44EFA8D9405AEFBB1FF89301F5094AAC425E7250D734AA41DF51

Uniqueness

Uniqueness Score: -1.00%

Function 049F9BB8, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e966476096dece4ddf50b35fb76379bf2bf2a88e7978297c9b83c832f446ed1b
Instruction ID: 9a0501dcb2dc95b4204a327c79da4e6e066cd57cb9606381b1ab4d0f31439194
Opcode Fuzzy Hash: e966476096dece4ddf50b35fb76379bf2bf2a88e7978297c9b83c832f446ed1b
Instruction Fuzzy Hash: 2C11C470D2E348DFCB02DFA8C89575CBFB5AF46301F1480EAC80097262D7382906DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0090AB09, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6fb52c645e0df752081a5a0329a3e8f3ecded39a0f2aedaa3d87eaf0e0b0c2
Instruction ID: ee85d1f866dea69d68f08edd256fe3f5011c1ed848f6dc3ee1450337466c2dec
Opcode Fuzzy Hash: de6fb52c645e0df752081a5a0329a3e8f3ecded39a0f2aedaa3d87eaf0e0b0c2
Instruction Fuzzy Hash: 4B11D7B5908301AFD350CF19D881A5BFBE4FB88664F04896EF89897311D231E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 052D0C68, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3689b7519427255beb2d82ab86b72a25210c8e663dfa4773bcf1a5cf8624a7
Instruction ID: 016eaa48e201a1fd27a0c1f0d0fb76bfbbd0ab538a425f6b3a1413f6e421a09f
Opcode Fuzzy Hash: 4c3689b7519427255beb2d82ab86b72a25210c8e663dfa4773bcf1a5cf8624a7
Instruction Fuzzy Hash: 6621AF75D1520A9FCB04DF98C589AAEFBF5AF48310F108069D815AB361EB74AA40CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 049F0006, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04e2a133e36ca14af1836de1ee36ac58f62e8ce5bd5255c8a18b668799d5c5b
Instruction ID: e73d1529494ae4af71067cc168f4147855860031b750a71bcce0b16f461ccd66
Opcode Fuzzy Hash: c04e2a133e36ca14af1836de1ee36ac58f62e8ce5bd5255c8a18b668799d5c5b
Instruction Fuzzy Hash: F90104A184F3C14FC7038B745C69599BF749F13209B1E80FBC889DB0A3E268091ADB67

Uniqueness

Uniqueness Score: -1.00%

Function 049F4DC8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c8e816e956af4ae791eeb90b41165dea4260cf2c85acdabc9bdcbe879a8f6e
Instruction ID: 28af57bb9a2b824928056aaecfc634779d715021f2b5dd393a70484300819c6c
Opcode Fuzzy Hash: d6c8e816e956af4ae791eeb90b41165dea4260cf2c85acdabc9bdcbe879a8f6e
Instruction Fuzzy Hash: D411A170C69208EFDB14DFB4E59555EFFB4EB96310F2098BAC502E7190D734AA40DB05

Uniqueness

Uniqueness Score: -1.00%

Function 049F4F01, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2fb528ecf991ccafe21c14440ab71ef43ecef5aea2d756c663c6fdbeb9274b
Instruction ID: 07f1df0169fcbb8b7a0600a246838522b01f0c30f075dacc10f4afb481cc6636
Opcode Fuzzy Hash: 4a2fb528ecf991ccafe21c14440ab71ef43ecef5aea2d756c663c6fdbeb9274b
Instruction Fuzzy Hash: 2D01AD70C59609EFDB04CFA5D58199DFBB2EF46200F1095EAD009AB260D7346A01CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0090A118, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee75d330fcaf73fef55931b4e1b85240ce88468691cfff39c2dcd050adfe1bc2
Instruction ID: dca44b9da60011185d1470d650a71ed68f867d9198a6372ba9dd529291c56e29
Opcode Fuzzy Hash: ee75d330fcaf73fef55931b4e1b85240ce88468691cfff39c2dcd050adfe1bc2
Instruction Fuzzy Hash: 3801D47640D3C06FD31347259C55A92BFB8DF43620F0884CBE9888F193D1266909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 049F4DD8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9dde932c33832df06c98e1df6612fe7ea0658e466eee02b50f53f4ce188458
Instruction ID: ea25f11e52c861f2b0b0fabaf3a395e29e832544b03af56961ed97b23c14db0b
Opcode Fuzzy Hash: 0c9dde932c33832df06c98e1df6612fe7ea0658e466eee02b50f53f4ce188458
Instruction Fuzzy Hash: 1801B570D59208EFDB14DFE4E65555EFBB8EB86301F1098B9C106A7290DB34AB40DB45

Uniqueness

Uniqueness Score: -1.00%

Function 049F4F10, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93281212fcdd468764070d8c3c8bb94a82c281c418ac6eb82d88770ae78997f4
Instruction ID: 84d9a1d30a90b7ae69ca16580c23557ce037b51bf456e1158f86b86c8a111d66
Opcode Fuzzy Hash: 93281212fcdd468764070d8c3c8bb94a82c281c418ac6eb82d88770ae78997f4
Instruction Fuzzy Hash: FF019E30D55209EFDB04CFA5D68159EFBB5EF45200F1094B9D109AB214E634BB009B45

Uniqueness

Uniqueness Score: -1.00%

Function 023C05CF, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306865902.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02156173731fb73382a601020b1ea97f315cd1d65eca749e8b09ca3544ee39e2
Instruction ID: 3288664b287d5feb18b1e2d5839fc504d705b6e37a2d5e086e618c6198c99480
Opcode Fuzzy Hash: 02156173731fb73382a601020b1ea97f315cd1d65eca749e8b09ca3544ee39e2
Instruction Fuzzy Hash: E201A77650D7805FD7128B15DC40862FFA8DE86620748C49FEC498B612C129A904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 049F30E0, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fa9a8febb1dfed875db906ef345f015b3bdeb6669f8aff40174cf93674d5c9
Instruction ID: 200579c35f3cdb363cc8e9dcdc2555993c775107037ed416b112d5169b97e886
Opcode Fuzzy Hash: 26fa9a8febb1dfed875db906ef345f015b3bdeb6669f8aff40174cf93674d5c9
Instruction Fuzzy Hash: 0601EC78A05108EFDB05DBA8D989A9DBFF2FF49300F05C0A5E504AB361D634AA51DB41

Uniqueness

Uniqueness Score: -1.00%

Function 049F8778, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600c68d66fa161155ed90d48b038155a377ede471b65f45ebb2960acba10e90e
Instruction ID: a816133b1287d986f2d9f10f44c450bd6083af5639f744a82de3506b86332f65
Opcode Fuzzy Hash: 600c68d66fa161155ed90d48b038155a377ede471b65f45ebb2960acba10e90e
Instruction Fuzzy Hash: E6018C72D081599FCF06DFA4D8455EEBB76EF86301F00806AE9007B651C775191ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 049F30F0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed39a4413e79c5ed1d4c252918e768572f8f5872c6e570d0ef85da5836f18abd
Instruction ID: 992a3d4a4b2385457d7139173bac7c77edcb33d3f860926d4381fe52ed5219e0
Opcode Fuzzy Hash: ed39a4413e79c5ed1d4c252918e768572f8f5872c6e570d0ef85da5836f18abd
Instruction Fuzzy Hash: BBF07978A04208AFCB04DFA9C989A5DFFF5EF48300F15C0A4D908AB361D634EA50DB41

Uniqueness

Uniqueness Score: -1.00%

Function 049F8788, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c7d343bd150b7dee3a734390a5b799b97b236d3d571e494b2d4edbc6b32bd0
Instruction ID: 76bc23d823f17773c52b1373bf7f77f347ad3c01376faff437430b635a75a27d
Opcode Fuzzy Hash: b2c7d343bd150b7dee3a734390a5b799b97b236d3d571e494b2d4edbc6b32bd0
Instruction Fuzzy Hash: 55F03A32D001199BCF06EFA8D8445DEBB76EF89311F00802AE9103B250CB766919CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052D142F, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b5b84b9be984ff5d130ed929b70b7222b4ac6c68038fd5a067c0ba138bf052
Instruction ID: 4c103272f97b51d398263193092e09bfe92c0994347c9f90405ccd99e5b109f6
Opcode Fuzzy Hash: c5b5b84b9be984ff5d130ed929b70b7222b4ac6c68038fd5a067c0ba138bf052
Instruction Fuzzy Hash: 17F08C349AA2489FCB04CFA0E5555AEBF71FF8A300F2092E9D89993652CB341A06DF54

Uniqueness

Uniqueness Score: -1.00%

Function 023C0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306865902.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction ID: 37fe97b25501659acb6cc2c1837184228f6bc7737a405e498b9e6c11a52708be
Opcode Fuzzy Hash: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction Fuzzy Hash: 25F0FB35108684DFC616CB44D940B15FBA6EB89718F24C6ADE9490B752C3379813DB81

Uniqueness

Uniqueness Score: -1.00%

Function 049F503A, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8d09685c6f23c95215db8b439ddb74ff04ec1ba1b49d195c2e8192685142a7
Instruction ID: 4446f7e3cfdf591ca38d958a4211c3a6caee6d35eb7ed04a9cc01e602c8ad770
Opcode Fuzzy Hash: 8c8d09685c6f23c95215db8b439ddb74ff04ec1ba1b49d195c2e8192685142a7
Instruction Fuzzy Hash: D6012434A14654CFCB04CFA4CD88A99B7B2FB89311F0088A9D50AAB755D774AD858F00

Uniqueness

Uniqueness Score: -1.00%

Function 052D2A89, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c80282529e39edd5c17156d9b43776179a947eba5924b6c8d51a1d41747e03a
Instruction ID: 5a86eff2f1ef73eaffd886f169a1ece96a0cb6c19c64329dc93311ec877d0762
Opcode Fuzzy Hash: 4c80282529e39edd5c17156d9b43776179a947eba5924b6c8d51a1d41747e03a
Instruction Fuzzy Hash: 8CF08C78958288DFC711CFA4C5555AEFFB0FF1A300B2581DBC89987262C6354A42EB11

Uniqueness

Uniqueness Score: -1.00%

Function 049FA08C, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2dc572355382c49c8d29070a9b8a1a4654e695571497f057bd4af5aaa1c217
Instruction ID: a918ebc7c593bacb6e39006fbfc2da4020db650b41f24bd6f490e5332236faac
Opcode Fuzzy Hash: 2c2dc572355382c49c8d29070a9b8a1a4654e695571497f057bd4af5aaa1c217
Instruction Fuzzy Hash: C301D038A1015ACFCB20DF64E948B9DBBB1FB88300F1085E9E54AD3645DB711E419F11

Uniqueness

Uniqueness Score: -1.00%

Function 052D1488, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ae1409083902310bad90e766057177d0e12e9762edd05e45d0242d9ac4502d
Instruction ID: 4fcd32ea1428561e6bc280bfc42d3e47532f4fcc244f4769097df73eefd104d1
Opcode Fuzzy Hash: 42ae1409083902310bad90e766057177d0e12e9762edd05e45d0242d9ac4502d
Instruction Fuzzy Hash: 8EF0ED749692089FCB00CFA4C9525EEBF70EF06300F1086AAD85983202C6381A42CA14

Uniqueness

Uniqueness Score: -1.00%

Function 049F898A, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b2022235d8c1ac8a01527ad65372e16d7208542d661256c9715bbd8b88776f
Instruction ID: 86240e9c4329c42424c5c70a491fdba5210afcbae81d2aba5fd8694e1fd0f57a
Opcode Fuzzy Hash: 95b2022235d8c1ac8a01527ad65372e16d7208542d661256c9715bbd8b88776f
Instruction Fuzzy Hash: 8DF08274D092489FCB55DBA8D4966ACFFB1EF01314B1482DEC8545BB92D7342A02DF42

Uniqueness

Uniqueness Score: -1.00%

Function 049F01C0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf609ed1998a25c60847970a61a75e95f4461f563bf3d22ebb5f7922e0ac528
Instruction ID: 3850bd0cd2997cbd3bf36787686be39de0d13f799181931af77ff90bb9a75334
Opcode Fuzzy Hash: cdf609ed1998a25c60847970a61a75e95f4461f563bf3d22ebb5f7922e0ac528
Instruction Fuzzy Hash: 5BF01270E16219EFCB54CFA4EA849ACB7F7FB49310F1058A5E50AAA255D7309E418B00

Uniqueness

Uniqueness Score: -1.00%

Function 052D2AD8, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590ca90208b7ca84c340a050b761037a6e1fcaffe2264a318c41becde571c892
Instruction ID: 629e7e4ddb6b9d958a140f4db640920f047a49eeebe0b0c760190f2881837ded
Opcode Fuzzy Hash: 590ca90208b7ca84c340a050b761037a6e1fcaffe2264a318c41becde571c892
Instruction Fuzzy Hash: 7AF0A074A1E248DFC701DFA8C95169DFFB4FF07214F2482DAC89897292C7711A01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 049F9068, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e23c64c70cb922f9de38177ca5cad262159366a7c4b00e675bfa0febde21181
Instruction ID: af970ecc232a54d652d7d721d37012539fa77894e40ccb938cf4b39ddb80e8f3
Opcode Fuzzy Hash: 3e23c64c70cb922f9de38177ca5cad262159366a7c4b00e675bfa0febde21181
Instruction Fuzzy Hash: B4E092B1D2A208CFDB04DFA498457ADBBB4EF06315F1441E9CD0463222E7302925EB55

Uniqueness

Uniqueness Score: -1.00%

Function 049F6B18, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb52580b99fa86686fe501c254924c3344b61e31aa2f04e864fc0918f00f47c
Instruction ID: 4f6166e01fad2d0508fd6fe5726f3931be4a0aa0ac8a4b21e70009fc52412728
Opcode Fuzzy Hash: 5cb52580b99fa86686fe501c254924c3344b61e31aa2f04e864fc0918f00f47c
Instruction Fuzzy Hash: ABF02B758552089FCB01DFB4CC859CC7FB0FF06304F2041A9D80497661E3318666CB01

Uniqueness

Uniqueness Score: -1.00%

Function 023C05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.306865902.00000000023C0000.00000040.00000040.sdmp, Offset: 023C0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ddd00c6f2e2cb84a77c35319b70388be613d12c526d1dad9802fb50b59271f1
Instruction ID: 49da049bf35aa6c4d0d293d6adfcfa560dd481a81fdefdcc74004d20b6568ece
Opcode Fuzzy Hash: 0ddd00c6f2e2cb84a77c35319b70388be613d12c526d1dad9802fb50b59271f1
Instruction Fuzzy Hash: D0E092766406004BD650CF0AEC41856FBD8EB84630718C07FDC0D8B700D536B504CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 049F6787, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79bc53458b0890fa0fcaf96d7f389721ee8e32b2e472022fd23c1bef14ae0013
Instruction ID: f50176d0a01489ea33d4af4bc275ceec416a5dfe8074029908b1a28324077830
Opcode Fuzzy Hash: 79bc53458b0890fa0fcaf96d7f389721ee8e32b2e472022fd23c1bef14ae0013
Instruction Fuzzy Hash: EDF0B739A103189FDB04CF90CE44BD9B7F2EF49300F1544A59509AB666D735AE54EF01

Uniqueness

Uniqueness Score: -1.00%

Function 0090A6A3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb77909424172f4173c19d5b431d2afc6a7d6d1c2c6b88ce46e8ab757dc66be
Instruction ID: 53f5527554b69168b18d488f6b771242f683c777a8b3eceb200872e86406a26a
Opcode Fuzzy Hash: eeb77909424172f4173c19d5b431d2afc6a7d6d1c2c6b88ce46e8ab757dc66be
Instruction Fuzzy Hash: 34E0D87264120067D2108F06EC86F16FB98DB90A30F14C46BED081B702D072B5148EF1

Uniqueness

Uniqueness Score: -1.00%

Function 0090A14C, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 662b71d89023d3b350000d34a64457fa7f3d9b0acfe50194454b55dd67b6ace7
Instruction ID: 9630b8965d4de31b7dbc4527e45c8f85050dbca094c34e0493c4e069286d8948
Opcode Fuzzy Hash: 662b71d89023d3b350000d34a64457fa7f3d9b0acfe50194454b55dd67b6ace7
Instruction Fuzzy Hash: D9E0D872A4130067D2109F0AEC46B12FB9CDB80A31F54C46BED0C1B302D076B5048EF1

Uniqueness

Uniqueness Score: -1.00%

Function 0090A7CF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77753ff7152dbbcc34b0b5a8d72038deb9697ede5855f2d88f147d62c8018e5e
Instruction ID: 317045f449cc3ae3e463014816ee8fa5be8bd5b7b7df90ea0eb5786797741b6e
Opcode Fuzzy Hash: 77753ff7152dbbcc34b0b5a8d72038deb9697ede5855f2d88f147d62c8018e5e
Instruction Fuzzy Hash: FFE0D8726412046BD2108F06EC87F16FB9CDB90A70F14C46BED085B702D072B5048EF5

Uniqueness

Uniqueness Score: -1.00%

Function 0090A57B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7024a441f1dfb9e1c34e4760389b44dea63688e8e0cfc93095c0eda00212e5
Instruction ID: 2f8ffbeb2de46338cee18267e858864a50979fd397aee6343306543ac85ada44
Opcode Fuzzy Hash: 4d7024a441f1dfb9e1c34e4760389b44dea63688e8e0cfc93095c0eda00212e5
Instruction Fuzzy Hash: 6EE02072A4130067D2208F06EC46F22FF9CDB80A31F54C46BED081B302D076B5048EF5

Uniqueness

Uniqueness Score: -1.00%

Function 0090A8FB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1c7c9f571529f5b64a501818b399ca686c3f3070d8fd33f53fd3c979e0b1bb
Instruction ID: dc8dc0a4847040c54b975c8b13d6391c1b4816f3543e5d78e8e64147908052ee
Opcode Fuzzy Hash: ea1c7c9f571529f5b64a501818b399ca686c3f3070d8fd33f53fd3c979e0b1bb
Instruction Fuzzy Hash: E5E0D87264120067D2109F06EC46F17FB98DB90A30F14C46BED081B302D072B5048EF1

Uniqueness

Uniqueness Score: -1.00%

Function 0090A363, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f367c8385b74704859b50335c5b6f4006c0b851cced6976377d1f8c163686fe
Instruction ID: 22b82f91e9afbbd65749d9371c29615f49e079ba97ca344bdf35b2a49a92c610
Opcode Fuzzy Hash: 3f367c8385b74704859b50335c5b6f4006c0b851cced6976377d1f8c163686fe
Instruction Fuzzy Hash: B6E0207264130467D2108F06EC46F12FB9CDB80A30F58C46BED081B302E076B5048FF5

Uniqueness

Uniqueness Score: -1.00%

Function 0090AB6B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305120183.0000000000902000.00000040.00000001.sdmp, Offset: 00902000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14421607dc800a918509e32ae07796a7a24013ff010067e25b656a94a3054b1f
Instruction ID: 0d094b0489cb211c0128e769e399218685b9d34eaa06e9d7a8b9c31890cca510
Opcode Fuzzy Hash: 14421607dc800a918509e32ae07796a7a24013ff010067e25b656a94a3054b1f
Instruction Fuzzy Hash: 45E0D87264130067D2108E06EC46F22FB98DB80A30F14C56BED081B302D072B5148EF1

Uniqueness

Uniqueness Score: -1.00%

Function 049F8DC0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a47c243f5c8dce65958cb1e2baa04906b8c3bd0d08eeb6b608cedc9c279df3
Instruction ID: 44ac8f4b8dc594f10e69f18ec9cd2f952c2da9a6001a4799322d3f5db0513d01
Opcode Fuzzy Hash: d7a47c243f5c8dce65958cb1e2baa04906b8c3bd0d08eeb6b608cedc9c279df3
Instruction Fuzzy Hash: EFE04F31919108EFCB48EF94DC456BEBB39EF56311F1090699C0523251DB306A50EB95

Uniqueness

Uniqueness Score: -1.00%

Function 052D13F1, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ce53cd29642346d3e438897e9361627217000d3087af3e48fe251fce525ee9
Instruction ID: a65874ec560a8c062bcf0b28fb0fda4765fa665e9afa9d4ab692d36ad2c1a90f
Opcode Fuzzy Hash: a6ce53cd29642346d3e438897e9361627217000d3087af3e48fe251fce525ee9
Instruction Fuzzy Hash: 58E0267056E2808FC305DF64E8195BABF30AF47205F1401EAD489531A3C6320A16CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 049FA5CF, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3628d2afd55e76d6ea138af209a6c042fdc4796c4a3740353b6afc0095c1277
Instruction ID: 548301e658ceb6a19da6a78d95c3796b6e31c05655565f21a728463b5e77ce7e
Opcode Fuzzy Hash: a3628d2afd55e76d6ea138af209a6c042fdc4796c4a3740353b6afc0095c1277
Instruction Fuzzy Hash: A9E02639959184DFC302D7F4D88249D3FB1EF06200B1544D5C80C87263DA392D0BCB01

Uniqueness

Uniqueness Score: -1.00%

Function 049F4EC0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40a57b5466b2e2a7f13ed7c225d509a47c1b288be0d0267edffc35c15c0967aa
Instruction ID: dbdd72e5c40b78cc9af040402417c2c2f5b1a019def8cc91ddd98707bc802baa
Opcode Fuzzy Hash: 40a57b5466b2e2a7f13ed7c225d509a47c1b288be0d0267edffc35c15c0967aa
Instruction Fuzzy Hash: 9BE07DB4C1F2844ECF12DBB44D9629DBFF0DB12301F2541FEC48192652D1340716C712

Uniqueness

Uniqueness Score: -1.00%

Function 052D03CF, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaff6e4de811c0793b58a5428f4f416e1fef6b47af213153af1cd4314d4c27d7
Instruction ID: 2fb7ba76ec702996eb966aff172fded2275ee9a5a3a300b5aa6855cc57a7447d
Opcode Fuzzy Hash: aaff6e4de811c0793b58a5428f4f416e1fef6b47af213153af1cd4314d4c27d7
Instruction Fuzzy Hash: 8AE0D87451D2C4CFC753DF78D495498BFB1AF47204B2544DAC88897263DB311E06CB45

Uniqueness

Uniqueness Score: -1.00%

Function 049F8C60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01c33cf0f01997ed52dece77741e88a6a5a962ef1fd5745b1acfd38bdd1a3e7
Instruction ID: 31faf345c9182a1389b8a2c80bbe2b3671dc835e3f5d77399d190a06dd7b0339
Opcode Fuzzy Hash: c01c33cf0f01997ed52dece77741e88a6a5a962ef1fd5745b1acfd38bdd1a3e7
Instruction Fuzzy Hash: 36F0C075D1020CAFCF45EF98D945A9DBBB5FF48300F008569E91453250D7755660DB51

Uniqueness

Uniqueness Score: -1.00%

Function 049F8909, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079325135be95db5554586ce5adfb8890796546786e3847870ba2a2cbacbc6a1
Instruction ID: cdf5d0d490e47d454ace7a836b588e6c89165076820a26512ef295ec774a1174
Opcode Fuzzy Hash: 079325135be95db5554586ce5adfb8890796546786e3847870ba2a2cbacbc6a1
Instruction Fuzzy Hash: 86E01AB0D5A2489FCB51EBB8D88A69CBFB49B05304F1481FEC809A2A52D2341A55CF52

Uniqueness

Uniqueness Score: -1.00%

Function 049F93A2, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea7f7c3cc1d751585a5a0e310f6f7b54d1817f1464afb1a8d010f22208f0289
Instruction ID: e4f87da72f00c92fbe82612b2b3c485438f647219572909843e262b4510c416d
Opcode Fuzzy Hash: 3ea7f7c3cc1d751585a5a0e310f6f7b54d1817f1464afb1a8d010f22208f0289
Instruction Fuzzy Hash: CBE065B0D1A208DFCB05DFA4E88569DBBB0AB46300F1080FAD804932A2C7302A41EF01

Uniqueness

Uniqueness Score: -1.00%

Function 049F9EE1, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8b4dce9b40f5f1f5ccbfa5f88394426919de6657c54a73f148aa59e849d189e
Instruction ID: 8442519d78bf73a95612909626feeafafc739775ef4fefa0d0691af253c0bfb8
Opcode Fuzzy Hash: f8b4dce9b40f5f1f5ccbfa5f88394426919de6657c54a73f148aa59e849d189e
Instruction Fuzzy Hash: 29F0D474A12119CBEB509F54ED48FADBBB2FB88301F1046A9EA0AA7280DB305D45CF09

Uniqueness

Uniqueness Score: -1.00%

Function 052D2B20, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8533046420d4657a6b8526cba4d0eba0eae73cd52d22af7508cd6e1bec31e4
Instruction ID: d55d76d34d1ed0f4d1d259504162901a51e71b33b06c68a54f446429b54c1946
Opcode Fuzzy Hash: 9b8533046420d4657a6b8526cba4d0eba0eae73cd52d22af7508cd6e1bec31e4
Instruction Fuzzy Hash: 89E08C7592E248CFC341CFA4889176ABB79AF42308F1040DA840557162C6781A11D721

Uniqueness

Uniqueness Score: -1.00%

Function 052D2987, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660891e18a88434ec26ba397a902b506e03c7bbfc9a18e6e653a8dfbf79b854b
Instruction ID: 304d157832aec9800cb58c96ac938f4d52cf24fb7f2069c07ec99acf877e96e4
Opcode Fuzzy Hash: 660891e18a88434ec26ba397a902b506e03c7bbfc9a18e6e653a8dfbf79b854b
Instruction Fuzzy Hash: F1E08C7596E240CBC316DF70C6863A9BB21AF42204F3804DE84881A252CA364900DB66

Uniqueness

Uniqueness Score: -1.00%

Function 052D2A98, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2034f5d33cc3524cd21df14bb428fea73f861a580569098a46e798620df9f961
Instruction ID: c0171b8f7879f407859d597e741c82121e510204daddd0441c1a05fe2a7c04ec
Opcode Fuzzy Hash: 2034f5d33cc3524cd21df14bb428fea73f861a580569098a46e798620df9f961
Instruction Fuzzy Hash: 83E01A78D18208EFCB14DFA8D5419ADFBB5EF48300F14C0AADC5853341D6399A51DB95

Uniqueness

Uniqueness Score: -1.00%

Function 049F9BC8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71476db6b3684f0dc527c1c409916e5148a4c4058bd7205aea9975ec9c50574e
Instruction ID: 0b4ec6cf4af40a5358230e16c8c23ec66b6f7f130b3bac6186611a2fe5c059c0
Opcode Fuzzy Hash: 71476db6b3684f0dc527c1c409916e5148a4c4058bd7205aea9975ec9c50574e
Instruction Fuzzy Hash: 62E046B0D1820CEFCB14EFE8D840AADBBBAEB44311F2080B9D80423300D7316A90EF95

Uniqueness

Uniqueness Score: -1.00%

Function 049F1FFC, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb584f6236c4d050e67f3933f89fb10c0e6d8f0ad6e170f7da08eb4191a2935
Instruction ID: d0c784c7bd156b2b3e20147968948355a16c338e62e830270acbf28c3cade983
Opcode Fuzzy Hash: ddb584f6236c4d050e67f3933f89fb10c0e6d8f0ad6e170f7da08eb4191a2935
Instruction Fuzzy Hash: D0E09AB5A05348CFCB21CF60C8843C8BBB6EB06700F1091AAC494AB318D3325A42CF84

Uniqueness

Uniqueness Score: -1.00%

Function 052D2AE8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3090d8329cee78f20c4ec9be2b4a1ee498f56f829df6c962fbe59a9f3fdcf040
Instruction ID: 7e1515e3b76dbbb48ee1b9f6609e20255470054ad93695e6f574a79fcb7801f9
Opcode Fuzzy Hash: 3090d8329cee78f20c4ec9be2b4a1ee498f56f829df6c962fbe59a9f3fdcf040
Instruction Fuzzy Hash: BEE04F74D14108EFC704DF98D5816ADFBB4FF49304F2080ADC80853341CB716A01CB55

Uniqueness

Uniqueness Score: -1.00%

Function 049F201B, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0623f44884ad7e91ab3051860a6bdd96aee96f4e50b3b9ba66f706da9f61e8
Instruction ID: ae387c21922f3e2e19243db95144bb119bc685a517bd1872565d1d33a06efcf5
Opcode Fuzzy Hash: 4b0623f44884ad7e91ab3051860a6bdd96aee96f4e50b3b9ba66f706da9f61e8
Instruction Fuzzy Hash: 30F07F78A01358CFCBA0CF18C884A98BBB1FB4A311F5050D5A449A7310D730AE81CF00

Uniqueness

Uniqueness Score: -1.00%

Function 049F93B0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534b76f864cd97c6971101e8dad4edba3db92ce1e0eba0429f41367573232c97
Instruction ID: b1d141d8ee9e5dab34c91a0b47f12e7f555b2045111677116bd9734e956e7e76
Opcode Fuzzy Hash: 534b76f864cd97c6971101e8dad4edba3db92ce1e0eba0429f41367573232c97
Instruction Fuzzy Hash: E3E0EC74E19208EFCB04EFE8E8456ADFBB8EB45310F1091B9D81463360D6702A44EF95

Uniqueness

Uniqueness Score: -1.00%

Function 049F6B28, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1885274ccc97a2dacb666ee2630ad8eb6904baff559d15ec5f39b79d0b32c9a3
Instruction ID: 1a459166396bdf75a12c7bad385c006eb34f9c69550657f0a510e6aa3311830a
Opcode Fuzzy Hash: 1885274ccc97a2dacb666ee2630ad8eb6904baff559d15ec5f39b79d0b32c9a3
Instruction Fuzzy Hash: F1E0C23186120CEFC704EFB4C945A9DBFB8FF04301F5040B9D90443260E731AAA4DB91

Uniqueness

Uniqueness Score: -1.00%

Function 052D1498, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6666739ab2014eb61e08e5f7c26c78436aeeeb761779ccb1b327e0daa0c93784
Instruction ID: f2a930307ff9d2340a28949b23e92d22cef074805b011fa98c521f47bbf74237
Opcode Fuzzy Hash: 6666739ab2014eb61e08e5f7c26c78436aeeeb761779ccb1b327e0daa0c93784
Instruction Fuzzy Hash: 41E08CB8D29208EFCB04DFA8D5459ADFBB8FF84300F1082A9D81963700CA742A50DF59

Uniqueness

Uniqueness Score: -1.00%

Function 049F5854, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 819c708fccb655e8722ede3b6d9f00a61ab0905596c359944b52c588d76cbfb2
Instruction ID: 8e649eff9e1f24c1a6a0d420c55a90702e4b3e86da4988b06d424481f8b9f61c
Opcode Fuzzy Hash: 819c708fccb655e8722ede3b6d9f00a61ab0905596c359944b52c588d76cbfb2
Instruction Fuzzy Hash: C2F01574D0A299CFCB14CFA48D1169DFBB1BB15300F0486EA9109E7281E7345A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 049F8949, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5656d63a4401bc0b10cd57cbbdb5e61b1190becaa620b2f3b30c4d276db07784
Instruction ID: ff16b3334da719ffeb588e6370229f86a9385bdc42ec6487f0424ef0a332f3f4
Opcode Fuzzy Hash: 5656d63a4401bc0b10cd57cbbdb5e61b1190becaa620b2f3b30c4d276db07784
Instruction Fuzzy Hash: 77E0EE749183089FC744EFA8D18ABADFBF8AB44304F2441FEC85897661E7706A50CB42

Uniqueness

Uniqueness Score: -1.00%

Function 049F4E89, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 045c07c0885e403dc08c745e61b0ff09bca50c40fd447347d752b58a3a4c16f8
Instruction ID: fec86327fa52c7d8c629ec1b220f51b41e50d6e94db95e4cc3659d6cd26c15e9
Opcode Fuzzy Hash: 045c07c0885e403dc08c745e61b0ff09bca50c40fd447347d752b58a3a4c16f8
Instruction Fuzzy Hash: 45D0A7B146B1445FC301D7745D1A7AF3BB88B12300F2449BA9405D3591E1750805CA52

Uniqueness

Uniqueness Score: -1.00%

Function 052D1400, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d82e7e2ad0221a834735a46ba77a23546284bea43d1c546bf7f3303031b6b1a
Instruction ID: cd3b461d1f4f81aee1554c4213d6cfc6002e405e27be344cc41bbd6b1ce6caa9
Opcode Fuzzy Hash: 8d82e7e2ad0221a834735a46ba77a23546284bea43d1c546bf7f3303031b6b1a
Instruction Fuzzy Hash: EED01270D29208DBC704DFA4E94957EBF74BB45301F1041A8944923641CA711954DA99

Uniqueness

Uniqueness Score: -1.00%

Function 049F9078, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912a53e02582c0b6ad9a1a8802c2b5b1fb26de15a8db21cde1177c772fcd2c90
Instruction ID: 0d9c6fdd1f5ddf49767bea0a8d4c5420057aca0cfaceb569afa2921bd9683b2e
Opcode Fuzzy Hash: 912a53e02582c0b6ad9a1a8802c2b5b1fb26de15a8db21cde1177c772fcd2c90
Instruction Fuzzy Hash: 20D05E70E2920CDFC700EFF8D8456ADBBB8AB09315F6400A8CD0463351EA302A50EB91

Uniqueness

Uniqueness Score: -1.00%

Function 049FA5E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b59a13a7287006563ac89b1ce0e9a84fb30f908e86c097871573fa6b942f567
Instruction ID: f74b342c8583848da2b11de37ab83fc8c2ebe5c368a2c99d31db1c26c577f06f
Opcode Fuzzy Hash: 8b59a13a7287006563ac89b1ce0e9a84fb30f908e86c097871573fa6b942f567
Instruction Fuzzy Hash: C8D05E74D26208DFCB04EFE8E9466ADBF78AB09301F1001B9D90963741EA303A80DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 049F9B88, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9235e8a6494f1173f0f410ba22a174d3e5c3ae8cc1d4d7ef0de2fd730564ab1d
Instruction ID: f2f1b0fe3b20184bc0bf88891c2678b11919b155a4cf2e341ef20c2f02c4e394
Opcode Fuzzy Hash: 9235e8a6494f1173f0f410ba22a174d3e5c3ae8cc1d4d7ef0de2fd730564ab1d
Instruction Fuzzy Hash: D3E01774D38208DFC700EFA8D9856ACBBB8EB05326F2001E8D80457761E6316E44EB52

Uniqueness

Uniqueness Score: -1.00%

Function 052D03E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e2c56433670f8895bff671c991008ef68195b436f7244c206b278bf8de3dcb
Instruction ID: 4e2d58870bd8275cdedee771b34cee0d520df9731aab37d7e1c98d671750ff62
Opcode Fuzzy Hash: a8e2c56433670f8895bff671c991008ef68195b436f7244c206b278bf8de3dcb
Instruction Fuzzy Hash: 17D05B74D65108DFC744DFE8D5496ADFFB8EF45701F100099DC0953391EA705944CB55

Uniqueness

Uniqueness Score: -1.00%

Function 049F58A8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ecdc7ec9155915a0bf673acbd32126b718123ed0e0f93dc8d164acd9462d1b5
Instruction ID: 32881c3c74e2f5fb627b3cea28a14be06abe2682695b1195713852b99f217b95
Opcode Fuzzy Hash: 2ecdc7ec9155915a0bf673acbd32126b718123ed0e0f93dc8d164acd9462d1b5
Instruction Fuzzy Hash: 88E0B6319055AE9FCF41CF90CD009DEBB32AF46310F005851990A7B064D7712B9A9F90

Uniqueness

Uniqueness Score: -1.00%

Function 049F5522, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c60ef164aa99e5c129ac3ac181879c4a8eead24bceb566cff24f32200be9321
Instruction ID: 2db93135bd4705c093f59515aeeb94400c7d2bdc248c9b886c61b58b2b07415a
Opcode Fuzzy Hash: 3c60ef164aa99e5c129ac3ac181879c4a8eead24bceb566cff24f32200be9321
Instruction Fuzzy Hash: 54E0E534E152148FCB54CF94C98869DFBB1AB49320F2190E5E80AAB224D734AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 052D2B30, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6102c5e88852b79a24913750f76f3d0f25594e646180aec5cd5a3233927094fb
Instruction ID: d7b8ceff1ebcb4a17fe361d61444f06096e8cf286d08aee48eb923aa544e2e5c
Opcode Fuzzy Hash: 6102c5e88852b79a24913750f76f3d0f25594e646180aec5cd5a3233927094fb
Instruction Fuzzy Hash: 04D0223187E20CDBC300DFE8D8C2B6FF72CAF02618F10009CC408132219AB02900D2B5

Uniqueness

Uniqueness Score: -1.00%

Function 052D2998, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4a1d0af85c8ff3b906d36647df2d6dbc72ba3e08dff3be2a4a6cdc961d8220
Instruction ID: ef2b30b72d7f93f48f466c82f41241551f9e1fab9462c72ea03bc881d0301572
Opcode Fuzzy Hash: 4c4a1d0af85c8ff3b906d36647df2d6dbc72ba3e08dff3be2a4a6cdc961d8220
Instruction Fuzzy Hash: 8ED0A97082A208DBC318DBA48581BBAB32DEF42204F6000AC840802201CA725900C6BA

Uniqueness

Uniqueness Score: -1.00%

Function 049F1D9D, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9339d8cac7a1d4952a5c36fdf0d4d46b5b323076405209a1c15b53c56d71e5f1
Instruction ID: 98c9f2c45285426f2733dc3071c98fb10e61207d16df15a9fcce923868b631eb
Opcode Fuzzy Hash: 9339d8cac7a1d4952a5c36fdf0d4d46b5b323076405209a1c15b53c56d71e5f1
Instruction Fuzzy Hash: 58E07E74616314CFC754CF60D984898BB76FF09316F5045A8E4069B360CB35EA80DF00

Uniqueness

Uniqueness Score: -1.00%

Function 049FBA88, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599cef066b7a3589b99a295687d0db34aa063dcd90d25b251785ba5b9b412abf
Instruction ID: a2053575a1bb41f37f3435321c2ea8a8c28e5673552b0f42dd14c955850ad5be
Opcode Fuzzy Hash: 599cef066b7a3589b99a295687d0db34aa063dcd90d25b251785ba5b9b412abf
Instruction Fuzzy Hash: BCE05278A04359CBCB65CF24D884B48B7B9BB49200F1085D6E919A3354EA316E85DF10

Uniqueness

Uniqueness Score: -1.00%

Function 049F62EA, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcf9242a23139e5b84d6c4fd52d816ec20a27c72b0d0f8c5c4d5d8c4f429b2c
Instruction ID: 7630ef44f1fd228fec69193c1684fe3b776b45db18a15b0572de7ddf74eb474c
Opcode Fuzzy Hash: 4dcf9242a23139e5b84d6c4fd52d816ec20a27c72b0d0f8c5c4d5d8c4f429b2c
Instruction Fuzzy Hash: BCE0E534A191148FCB60CFB4D988699F7F1BB48310F2491EA980EA7724D730AE81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 008F23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305054612.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2066a80782e45db9936a9ce42c039e78bcf80a38bd1470e1431348fc63bb57
Instruction ID: 10ff6696c9eeacf241c9d3def93b69c79f6c9663200a7b54ff28fcefaa377b62
Opcode Fuzzy Hash: 2a2066a80782e45db9936a9ce42c039e78bcf80a38bd1470e1431348fc63bb57
Instruction Fuzzy Hash: 27D05E79205AC14FD327CA2CC2A8BA53B94FF61B04F4644FAE800CB663C3A8D981D210

Uniqueness

Uniqueness Score: -1.00%

Function 008F23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.305054612.00000000008F2000.00000040.00000001.sdmp, Offset: 008F2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041596532e5df71f4e7b48a6143e88135f8c908061a2a4942599bdf3b0ea837b
Instruction ID: e2eab1d513025efeb1d439bf019536b41a26625c35ad3b2cc4f4c97f68be48ad
Opcode Fuzzy Hash: 041596532e5df71f4e7b48a6143e88135f8c908061a2a4942599bdf3b0ea837b
Instruction Fuzzy Hash: 9CD05E742006854BC716DB1CC698F6937D4FB41B00F0644E8AC00CB372C7B9DC81C600

Uniqueness

Uniqueness Score: -1.00%

Function 049F0070, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58162fff1e82feb308a20020565bca66dcaae7716d54cdf87f1fa87ec1f678f
Instruction ID: 87075eca5a8cd730deb2c09fa66d1251ccd064e7fc0c6d892b973eb0605b410e
Opcode Fuzzy Hash: c58162fff1e82feb308a20020565bca66dcaae7716d54cdf87f1fa87ec1f678f
Instruction Fuzzy Hash: 06C012704692089FC310EBB59D0A61A769C9B05306F044064980883651DA715510D6A6

Uniqueness

Uniqueness Score: -1.00%

Function 049F5AAA, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2271edd11336f823c91bcdb48cc0d1051253850401f57ed0265a3a77a0a4dc
Instruction ID: 7f8a7df3b4912750ae0ac7efce60c8c53f7f9819f1a539d91e9566b3fac86d42
Opcode Fuzzy Hash: 8e2271edd11336f823c91bcdb48cc0d1051253850401f57ed0265a3a77a0a4dc
Instruction Fuzzy Hash: 54E0EC38D1622A8FCBA0DFA4CA4869CBBF1FB46300F1094D5C80AA6754EB306A44AF10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 049FA610, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

`5q, xrefs: 049FA815

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID: `5q
API String ID: 0-3867205651
Opcode ID: c3f747f812d4baa342bcb9749d4408a47e6cd86ee1a9314516fe1823383477b9
Instruction ID: 2c75d973eaf25b0808ac9118382fe75cf5986149a33b9e8ade3288ebd5ccafa1
Opcode Fuzzy Hash: c3f747f812d4baa342bcb9749d4408a47e6cd86ee1a9314516fe1823383477b9
Instruction Fuzzy Hash: 40515A70E00649CFD705EFBAEA4579DBBF6FB88304F148029D548EB26AEB701846DB51

Uniqueness

Uniqueness Score: -1.00%

Function 049F4499, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

Gz9, xrefs: 049F455E

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID: Gz9
API String ID: 0-1586353063
Opcode ID: 85b073fab83f0cf9bb971d7758b5f43534d835986e343bd95ab59b4a73f58d53
Instruction ID: c43ce62c8b217b11b5c878829d7a52e09643e896c45b514aae8c0b1245c3410d
Opcode Fuzzy Hash: 85b073fab83f0cf9bb971d7758b5f43534d835986e343bd95ab59b4a73f58d53
Instruction Fuzzy Hash: C151D8B4E0520ADFCB04CFA5D9815AEBBF2FF58304F14856AD515BB201D334AA41DF55

Uniqueness

Uniqueness Score: -1.00%

Function 049FA620, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

`5q, xrefs: 049FA815

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID: `5q
API String ID: 0-3867205651
Opcode ID: f2118c8209df1ca75b336947f209e9ef6d514081d2c314af45b67410466aa16f
Instruction ID: 89fdbae2a876037642c7554149b999b48c81f04272684614f5f09862e38a179e
Opcode Fuzzy Hash: f2118c8209df1ca75b336947f209e9ef6d514081d2c314af45b67410466aa16f
Instruction Fuzzy Hash: 42517B70E00649CFD704EFBAEA4579EBBF6FB89304F148029D548EB266EB701805CB51

Uniqueness

Uniqueness Score: -1.00%

Function 049FA85C, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

p, xrefs: 049FB877

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 7616e1592412c06653c088882c4bc95e42c5ea7580c66488de2e5bafa8d5452f
Instruction ID: 4f896c6841443530d670c50e7f91e2903b8b6a1db403ac35a780756bc39ab23c
Opcode Fuzzy Hash: 7616e1592412c06653c088882c4bc95e42c5ea7580c66488de2e5bafa8d5452f
Instruction Fuzzy Hash: AD415FB1E056188BEB5CCF6BCD4178AFAF3AFC9300F14C5BA850DA6215EB3019868F15

Uniqueness

Uniqueness Score: -1.00%

Function 049F4831, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

?}-{, xrefs: 049F4886

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID: ?}-{
API String ID: 0-853032627
Opcode ID: 0296878caeec60bcb4cc43cf2fda6a0a491bcc0d2cfcd8ac72cc51847f9cffa3
Instruction ID: 8e83807becaac74b84a9a3d4d5a45602ab70823aad0ceef1b51d64d9849efed3
Opcode Fuzzy Hash: 0296878caeec60bcb4cc43cf2fda6a0a491bcc0d2cfcd8ac72cc51847f9cffa3
Instruction Fuzzy Hash: 4B31F970E0520A9FCB08DFAAC8819AEFBF2FF88300F54C569D515B7244D7346A518F91

Uniqueness

Uniqueness Score: -1.00%

Function 049F4840, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

?}-{, xrefs: 049F4886

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID: ?}-{
API String ID: 0-853032627
Opcode ID: 38b75a562c465879ac7b51b5483853dc2379d496bf29414c4c5766521fa7e35f
Instruction ID: ae2a155edf7e40087a90838dcdee2bc62b83805cedf2de6df45e90b72b6043e7
Opcode Fuzzy Hash: 38b75a562c465879ac7b51b5483853dc2379d496bf29414c4c5766521fa7e35f
Instruction Fuzzy Hash: 6531F670E0520A9BCB08CF9AC8815AEFBB2FF98300F54C56AC515B7254E734AA518F95

Uniqueness

Uniqueness Score: -1.00%

Function 052D04E9, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.308238114.00000000052D0000.00000040.00000001.sdmp, Offset: 052D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949a7d64377aa6e51ad1cd9afc56268e1213eb9cbc37e90919fe60ea7d5f9bdf
Instruction ID: 757a29d9db2705e707a1306bb058182f937018892242853bd54af22213435bd7
Opcode Fuzzy Hash: 949a7d64377aa6e51ad1cd9afc56268e1213eb9cbc37e90919fe60ea7d5f9bdf
Instruction Fuzzy Hash: 769132B4D15208CFDB04CFA9C588AADFBF2BF89314F288169D419AB260E7749941CF65

Uniqueness

Uniqueness Score: -1.00%

Function 049F775A, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f194dff34c3705be1151bfd38b05a911fecab82b2f9929ee826940293bff8932
Instruction ID: 4f738c975dceffe58a8ba91983a6bca1cc776189694c3d8df8d10cc053e61fa7
Opcode Fuzzy Hash: f194dff34c3705be1151bfd38b05a911fecab82b2f9929ee826940293bff8932
Instruction Fuzzy Hash: 54913374E04219CFDF14CFE9C984A9EBBB2FF49310F1085AAD509AB251E734AA45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 049F77B8, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e499f30c68c2cc20be5e064a0b07c9251e577c9487170a868333ba957538db51
Instruction ID: 8924554bd02cce861217f9ffb6c20a44ca335029c3209d7423ce09c9784802ae
Opcode Fuzzy Hash: e499f30c68c2cc20be5e064a0b07c9251e577c9487170a868333ba957538db51
Instruction Fuzzy Hash: D681F274E04219CFDF14CFE9C984AAEBBB2FB49300F1084AAD509AB351E774AA45DF54

Uniqueness

Uniqueness Score: -1.00%

Function 049F37B0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7904e8e08cd8ef6da7ac624880690471e81358d55f78f4134799e57e9e1e77ac
Instruction ID: 5e440872e7b29e7d3edf4474dc0910c761795e3a4f49db568382a28b796fa23a
Opcode Fuzzy Hash: 7904e8e08cd8ef6da7ac624880690471e81358d55f78f4134799e57e9e1e77ac
Instruction Fuzzy Hash: 3061BC74E15209EFCB54CFA9C48499DFBF1FB49310F54D9AAD819BB211D238AA81CF20

Uniqueness

Uniqueness Score: -1.00%

Function 049F37C0, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1600703a4cf5fb9a456b993bac19521bec9b00aa0e590f06ea7e48f9907a2a00
Instruction ID: 03dcd1cada4da9052c8d03761ba00d415b8cb5a69dbdc8277ff35cfe6c87a860
Opcode Fuzzy Hash: 1600703a4cf5fb9a456b993bac19521bec9b00aa0e590f06ea7e48f9907a2a00
Instruction Fuzzy Hash: 5761AC74E14209EFCB54CFA9C58499DFBF1EB49310F54D5AAE919BB210D338AA81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 049F4988, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a05df4e1628552fac12599194ea806b0e5549f31375dd86145394ee1d5fdf3a
Instruction ID: 25239580d77eb68dbbca015bbc92027303ba650d59e5437d0c72a38752064cfd
Opcode Fuzzy Hash: 5a05df4e1628552fac12599194ea806b0e5549f31375dd86145394ee1d5fdf3a
Instruction Fuzzy Hash: 91610374E1521ADFCF04CFA9D9409AEFBF2FF98304F10956AD555AB210E338AA418F54

Uniqueness

Uniqueness Score: -1.00%

Function 049F4978, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6974ddfde4e4a8a42badb2825d61d098626215df59bd761c87b319f7a62b2723
Instruction ID: aa6e22ca9ae707b892effcf67e06c51a502081c226c95d9cc106ef5761e87015
Opcode Fuzzy Hash: 6974ddfde4e4a8a42badb2825d61d098626215df59bd761c87b319f7a62b2723
Instruction Fuzzy Hash: 4B610274E1521ADFCF04CFA9D9809AEBBF2FF98200F10956AD555AB214E338AA418F54

Uniqueness

Uniqueness Score: -1.00%

Function 049F8BC8, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927eec61b9ffcd2a267205306b9a3f47f160658baa0e704a83c38090279375f3
Instruction ID: 18a3174768748cff51a1b437324b9da4ffb91c62b70315189ba8696daf92c8bc
Opcode Fuzzy Hash: 927eec61b9ffcd2a267205306b9a3f47f160658baa0e704a83c38090279375f3
Instruction Fuzzy Hash: 925134B4E15219EFCB45DFA4DA819AEFBB2FF48300F10956AD411A7251E734AA00CB65

Uniqueness

Uniqueness Score: -1.00%

Function 049F4208, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f00054bb8fd2ab092eefaad67ed83aa40e13c4df7575dda62a90da5ce3976c6
Instruction ID: 699b1ebf6a4dc3e254d760308ac2241ded1538d8a3d2574bc226c112863cd73d
Opcode Fuzzy Hash: 7f00054bb8fd2ab092eefaad67ed83aa40e13c4df7575dda62a90da5ce3976c6
Instruction Fuzzy Hash: 9251F774E1521AEFCB44CFD8D9809AEFBB2FF58310F208966E505AB215D370AA41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 049F41F8, Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6423b86c0e6ae8903ce7030522e69aaa17336a71f462bc37191d5f89f87276
Instruction ID: 0be1fc18c74e95711d39f0a59aa1d225cc25f6f5e3c540917b63f28147def2ad
Opcode Fuzzy Hash: ea6423b86c0e6ae8903ce7030522e69aaa17336a71f462bc37191d5f89f87276
Instruction Fuzzy Hash: 37510A74E1520AEFCB44CF98D9809AEFBF2FF58310F148966D505A7215D334AA81CF95

Uniqueness

Uniqueness Score: -1.00%

Function 049F89D8, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ca0d64bab7134796f84abbac97e4773e0baaf682308fdf627a4a567e940097
Instruction ID: 0f398295bf1291950db86a4753ef64c1014b7c14e1fffd03d22b0dba6a866231
Opcode Fuzzy Hash: c1ca0d64bab7134796f84abbac97e4773e0baaf682308fdf627a4a567e940097
Instruction Fuzzy Hash: EA51F3B4E15209DFCB44DFA5CA816AEFBF2FF88300F10996AD511BB250E734AA018F55

Uniqueness

Uniqueness Score: -1.00%

Function 049F4BC8, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48bb5f9300d90ae9a43fe8676157f6cc10867abc3ddc55c71462648975e5f68a
Instruction ID: e01991e6d43ee535de3672e327723a06f753b09ebe8ad5b60ea447409ce383c2
Opcode Fuzzy Hash: 48bb5f9300d90ae9a43fe8676157f6cc10867abc3ddc55c71462648975e5f68a
Instruction Fuzzy Hash: A1413CB0D1520ADFCB04CFA5C5814EEFBB2EB99314F20956AC505AB214E335AB41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 049F35D0, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c4e08efa2401518ceee16e740eaa7a1774c0fec10a45eefedd2bdc4c566ac57
Instruction ID: cef303df75b7f2bd3f47119dd7bb91997081a55633461dc9eb67540c155d868b
Opcode Fuzzy Hash: 8c4e08efa2401518ceee16e740eaa7a1774c0fec10a45eefedd2bdc4c566ac57
Instruction Fuzzy Hash: 2A417E70D0510AEBCB14DFA5C9818AEFBB2FF84344F2499A9C502AB724D738AA41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 049F4BD8, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d700fafc884597d2a401bef0891642d0c67e64f10711ef01e684ee80b01ced51
Instruction ID: 6c8eb83e84bb85d26ee6620730617120db3ee53c6b5c2726f47c2bfc74d52be6
Opcode Fuzzy Hash: d700fafc884597d2a401bef0891642d0c67e64f10711ef01e684ee80b01ced51
Instruction Fuzzy Hash: 7541F970D1520ADBCB04CF95C9814EFFBB2FB98314F20A96AC505BB214E335AA81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 049F7D88, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8111825ef9213b497aeb85058b4ff5b959ac95e353838702bad2e66d68a98d2
Instruction ID: 0c7611561f29a7f568db95344c51994b178296fbd7988802c4c13afb51fc9dfc
Opcode Fuzzy Hash: d8111825ef9213b497aeb85058b4ff5b959ac95e353838702bad2e66d68a98d2
Instruction Fuzzy Hash: AC310970E04209DFDB58CFAAC84069EFBF6BF89300F20C57AD519AB255E7346A429F54

Uniqueness

Uniqueness Score: -1.00%

Function 049F0099, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb772db4502d12580205432cfec5c6d774947d59961a1a2edc4d8c1809134b36
Instruction ID: 7fd56bb005f55e9f7d78fb3deab633d37b9f0376aaf96a181891c8528e9e74b7
Opcode Fuzzy Hash: eb772db4502d12580205432cfec5c6d774947d59961a1a2edc4d8c1809134b36
Instruction Fuzzy Hash: 5E31E971E016189FEB18CFAAD94469EFBF7EFC9310F08C0BAD508AA255D73459428B51

Uniqueness

Uniqueness Score: -1.00%

Function 049F7D87, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0302f0701b4ae95ba8a17f164b701f909d0d5f9e226cffb26bd56b680df9de46
Instruction ID: ef57f4d6dd36d823c3895971b556645fe2b51a7d222976d02670ae25354a52bb
Opcode Fuzzy Hash: 0302f0701b4ae95ba8a17f164b701f909d0d5f9e226cffb26bd56b680df9de46
Instruction Fuzzy Hash: 16310470E04209DFDB58CFAAC84069EFBF6BF89300F20C57AC519AB255E734A6429F54

Uniqueness

Uniqueness Score: -1.00%

Function 049F71C1, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a238130e044efdeee24bdd847f224896fd85616c7d205b5c960be4b37b5cdc76
Instruction ID: 343443d97c87ca5bc396956fad210eafef5874fe24b73613e4fe1b89a7f27d01
Opcode Fuzzy Hash: a238130e044efdeee24bdd847f224896fd85616c7d205b5c960be4b37b5cdc76
Instruction Fuzzy Hash: 9D3146B1E056099FDB08CFEAC9415AEFBB2FF89300F24C1AAD510AB265E7345602DF10

Uniqueness

Uniqueness Score: -1.00%

Function 049F71D0, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2cc847f598d740c5eb0110dba48484835da0dd0684dae9426dd5a73df59b104
Instruction ID: dd0df2b7f9ba52fb8b616025ba112de552d80696d29b9d661d9733d47298b32a
Opcode Fuzzy Hash: b2cc847f598d740c5eb0110dba48484835da0dd0684dae9426dd5a73df59b104
Instruction Fuzzy Hash: 5F2127B0E05609DBDB08CFEAC9416AEFBB6BBC8300F20C5BAD514AB254E7345601DF54

Uniqueness

Uniqueness Score: -1.00%

Function 049F6B60, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175c3eff3236d395429c488532f62722c126e4aff41a01b4bedc4da0116b0bca
Instruction ID: fce54716233feb8eeaf5a637b115836801a62d0bd6c99e96ad5a9545cccc92fa
Opcode Fuzzy Hash: 175c3eff3236d395429c488532f62722c126e4aff41a01b4bedc4da0116b0bca
Instruction Fuzzy Hash: 8B112CB0E056489FDB19CFB6C84529EBFF3EFCA200F24C1BAC414AB651D6744A128F41

Uniqueness

Uniqueness Score: -1.00%

Function 049F6B70, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.307821269.00000000049F0000.00000040.00000001.sdmp, Offset: 049F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6f8d682c1302afebbec5b2d4ee36b1cf627e03a767c017759b67f6ce1cf5f9
Instruction ID: 407fe13f51252ea639c91cec40a5a6d138de94ef220030fc5afbf761f12d5d11
Opcode Fuzzy Hash: db6f8d682c1302afebbec5b2d4ee36b1cf627e03a767c017759b67f6ce1cf5f9
Instruction Fuzzy Hash: 68110C70E05608CFDB08CFABC90019EFAF7AFC9300F24C57A8818A7215DB745A118F40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: doa8GHSloq.exe PID: 3860 Parent PID: 664 doa8GHSloq.exeCOMMON

Executed Functions

Function 05FE2568, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bee22c925d888fdaaf2a142ec99c6c49ec369df708456e040a875ee2dfaa87f
Instruction ID: 3c910b3dab0f7d54939b91ce43f45697481dd1e480e32023957c69dc4a90918a
Opcode Fuzzy Hash: 6bee22c925d888fdaaf2a142ec99c6c49ec369df708456e040a875ee2dfaa87f
Instruction Fuzzy Hash: E741D579904268CFCB64DF68C884BECBBB6BB49304F1080EAD509A7290DB795EC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1BB2, Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

), xrefs: 05FE2282
(, xrefs: 05FE2276

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 2c33b1c3135e4ed7ea0bcc042b88c5b824fe79c56e3ea08f8375a34c918819cb
Instruction ID: 46094b79780153c677af0d968d5094aa4758c9c13c9200e3c09cb654a3578bfc
Opcode Fuzzy Hash: 2c33b1c3135e4ed7ea0bcc042b88c5b824fe79c56e3ea08f8375a34c918819cb
Instruction Fuzzy Hash: A051B074A04228CFDB64DF69C884BECBBB6BF49304F1481EA9509A7290DB785AC1CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1E4F, Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

), xrefs: 05FE2282
(, xrefs: 05FE2276

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 3f6b1cbb3f2c7b7df62f52fc292532303af2fb39d709beaea04563be49fa24ef
Instruction ID: 9085a0e2a747c0579552dc9bc4cd2b4b7435ea29bbeec2d230cb6269df7604c9
Opcode Fuzzy Hash: 3f6b1cbb3f2c7b7df62f52fc292532303af2fb39d709beaea04563be49fa24ef
Instruction Fuzzy Hash: A141C374A052288FDB65CF68C8847ECB7B6BF45305F1081EAD509A7290DB795EC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE224F, Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

), xrefs: 05FE2282
(, xrefs: 05FE2276

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: cfc52d6f2f7e7fb1efcee328e4a3494f8d3dcf97e0a304ee9084df02e7c86a76
Instruction ID: 2367a09e5d9f96b33bf0da8f3cd63f2e304bdb24fb44165e0db08e0338f107eb
Opcode Fuzzy Hash: cfc52d6f2f7e7fb1efcee328e4a3494f8d3dcf97e0a304ee9084df02e7c86a76
Instruction Fuzzy Hash: 4E31C2759002698FCB64DF68C895BECBBB6BB45304F1081EAD509AB291DB795E81CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05D00199, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05D0020D

Memory Dump Source

Source File: 0000000E.00000002.331068920.0000000005D00000.00000040.00000001.sdmp, Offset: 05D00000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 98d7756da5704e806110529ad418a536dcdc448191c280038ee918fe9bf57431
Instruction ID: 22ea7c3ea869069cbb45f5718318d778760679ca39a66a4b53f8ff352af9fdf2
Opcode Fuzzy Hash: 98d7756da5704e806110529ad418a536dcdc448191c280038ee918fe9bf57431
Instruction Fuzzy Hash: 69215C714093C0AFDB238F25DC44A52BFB4EF17220F0985DBE9C48F163D265A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05D0052B, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05D00595

Memory Dump Source

Source File: 0000000E.00000002.331068920.0000000005D00000.00000040.00000001.sdmp, Offset: 05D00000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 080cc7edd11b0c23f47577804da052a71196d61ac14134fa1e553a40b9211e35
Instruction ID: 901dca236df55820ee73094382edaca99921be74f00eadbe2c88c2fb89c37ac3
Opcode Fuzzy Hash: 080cc7edd11b0c23f47577804da052a71196d61ac14134fa1e553a40b9211e35
Instruction Fuzzy Hash: 24119075409384AFDB228F15DC45F62FFB4EF06324F0884DEED854B1A3C265A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05D0055A, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05D00595

Memory Dump Source

Source File: 0000000E.00000002.331068920.0000000005D00000.00000040.00000001.sdmp, Offset: 05D00000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5c0af0e4219886346fe57e170f8dda2a6d0b798535235671922ee8522d90ff92
Instruction ID: f7cd47e2f1d1cd29b1e68c9e8cc84cca7be73d1a79f42062322e1c74ce1160c1
Opcode Fuzzy Hash: 5c0af0e4219886346fe57e170f8dda2a6d0b798535235671922ee8522d90ff92
Instruction Fuzzy Hash: EB019A35500240DFDB218F59DC88B66FFA4EF08320F08C4AEDD898B692C271E418CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05D001D2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05D0020D

Memory Dump Source

Source File: 0000000E.00000002.331068920.0000000005D00000.00000040.00000001.sdmp, Offset: 05D00000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a900cd0b4af871d71261fe14efed035c86551fec2b86eea845390212b16ce347
Instruction ID: 0c5872ed642576ba3a03ade93b6c713bf4e7ae152bd9acb8d01dabc24de0ccdb
Opcode Fuzzy Hash: a900cd0b4af871d71261fe14efed035c86551fec2b86eea845390212b16ce347
Instruction Fuzzy Hash: 69017835804240EFDB21CF55D988B65FBA4EF08320F48C49ADD890B662C275A458CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 05814EC0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

WinHelpW.USER32 ref: 05814EF0

Memory Dump Source

Source File: 0000000E.00000002.330450124.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false

Similarity

API ID: Help
String ID:
API String ID: 2830496658-0
Opcode ID: 0491ddcc46c54368df024529ee2cf0baf4d26688332608ca42e9ec47e9f75409
Instruction ID: 3ab656a225cf38cad6ac1b8eb359847b8436756a6fb4a4d2d27e161ca87770a6
Opcode Fuzzy Hash: 0491ddcc46c54368df024529ee2cf0baf4d26688332608ca42e9ec47e9f75409
Instruction Fuzzy Hash: 50E0D8708192845ECF15D7BC59165ADBFB49F03310F1400EECC84D6122E1304E24D76A

Uniqueness

Uniqueness Score: -1.00%

Function 05814ED0, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

WinHelpW.USER32 ref: 05814EF0

Memory Dump Source

Source File: 0000000E.00000002.330450124.0000000005810000.00000040.00000001.sdmp, Offset: 05810000, based on PE: false

Similarity

API ID: Help
String ID:
API String ID: 2830496658-0
Opcode ID: ebda156c58657102a4f6a9616ca55130343ee0567dba5bc4303d8b277d8fdc00
Instruction ID: ce7dd0f936c646c096d32973ca07a77936cbc39a274c0be0c3494d3f6e312ecc
Opcode Fuzzy Hash: ebda156c58657102a4f6a9616ca55130343ee0567dba5bc4303d8b277d8fdc00
Instruction Fuzzy Hash: 7AD0A7748151189ECB04EBB9550676DBBF89B00301F2004B9CC4492250E6301B2497A6

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1906, Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

', xrefs: 05FE20E1

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 26bc744d973050c48fd2e650907897bd6a7db2d2bbdd895ea3242396c4c78e15
Instruction ID: aa2f6a0e56410a91d65f4872b98fae603a25a9fdfbea1022ce66f45bc18d8883
Opcode Fuzzy Hash: 26bc744d973050c48fd2e650907897bd6a7db2d2bbdd895ea3242396c4c78e15
Instruction Fuzzy Hash: 2C81B274E002298FDB65DF68C885BECBBB6BB49304F1081EA9509B7280DB795EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1FA6, Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

#, xrefs: 05FE23E3

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 17fbb033418c1ad3d97b80fc6249062e5b0390da1637d021b861141cb6e13fbd
Instruction ID: c03554aa2beaa7be4cdf7dc81482564d83d898a831df5dbdaa0b8fc86a41e269
Opcode Fuzzy Hash: 17fbb033418c1ad3d97b80fc6249062e5b0390da1637d021b861141cb6e13fbd
Instruction Fuzzy Hash: 9161D279D04228CFDB64DF69C888BECB7B6BB49304F1085EAD509A7290D7794AC4CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FE239D, Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

#, xrefs: 05FE23E3

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 44233e3353d01a5ff181e1c4bb82671bc24504fb2f720b7693ceff705066f991
Instruction ID: b343e2cfec3d006ce17f2a9f585d7065532a79c8f3fd18bea31cab3d066f3747
Opcode Fuzzy Hash: 44233e3353d01a5ff181e1c4bb82671bc24504fb2f720b7693ceff705066f991
Instruction Fuzzy Hash: 6E51C274D00268CFDB64DF69C888BECB7B6BB49304F1480EA9509AB290DB795EC4CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05FE219E, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

&, xrefs: 05FE1AD3

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: ccbbfafbc8b2b7a2397c53a2a7a1cc75f0706dfcdf7c4114fdc2f14bf770d8b6
Instruction ID: c87d5b1a289aa61eba9842ddb9b04175a3871baa61098cd8805d773c2675553e
Opcode Fuzzy Hash: ccbbfafbc8b2b7a2397c53a2a7a1cc75f0706dfcdf7c4114fdc2f14bf770d8b6
Instruction Fuzzy Hash: 4151D175A04228CFCB64CF68C884BECBBB6BB49304F1481E9D409A7290D7799E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1C4D, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

", xrefs: 05FE1C97

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 3cdb0b43417960792324fd81ff838c8742151126a2a428efb6bc72d8e4ce1257
Instruction ID: e3cb1c8bac565d0611ac2531f9ea1d2bb0c4c4eedacc4c05968244dfd3a052d4
Opcode Fuzzy Hash: 3cdb0b43417960792324fd81ff838c8742151126a2a428efb6bc72d8e4ce1257
Instruction Fuzzy Hash: 3851A174900268CFCB65CF68CC88BECBBB6BB49305F1081EA9509AB280D7795E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1FC3, Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

(, xrefs: 05FE1FD1

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 994b492f937b831c66568edbeac1b31519c2d241ea9c2141eeb93c54cbec1314
Instruction ID: 2bb3467dd3c5b11a4eef3b1cfbcee7fc7926eb5eb7c4f1a360abc3879d1d78c8
Opcode Fuzzy Hash: 994b492f937b831c66568edbeac1b31519c2d241ea9c2141eeb93c54cbec1314
Instruction Fuzzy Hash: E851C178D04228CFDB65DF69C888BECB7B6BB49304F1481EAD509A7290D7794AC5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1A26, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

&, xrefs: 05FE1AD3

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: dacbf53c3ac3af361e252779a7642139f335f56dce7ce7a68fb9e53850e87c84
Instruction ID: e030599cdd5c7843cae7877672939d92d98b29cec6ea461b720d9acda8b22b77
Opcode Fuzzy Hash: dacbf53c3ac3af361e252779a7642139f335f56dce7ce7a68fb9e53850e87c84
Instruction Fuzzy Hash: 7C51D075A00229DFCB64CF68C884BECBBB6BB49304F1481E9D409A7291DB799E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1AE2, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

+, xrefs: 05FE1D45

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: f6243d6a492af7b5954c713b2d0dea1aa8e15585f9707b18fb7c8b066705fc5b
Instruction ID: 399b8812cdea1d2d9d2cd5e820f1da9efd529f4af9908342335d107620fc3ad9
Opcode Fuzzy Hash: f6243d6a492af7b5954c713b2d0dea1aa8e15585f9707b18fb7c8b066705fc5b
Instruction Fuzzy Hash: 4E41F479904268CFCB64CF68C884BECBBB6BB45304F1485EAD40AA7290DB794EC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1D54, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 05FE1D5A

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: ec0803cbcd62cd2d6cbcf66b7239bc5c846e6663466709c39180465694524100
Instruction ID: dda5ab5d66209382f59b5f9be0a34ee62c6828c0a92556e047639f619f1ee2af
Opcode Fuzzy Hash: ec0803cbcd62cd2d6cbcf66b7239bc5c846e6663466709c39180465694524100
Instruction Fuzzy Hash: E441C879A00228CFCB65CF68C895BECBBB6BB49304F1484E9D509B7290D7795E81CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05FE2311, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

!, xrefs: 05FE238E

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 13b56f161e5cf6d7c64849d87cd5ee1d6f4da107e00edfe434065e5fb1224a93
Instruction ID: e5fa56b79d93e96f0e888e50b025e193fdebc03da7bcdb76df082244c67ae252
Opcode Fuzzy Hash: 13b56f161e5cf6d7c64849d87cd5ee1d6f4da107e00edfe434065e5fb1224a93
Instruction Fuzzy Hash: 4441C478904269CFDB65CF68C884BECB7B6BB45304F1081EAD409AB290DB795EC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE254A, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

,, xrefs: 05FE1BA3

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 37f8afa781aa0a5f4170d6d257d3fd8b89d4a5caa0d75b8ca4d279ece3315b81
Instruction ID: 6573e97b7573457fc51737620c4768ac8c794975cf7bf2e422571e2ae4475303
Opcode Fuzzy Hash: 37f8afa781aa0a5f4170d6d257d3fd8b89d4a5caa0d75b8ca4d279ece3315b81
Instruction Fuzzy Hash: 1641C178905269CFDB64CF68C884BECBBB6BB45304F1081EAD409B7290DB799E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1CF5, Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

+, xrefs: 05FE1D45

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 63a3664509a7b0f1ead80bb4b42627d45dedb2dc71251c87bdd75b66d959b33f
Instruction ID: 15d5e12d7bd261308b4f63872f5e119bb6e680da5a0db641cf9b7e1cc426e194
Opcode Fuzzy Hash: 63a3664509a7b0f1ead80bb4b42627d45dedb2dc71251c87bdd75b66d959b33f
Instruction Fuzzy Hash: 1A41C479900269CFCB64DF68C885BECBBB6BB45314F1081EA9509B7290DB795EC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1B5B, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

,, xrefs: 05FE1BA3

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: bcc8cbe7cc268b687888938a9483bdfebe9be503c17fc62da52215e55501a2bf
Instruction ID: 2fc2307d5cc8a5e8dc50de99822ec696696d11bdc10f0168958136b362e3360c
Opcode Fuzzy Hash: bcc8cbe7cc268b687888938a9483bdfebe9be503c17fc62da52215e55501a2bf
Instruction Fuzzy Hash: DE41C474904269CFDB64CF68C894BECBBB6BF45304F1080EAD409A7290DB799E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE21C1, Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

-, xrefs: 05FE21E0

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: c2099ace02aef3e730ef501dda0f603bc2dd40c6694df52f56704febf7435188
Instruction ID: dfc50031554cd477942576b454261b911b7ecc69ef013524418458afb42f8bfc
Opcode Fuzzy Hash: c2099ace02aef3e730ef501dda0f603bc2dd40c6694df52f56704febf7435188
Instruction Fuzzy Hash: B331D575900229CFCB65CF68C8847ECBBB6BB49304F1085EAD509A7290DB799EC5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1DC8, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

, xrefs: 05FE1DE4

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4252c30679bc271b08c9e23f68bd4ce7db49f826c7b260f068ca12dee175f244
Instruction ID: d5ac046f1c6ea7b77905cdf804dfd67247957a04f48f39bf79fe39541e78fa71
Opcode Fuzzy Hash: 4252c30679bc271b08c9e23f68bd4ce7db49f826c7b260f068ca12dee175f244
Instruction Fuzzy Hash: 5E31C575904229CFCB64CF68C884BECBBB6BB49304F2080EAD509A7290DB795EC1CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1E25, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

*, xrefs: 05FE1E40

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: e317b92bdaa5c2cf5de2d36ff17a98e9c3827ddf1786c27016d0d7ee9cb2676a
Instruction ID: cba16b0c18e0f248ccf7ea9e02a36ac6b1e8e597707b95044a95d5a7007eef38
Opcode Fuzzy Hash: e317b92bdaa5c2cf5de2d36ff17a98e9c3827ddf1786c27016d0d7ee9cb2676a
Instruction Fuzzy Hash: D931B479904269CFCB65CF68C885BECBBB6BB45304F1084EAD509A7290DB795EC5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05FE123F, Relevance: 1.3, Strings: 1, Instructions: 6COMMON

Download Yara Rule

Strings

!, xrefs: 05FE124F

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 6a8797b00360db08ad85cff4cd9f0154abe5342faccc0cd4cd49f14e5f8bc163
Instruction ID: f361fba955a38d0286c1fd86098fd3132e5d1c9bc0db9242afbb1f664cdd584d
Opcode Fuzzy Hash: 6a8797b00360db08ad85cff4cd9f0154abe5342faccc0cd4cd49f14e5f8bc163
Instruction Fuzzy Hash: A4C09BB0955105CBD724CF60F04D55DBB7BA749315F10C115942113254DF745405DF21

Uniqueness

Uniqueness Score: -1.00%

Function 05FE14D0, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98d008636854040dc12471efeb96eb68e1a28d2a615aa21ba4e133b1c291030b
Instruction ID: 68d2933081808927053e90fb29f0efe94e5d27de59c75231cd02b066422df1ad
Opcode Fuzzy Hash: 98d008636854040dc12471efeb96eb68e1a28d2a615aa21ba4e133b1c291030b
Instruction Fuzzy Hash: 9E91CEB5D0A208CFDB14CFA9C549BEDBBF5BB09300F20516AD406BB290D7785A8ACF55

Uniqueness

Uniqueness Score: -1.00%

Function 05FE0990, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf06ff624c2929f719a6c59323cb2d6618f423e168110b32aceaad075ab646cd
Instruction ID: dc9d0448698e44e60feb1f5a2436e4d30c6d9b33af0d11e4ea33fa0296146f14
Opcode Fuzzy Hash: cf06ff624c2929f719a6c59323cb2d6618f423e168110b32aceaad075ab646cd
Instruction Fuzzy Hash: 51515A71D0620DDFCB00CFE9C549AAEBBFABF89314F249565D414B7240DBB88A40CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05FE0980, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910baf3f469635253e5cd2754d03b175439db8702ae12b52ac507c3e3b76c070
Instruction ID: 3969c0e0837f5782a5400c5599b5c5a1790c05722df9c676014b8e37248e7351
Opcode Fuzzy Hash: 910baf3f469635253e5cd2754d03b175439db8702ae12b52ac507c3e3b76c070
Instruction Fuzzy Hash: 434167B1D06209DFCB00CFE9C549AEEBBFABF49314F148565D414B7280DBB88A418B62

Uniqueness

Uniqueness Score: -1.00%

Function 05FE2502, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc63b1159ffd3b262291478c12624b24af7388afe0b79ab52e3baa1a3b5ea1a
Instruction ID: 41ed63d239573f427bff379efb1a46ec2e648dc3fb9f26dbb8fb15001968b0ef
Opcode Fuzzy Hash: 7cc63b1159ffd3b262291478c12624b24af7388afe0b79ab52e3baa1a3b5ea1a
Instruction Fuzzy Hash: 5D41C278900229CFDB65CF68C884BECBBB6BF45304F2081EAD409A7280DB795E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1F35, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00dba0e88170bcf7b082e570a03b72cc2c62c7a5bb9882adece23e26952db34c
Instruction ID: d4b12be47ac02b5d178c73c355a9bcbd7fba0c795288def3caf3a574c05a1cad
Opcode Fuzzy Hash: 00dba0e88170bcf7b082e570a03b72cc2c62c7a5bb9882adece23e26952db34c
Instruction Fuzzy Hash: A041D6759002288FCB64CF69CC84BEDBBB6BB49304F1484AAD509A7290D7799AC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE2130, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f758e19e78e2573e9dbe4b666da23c3c49e8df1ba579b961bc283d225b1f46
Instruction ID: c6f1c7eec934dfd71ec05c88442e5c8a58ab14adafe96b17aa4f93ac0cef5f62
Opcode Fuzzy Hash: b7f758e19e78e2573e9dbe4b666da23c3c49e8df1ba579b961bc283d225b1f46
Instruction Fuzzy Hash: EF41F77990026CCFCB64CF68C8857ECBBB6BB49300F1084EA9509A7290DB795EC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE20A4, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69efbdceb75e10c93ede32ab0b00694aaf9972dfe8f51b90d314fa8d714e6194
Instruction ID: d2fbe68b3b7d68c8be15ab382101265ce45e071785ebca3f944342384fc9205f
Opcode Fuzzy Hash: 69efbdceb75e10c93ede32ab0b00694aaf9972dfe8f51b90d314fa8d714e6194
Instruction Fuzzy Hash: AF41B279905229CFDB64DF68C884BECBBB6BB49304F1081EAD509A7291DB795EC1CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1EBE, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f43404645b08b0870639903ebab5e730aa1a2519ca3937068dcd7d79ddf5d75
Instruction ID: acb70588d7e41fe2d08cdb15dbe57811e2b1a0f018cbe4103b2a5b3ee8f85728
Opcode Fuzzy Hash: 3f43404645b08b0870639903ebab5e730aa1a2519ca3937068dcd7d79ddf5d75
Instruction Fuzzy Hash: C141A4789002698FCB65DF69C894BECBBB6BF45304F2481EAD409BB290DB755E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1DF3, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75909836d16f8740b4dd5029a991d976045dd6a0471c70eec89a3d56b47f898
Instruction ID: b7738c677e575f37d043aa7146563a26103d094f0b09ec79bbf76aa2c7e86d0e
Opcode Fuzzy Hash: f75909836d16f8740b4dd5029a991d976045dd6a0471c70eec89a3d56b47f898
Instruction Fuzzy Hash: 8431D674904269CFCB64CF68C894BECB7B6BB45304F1084EA9509B7280DB795EC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05FE20ED, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be4455eb256b9c2532f1e7e3d53c636a607adbc84ec54efb780bd40bc39d3f4
Instruction ID: 8497173729bd2499d4d37ac5d13c32a5a581a93d00d49a784f6722ecb782f14a
Opcode Fuzzy Hash: 6be4455eb256b9c2532f1e7e3d53c636a607adbc84ec54efb780bd40bc39d3f4
Instruction Fuzzy Hash: 5A31E278904269CFCB64CF69C884BECBBB6BB49304F1080EA9509B7290DB795EC1CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05FE0C58, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df962ba6b407f99f7345b3ddcb8b776f1bf396bcabf727c29ef819e270b3757
Instruction ID: 796ee4f1ad431ec55ce30c10a181896e1a48f867e6606bffad84d7cdbad68631
Opcode Fuzzy Hash: 6df962ba6b407f99f7345b3ddcb8b776f1bf396bcabf727c29ef819e270b3757
Instruction Fuzzy Hash: CB212775D0420A8FCB04DF98C5859EEBBB9FF49300F108155C815BB311DB786A01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05FE0C68, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fd657faaa3158fbb0738f7aa500372f2343d2b9b05a050d84b88522ed79003
Instruction ID: d82acbb451cb15a2e45faf63c21987c86efecdb3450d6158f09eeab9a4ec71f4
Opcode Fuzzy Hash: a0fd657faaa3158fbb0738f7aa500372f2343d2b9b05a050d84b88522ed79003
Instruction Fuzzy Hash: 75218075D0420A9FCB04DF98D599AEEBBF9BF48310F108169D815AB350DB78AA40DF91

Uniqueness

Uniqueness Score: -1.00%

Function 05FE142F, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c67658cb8b9890bb56b32ae650800bdb86bc5b2486467c70cdeb2c94d30b66c
Instruction ID: d4f4d30fbc52fb8202ac135c80702fe79958aa06ea47b6ce117e0f6460cb74fa
Opcode Fuzzy Hash: 2c67658cb8b9890bb56b32ae650800bdb86bc5b2486467c70cdeb2c94d30b66c
Instruction Fuzzy Hash: EAF0E57181A2489FCB45CBB0E5559EDBFB5EF4B301F11A1EAD899A3342CB381906DF14

Uniqueness

Uniqueness Score: -1.00%

Function 05FE29CF, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32fe9ff95be81395efc42bb6b621be494b6a62ba35cfb550a093f37b3934be4
Instruction ID: 7492b0a835c2d9b988be8188af54ad5a7f20931b999b64e64d04e7e8f48ae535
Opcode Fuzzy Hash: b32fe9ff95be81395efc42bb6b621be494b6a62ba35cfb550a093f37b3934be4
Instruction Fuzzy Hash: CFF0A0798091489FCB40CFA4C9416FCBFB5EB4A300F1482EAC86957352C6394B42EF10

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1488, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896907b3abb867b414d80c059b10aa91dbbbf4f77f1347442a94ff212abef223
Instruction ID: 4631662f02589fd52abaace64572d1986de21ae9c68b153db6be3e530549a98b
Opcode Fuzzy Hash: 896907b3abb867b414d80c059b10aa91dbbbf4f77f1347442a94ff212abef223
Instruction Fuzzy Hash: CAE06DB185A2089FCB15CFE4D5569EDBF74EB06300F11469AD81993342C6382642CB15

Uniqueness

Uniqueness Score: -1.00%

Function 05FE2A21, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a6029be0f8cd10139b1a2967888ef3ab675ba1cd72f5c2907965eff9d54b3f
Instruction ID: 4491c82bb4952086bbe5ef8b92ad8dbe0879f3708baccc9a1c784188123bee66
Opcode Fuzzy Hash: b8a6029be0f8cd10139b1a2967888ef3ab675ba1cd72f5c2907965eff9d54b3f
Instruction Fuzzy Hash: 4DE092B5904108DFC744CB94C5966ACBBB5EB5A304F2482D9C82D83352D63A9E02DB40

Uniqueness

Uniqueness Score: -1.00%

Function 05FE13F1, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63fc30d1fc30eff9242d0fbf457fa2f9d19b3ceaca8653c4f4405c1ac305156
Instruction ID: 88bd04b732d0dba2d66a0012cf3139fdcdcd45783b66ba6dcdcff7ef4bde79ed
Opcode Fuzzy Hash: d63fc30d1fc30eff9242d0fbf457fa2f9d19b3ceaca8653c4f4405c1ac305156
Instruction Fuzzy Hash: 55E0267121E3C48FD316DBA4E1199AD3F746F03209F1800D6C49843243C93A1806CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05FE03D2, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db2564d2630fa0654d5573a4648ab32440e371312d0aa7ad40686fe5d44b89d
Instruction ID: c9c7a97b6fe0bd51312ee850175361756038fddaf092d1a7d673ce1de12ec975
Opcode Fuzzy Hash: 7db2564d2630fa0654d5573a4648ab32440e371312d0aa7ad40686fe5d44b89d
Instruction Fuzzy Hash: 1AE092355092888FCB02CFB8C951099BF72AA07214B2481C6CD4897253D2311E05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05FE2A69, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa6be372e78b739fdf1135fd213a79f361622da41d674614f48f69f16c45955
Instruction ID: 0ad9b94b9a72130aa8fc6e1c459727b0885633e79bf2d62ba6f4b4acff3e5e6c
Opcode Fuzzy Hash: 2aa6be372e78b739fdf1135fd213a79f361622da41d674614f48f69f16c45955
Instruction Fuzzy Hash: 18E0C27088A308AFCB99DAB8A8566FE3B7C6F87700F11119AC00993162E1380941E711

Uniqueness

Uniqueness Score: -1.00%

Function 05FE29E0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e15bfc306cab5a864ac19f2a0a0bb21088776684f28a86a492e1dae7eaf207
Instruction ID: e8f39d2563a04385962333fc1474e424357a5ee978ca8dbd8cfd69e1420fe4e4
Opcode Fuzzy Hash: 48e15bfc306cab5a864ac19f2a0a0bb21088776684f28a86a492e1dae7eaf207
Instruction Fuzzy Hash: 38E01A78D04208EFCB44DF98D541ABCFBB9EB48300F14C1AADC5957341D6359B51EB95

Uniqueness

Uniqueness Score: -1.00%

Function 05FE2A30, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc63f115ada6e6ce93e3b4547c8be69816571b5e854d2a59c2f8dad239eecc68
Instruction ID: 1db1e8835325189438390d77922904b25252efbeb60bacc651dfe0ecf12a7905
Opcode Fuzzy Hash: dc63f115ada6e6ce93e3b4547c8be69816571b5e854d2a59c2f8dad239eecc68
Instruction Fuzzy Hash: 61E04F74D04108EFC714DF98D542AACFBB8EB48304F1080A9C81857341D635AA01CB85

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1498, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2136bfe5ebb2fed0ad603fe176808c92d822405cfd2c87941882346b163edcae
Instruction ID: 185459c260d9653772d167913b8528087be9917ce25832efe411184a6bb0897b
Opcode Fuzzy Hash: 2136bfe5ebb2fed0ad603fe176808c92d822405cfd2c87941882346b163edcae
Instruction Fuzzy Hash: C0E08CB0C0520CEBCB14DFA9E04ADACFBB8EB45300F1082A9D80863300DA382A40CB45

Uniqueness

Uniqueness Score: -1.00%

Function 05FE1400, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94b045073f6ebdbb8255f8cd7151026a4dfaf6f0d053e6e4e5f26e9acdb5c64
Instruction ID: a8c2220295908461455ba8cf8a1660fae048d58fda1548b7cc15d32cf35f2df9
Opcode Fuzzy Hash: f94b045073f6ebdbb8255f8cd7151026a4dfaf6f0d053e6e4e5f26e9acdb5c64
Instruction Fuzzy Hash: 8BD05EB0D0A20CDBDB04EFA5E54EDADBF79BB46301F2041B9D81923341DB351A44DB99

Uniqueness

Uniqueness Score: -1.00%

Function 05FE03E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784a6f522a95e1d19e2deed100ed55d0f25cc2404963802a67e9539e0ed86a0f
Instruction ID: 52825f07a132c8cb497ecff1ce6664114f7a24d33137f0264e3cbf8480b973db
Opcode Fuzzy Hash: 784a6f522a95e1d19e2deed100ed55d0f25cc2404963802a67e9539e0ed86a0f
Instruction Fuzzy Hash: DDD017B0896208DFCB04EBA8E54AAACBBBCEB05201F1000A9D80963240EAB45A48DB55

Uniqueness

Uniqueness Score: -1.00%

Function 05FE2A78, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.332260735.0000000005FE0000.00000040.00000001.sdmp, Offset: 05FE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11684d113fec194d6b386ec11614ed248ab0dccb4491f5eb13358bd68b238fa8
Instruction ID: 28178b97c60de1464623fc39c60e82b0ec2e5aea2548f8bdfd90d56340850d57
Opcode Fuzzy Hash: 11684d113fec194d6b386ec11614ed248ab0dccb4491f5eb13358bd68b238fa8
Instruction Fuzzy Hash: DCD0223084A20CDBC324DAE8F847B7E772CAB02B00F2000A8840913201BA782900D295

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6268 Parent PID: 664 dhcpmon.exeCOMMON

Executed Functions

Function 06BF2568, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52a14f307ff2f375e6caa79321d779fcba3faba08a822b17dbc656bafdf9c6c
Instruction ID: f3641a7da715648ba633105c244234f56f90864490e88a75c546a15517b48d2e
Opcode Fuzzy Hash: f52a14f307ff2f375e6caa79321d779fcba3faba08a822b17dbc656bafdf9c6c
Instruction Fuzzy Hash: 2841B0B5914228CFDB64DFA8C8947ECBBB2BB49304F1080EAD509B7290C7755AC9DF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1BB2, Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

), xrefs: 06BF2282
(, xrefs: 06BF2276

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 90cd049ee983265aee8c879bf9e4424fcd05815ecbc1c33a54247b5acb28cfd7
Instruction ID: 853969d4b1c907840032442af166d17160bfe8ed4aec64fc0095477dd5469f17
Opcode Fuzzy Hash: 90cd049ee983265aee8c879bf9e4424fcd05815ecbc1c33a54247b5acb28cfd7
Instruction Fuzzy Hash: 9B51C1B5900228CFDBA4DFA9C894BECB7B1BB09304F1081EAD509B72A0CB755AC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1E4F, Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

), xrefs: 06BF2282
(, xrefs: 06BF2276

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 429abae586df6c3b430d5f52a65dde589dad34cf373717024038a462876babb8
Instruction ID: df9c06d1c773109ccd7a33f3a55711a950050c2353a491cab57ed2b619845025
Opcode Fuzzy Hash: 429abae586df6c3b430d5f52a65dde589dad34cf373717024038a462876babb8
Instruction Fuzzy Hash: 4441B0B59512288FDBA4CF68C8947ECB7B2AB49304F1091EAD509B7290CBB55EC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF224F, Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

), xrefs: 06BF2282
(, xrefs: 06BF2276

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 9c01f1c615ffd05f7d6e7ff3cc2b6b1139c571a00a2ba7e4ac7a0a9a84edc439
Instruction ID: a79b3c6eceebf4970e727dace80b9a7f980da312197995af3b36dacb0dd63e3c
Opcode Fuzzy Hash: 9c01f1c615ffd05f7d6e7ff3cc2b6b1139c571a00a2ba7e4ac7a0a9a84edc439
Instruction Fuzzy Hash: 7331D0B5940228CFCBA4DFA8C894BECBBB2BB45304F1085EAC509B7291CB755E85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05730199, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0573020D

Memory Dump Source

Source File: 00000010.00000002.336104747.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 58f0ad5f4c2557823b0191360e324b340662d72c9e47bd4539528404d1ce6665
Instruction ID: f2ddb4cd9f2e3cecb4dbf28cb0e067c7d18e12f437566c3a95902b51d404be1c
Opcode Fuzzy Hash: 58f0ad5f4c2557823b0191360e324b340662d72c9e47bd4539528404d1ce6665
Instruction Fuzzy Hash: 9C215C7140A7C09FDB238F25DC45A52BFB4EF17220F0985DAE9C48F163D265A858DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0573052B, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05730595

Memory Dump Source

Source File: 00000010.00000002.336104747.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6a159294ed09fcd2c59b8e7b463fc812fa2fdd75317602fe22b6219156da8369
Instruction ID: f9122437eed363eec392392489563bba2a4032c8be4d791d7cde9679e6869573
Opcode Fuzzy Hash: 6a159294ed09fcd2c59b8e7b463fc812fa2fdd75317602fe22b6219156da8369
Instruction Fuzzy Hash: 4611D071449380AFDB22CF15DC45F62FFB4EF16324F08849EED858B163C265A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0573055A, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05730595

Memory Dump Source

Source File: 00000010.00000002.336104747.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c4edd6974cd3e29ba6e32940be8d43f28fc4a18bc93e82ac191d431d0a87e29e
Instruction ID: d18b175e0bded4812182a724653bdb4febd2e71d8a5da3f0f4093de5e868d653
Opcode Fuzzy Hash: c4edd6974cd3e29ba6e32940be8d43f28fc4a18bc93e82ac191d431d0a87e29e
Instruction Fuzzy Hash: 2F019A31500640DFDB21CF5AD889B66FFA4EF18321F0884AADD898B612C271A458DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 057301D2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0573020D

Memory Dump Source

Source File: 00000010.00000002.336104747.0000000005730000.00000040.00000001.sdmp, Offset: 05730000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cbca9a6ece6797dc0be2162e0010c2251428bf016607907f002c4b625441263a
Instruction ID: 394def93feff2497791dd9721533d26d5729688a8c166439425f9d503db11925
Opcode Fuzzy Hash: cbca9a6ece6797dc0be2162e0010c2251428bf016607907f002c4b625441263a
Instruction Fuzzy Hash: 370178358007409FDB21CF55D98AB26FBA0FF18321F08849ADD894B623C276A458DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1906, Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

', xrefs: 06BF20E1

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 3e1e1d52bff31840dd5291a4996553aa5bc01a295afba2d3d246dcb395d7b2ae
Instruction ID: fadef3942d8b6d3b7ebfc187d97826fdca0816f5c2a4204aad8ba7b452f8b7b9
Opcode Fuzzy Hash: 3e1e1d52bff31840dd5291a4996553aa5bc01a295afba2d3d246dcb395d7b2ae
Instruction Fuzzy Hash: 6581BFB5D50228CFDB64DF68C894BECBBB1AB09304F1081EA9509B7290CBB55EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1FA6, Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

#, xrefs: 06BF23E3

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 1d38d8629812693ace4e72e55d576c7c8a38bb9172fad707296f898676b25251
Instruction ID: 373303b239125b223492249f1baa4e7ed25efcb3a7346c65d458b9b496db0fab
Opcode Fuzzy Hash: 1d38d8629812693ace4e72e55d576c7c8a38bb9172fad707296f898676b25251
Instruction Fuzzy Hash: D961CFB5D10228CFDBA4DFA9C894BECB7B1AB49304F1090EAD509B72A0D7754AC8CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06BF239D, Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

#, xrefs: 06BF23E3

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 62c787f3778abaf950b6839b225d836699f0c00959edc8dfbb0a4552b26ecda9
Instruction ID: 75cc5d1afc5e360a5ec50d6a147662e1435e1a9fcd4d643c9aef1ab3207e3b74
Opcode Fuzzy Hash: 62c787f3778abaf950b6839b225d836699f0c00959edc8dfbb0a4552b26ecda9
Instruction Fuzzy Hash: C051CFB5D10228CFDB64DF69C894BECB7B2BB49304F1480EA8509B72A0DB755AC9CF11

Uniqueness

Uniqueness Score: -1.00%

Function 06BF219E, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

&, xrefs: 06BF1AD3

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 9c36ca7cced4b896b15cc8a09c3532a21917aae4b20c16ff777382f6d55ab6f1
Instruction ID: 607c38ea9f2410c5874fa639aedd68f30cd7637ea6e67a61a8cf9224ed84910e
Opcode Fuzzy Hash: 9c36ca7cced4b896b15cc8a09c3532a21917aae4b20c16ff777382f6d55ab6f1
Instruction Fuzzy Hash: C951A1B5910228CFDB64DFA8C994BDCBBB2BB09304F1481DAD509A72A1C7759E89CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1C4D, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

", xrefs: 06BF1C97

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 4b39c0c2bbcfb3974454751c41bb686ed298179f9a61cffcf344e57f8cb0531b
Instruction ID: 19b7d4439ace5770442633c282aaee83b10e7b4c3d7fbf8602320b298d8568c5
Opcode Fuzzy Hash: 4b39c0c2bbcfb3974454751c41bb686ed298179f9a61cffcf344e57f8cb0531b
Instruction Fuzzy Hash: 9C51BFB5910268CFDB64CFA8C894BECBBB1BB49305F1080EA9509BB290C7755EC9CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1FC3, Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

(, xrefs: 06BF1FD1

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: e2c1b22afed0db82a8337d24d60f3fc80322e03d7d70284e79fb300b334ef473
Instruction ID: 15a6b5710bbda299b30e9c8b0da931bf70e3e92e8cf7366818770d63509ede4e
Opcode Fuzzy Hash: e2c1b22afed0db82a8337d24d60f3fc80322e03d7d70284e79fb300b334ef473
Instruction Fuzzy Hash: 9A51C1B5910228CFDBA4CFA9C854BECB7B1BB09304F1485EAD508B72A0C7B54AC9CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1A26, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

&, xrefs: 06BF1AD3

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 274bfa10c14807c2519aff2280b83e9631fc563f3d5790d23d4e2e547b1ed64c
Instruction ID: 550d0b7b74dd7aa4ff528874164637133a0cc1a878e742ec12184e033cb8fa18
Opcode Fuzzy Hash: 274bfa10c14807c2519aff2280b83e9631fc563f3d5790d23d4e2e547b1ed64c
Instruction Fuzzy Hash: D951C275900228CFDB64DFA8C894BDCBBB2FB09304F1481DAD509A7291C7759E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1AE2, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

+, xrefs: 06BF1D45

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 18697ac6cf742b1bdc103f6b6f9f5243241c9e5baf886b89404246f98f9189b7
Instruction ID: ae86331ebd8e4d88ea6140632ede0e19ac695bdcb77fd68622c265068c6a1d42
Opcode Fuzzy Hash: 18697ac6cf742b1bdc103f6b6f9f5243241c9e5baf886b89404246f98f9189b7
Instruction Fuzzy Hash: 9F41D3B5910228CFDBA4DF68C8947ECBBB1AB05304F1485EAD509B72A0DB795EC9CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06BF2311, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

!, xrefs: 06BF238E

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: de0dc6f13dc8998d0dad626759265adf66fce55d6312e4dc72c38fd0f984fb2c
Instruction ID: df181866ea76edba4d7f520eae50d5061d2d293c45454008457fe19e59957858
Opcode Fuzzy Hash: de0dc6f13dc8998d0dad626759265adf66fce55d6312e4dc72c38fd0f984fb2c
Instruction Fuzzy Hash: B941BFB59502288FDB64CF68C894BECB7B2AB49304F1081EAD509B7290CB755EC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1D54, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 06BF1D5A

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 05b16580016a9ac39565942c93653eef6df8c306e26e1533722c4a4ecca081f3
Instruction ID: 44fa22f9229426efc08c64bf787e5158dc33b0c23fc8d49c6ec823674848b638
Opcode Fuzzy Hash: 05b16580016a9ac39565942c93653eef6df8c306e26e1533722c4a4ecca081f3
Instruction Fuzzy Hash: 4641B2B5950228CFDB64CFA8C894BECBBB2BB49304F1484EAD509B7291C7759E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 06BF254A, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

,, xrefs: 06BF1BA3

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 1e0ab00f3f510c9f3edaf0a172e880b24b741f3fcf31b2a143f59e9987a47e32
Instruction ID: 332b52b17af955832dd7b3c6aff7d3318c7d2d49bd04436f5683714085ac3a67
Opcode Fuzzy Hash: 1e0ab00f3f510c9f3edaf0a172e880b24b741f3fcf31b2a143f59e9987a47e32
Instruction Fuzzy Hash: 5A41C1B5941228CFDB64CF68C894BECBBB2BB45304F1085EAD509B7290CB759E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1CF5, Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

+, xrefs: 06BF1D45

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: a991a281a48af945a5c8dbc376365f59fc059bd188b18ea8cd039b0694b6643b
Instruction ID: f94f399793cb87d70e6164739b983b32ed61e4f7c85d18557ec9f2fd01d16f78
Opcode Fuzzy Hash: a991a281a48af945a5c8dbc376365f59fc059bd188b18ea8cd039b0694b6643b
Instruction Fuzzy Hash: BC41BEB5900268CFCBA4DF68C894BEDBBB2AB45304F1085EA9509B7294CB755E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1B5B, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

,, xrefs: 06BF1BA3

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6f04da4b0211bbf39c59965585baba894050df653a4250e693df109c83e17c31
Instruction ID: a75d3a91ef60e4bf537cbf1c8f32173cfd88be4d687f6bed7ba14341ea9cf3b4
Opcode Fuzzy Hash: 6f04da4b0211bbf39c59965585baba894050df653a4250e693df109c83e17c31
Instruction Fuzzy Hash: F141C1B5940228CFDB64CF68C894BECBBB2BB49304F1080EAD509B7290CB759E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF21C1, Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

-, xrefs: 06BF21E0

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 726466bfa199090df1c7dacbb84005dcd1b27939b945a9680a73ac34041d7936
Instruction ID: e27cba35b948b4dd7a67e3dab32f59dfe4144ce8bfd62080c9519427813a6516
Opcode Fuzzy Hash: 726466bfa199090df1c7dacbb84005dcd1b27939b945a9680a73ac34041d7936
Instruction Fuzzy Hash: 5D31A2B5910229CFCB64DF68C8947ECBBB2AB09304F1485EAD509B7290DB759EC9DF01

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1DC8, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

, xrefs: 06BF1DE4

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 44fb5c4c78f1407b17a453a097a5aa25c42b148db07467c93de9c2b7c59a28ca
Instruction ID: c06debb122e88c5723197446360f880cb404327d17ce557c4a19ffc5c5a6e740
Opcode Fuzzy Hash: 44fb5c4c78f1407b17a453a097a5aa25c42b148db07467c93de9c2b7c59a28ca
Instruction Fuzzy Hash: 8B3192B5940228CFCB64DF68D894BECBBB2BB49304F1084EAD509B7290CB755E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1E25, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

*, xrefs: 06BF1E40

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 158a63b94b947e51391c8cc7a5990b2a841c678ed59f2b9ea3aeb0209b0d8892
Instruction ID: 0d643628410da90fc6f4c7f6d3cb98a1a89e6faf17d5d7e7a694a280f9908486
Opcode Fuzzy Hash: 158a63b94b947e51391c8cc7a5990b2a841c678ed59f2b9ea3aeb0209b0d8892
Instruction Fuzzy Hash: A531A1B5900229CFDBA4DF68C894BECBBB2AB45304F1084EAD509B7290DB755E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF123F, Relevance: 1.3, Strings: 1, Instructions: 6COMMON

Download Yara Rule

Strings

!, xrefs: 06BF124F

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 3af69ed5de0b3bd1a8ce292a79625352663e74c579905d74c379c941a5bd81b2
Instruction ID: 97945e76509a10a68d47bbb71cf33ec163a585bfe4c99ba8861ec70782f1dcc3
Opcode Fuzzy Hash: 3af69ed5de0b3bd1a8ce292a79625352663e74c579905d74c379c941a5bd81b2
Instruction Fuzzy Hash: BFC092F4D14105DFEB34EFA0E098AADB776AB4E305F20C10AA62223266CBB09855DF50

Uniqueness

Uniqueness Score: -1.00%

Function 06BF14D0, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f164f7934a067ca8b4f4eec372d43227e3d78306cf33ed6630d2ce13dc47947
Instruction ID: a891b9bc198064a89e46f0704b948eb373a9093995105722fdc69bf22334d8c8
Opcode Fuzzy Hash: 4f164f7934a067ca8b4f4eec372d43227e3d78306cf33ed6630d2ce13dc47947
Instruction Fuzzy Hash: 4491C1B4D15208CFDB94CFA8C5447EDBBF1BB09300F2055AAD606BB2A0D7745A89CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06BF0990, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6568b4ebb986ab9fc654c58ef14cae9289ad8a5731611eee16fe3bcdbc7742f9
Instruction ID: 4ff142aae0d65b3422d9ea840235d33b04e5ea61f4c26c5e6baf1d08f18f149b
Opcode Fuzzy Hash: 6568b4ebb986ab9fc654c58ef14cae9289ad8a5731611eee16fe3bcdbc7742f9
Instruction Fuzzy Hash: B3515BB0D21208DFDB40EFE9C550AAEBBF2AF49324F14D5A5D514B7272D3748A48CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06BF0980, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4131e55f1e1d70f795766bf82e6f655f7c58b317db2537112453c22162aacd12
Instruction ID: 431a6945daa6fb0899353316917277da1482bdb3e92fd970d5f0f9f7e80236ea
Opcode Fuzzy Hash: 4131e55f1e1d70f795766bf82e6f655f7c58b317db2537112453c22162aacd12
Instruction Fuzzy Hash: C5415AB0D222089FDB40EFE9C5506AEBBF2EF49324F14D5A5D514B3272D7748A48CB61

Uniqueness

Uniqueness Score: -1.00%

Function 06BF2502, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14609e723de863b4b2d8d7d8147334c97abb14f2735d4dd4cabb42e7fc5cbf0
Instruction ID: d7295855b7c6bf41b8718eb5fe4bfe8f528b11f3deca8eefec9348992e130e57
Opcode Fuzzy Hash: b14609e723de863b4b2d8d7d8147334c97abb14f2735d4dd4cabb42e7fc5cbf0
Instruction Fuzzy Hash: BB41C2B5940229CFDB64DF68C894BECB7B2BB45304F2081EAD509B7294CB755E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1F35, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf99ef92f7a8ea9637c8a3d78f2aeefaa532f2565bf90b2a8c61d8b25fed765
Instruction ID: 1856af81097d0778de1e699ff9e52abb1905a6c9205d8886d3e177eefc998bd3
Opcode Fuzzy Hash: 5bf99ef92f7a8ea9637c8a3d78f2aeefaa532f2565bf90b2a8c61d8b25fed765
Instruction Fuzzy Hash: B941C4B5900228CFDB64CF68C894BEDBBB2EB49304F1484EAD509B7290D7759A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF2130, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c7bced017add77c6faa69607c5be9b052be52227d890c822ae9156ac7f00dc7
Instruction ID: cd48902d8e2e64b43dbf75dd7f070cfe19cc5d310df1fcad3e79fbbe6bffffef
Opcode Fuzzy Hash: 4c7bced017add77c6faa69607c5be9b052be52227d890c822ae9156ac7f00dc7
Instruction Fuzzy Hash: 1F41D1B5940228CFCB64DF68C8957ECBBB2AB09304F1484EAD509B7290CB755EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 06BF20A4, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e9539bc8401f884c22c1f329cbb8c00adb1f1d54b880e42253c719516adff4
Instruction ID: c277a902254fa50189d40ae7ed30a02f960172205578985d5812cb2d4c0e09d5
Opcode Fuzzy Hash: 45e9539bc8401f884c22c1f329cbb8c00adb1f1d54b880e42253c719516adff4
Instruction Fuzzy Hash: 3E41AFB5904228CFDB64DFA8C894BECB7B2BB49304F1081EAD509B7291CB755E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1EBE, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf5de695bb05dbbc4b8fdae869a87e544efbeb64731bea9c61aab8450c3a0d1
Instruction ID: a2d06203136d399e8d4882ab856a1bcb734d7b786e2b00c7797e3b3981c4d476
Opcode Fuzzy Hash: eaf5de695bb05dbbc4b8fdae869a87e544efbeb64731bea9c61aab8450c3a0d1
Instruction Fuzzy Hash: 0C41C2B5940229CFCB64DF68C894BECB7B2BB45304F2080EAC509B7290CB759E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1DF3, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a538f75ec38c09ab3eb43d11da776351e677add7f23b43d1edeccbaf56c489ba
Instruction ID: 871db69c15db4ef0c21bef4e29cc3bfd157e66d4a1ddb98408862f7af494085b
Opcode Fuzzy Hash: a538f75ec38c09ab3eb43d11da776351e677add7f23b43d1edeccbaf56c489ba
Instruction Fuzzy Hash: 5C31B2B5910229CFDB64CF68C8947ECB7B2BB45304F1084EA9509B7290CB759E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF20ED, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d619252cf7c7b146b3951af27ffebad155c99d13995b9d574b9ac136eecba4
Instruction ID: f02f70de8ec32da80d49673e7dd779ad1fae525fee4e22add89605b8f3dc3518
Opcode Fuzzy Hash: 32d619252cf7c7b146b3951af27ffebad155c99d13995b9d574b9ac136eecba4
Instruction Fuzzy Hash: 5C31B0B5900229CFDB64CF68C894BECBBB2AB49304F1484EA9509B7290CB755A89CF41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF0C58, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fa1fcdd38d510fb370d6e1b40cdb2e0802bde2cde85ab367fe781785dd568a5
Instruction ID: 9a1e8cf5f8ae9bd6ef8307a1b8f731915b433b3bef03572755b75e8a1fca48a6
Opcode Fuzzy Hash: 5fa1fcdd38d510fb370d6e1b40cdb2e0802bde2cde85ab367fe781785dd568a5
Instruction Fuzzy Hash: F82147B4D1520ADFCB44DF98C5909EEBBB0FF48300F10819AD901AB322D734AA49CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06BF0C68, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5b85a405cd2aac45cc46bf77d52c8981b7a6ca4b0ab50d1ed4aaa3e9bfecc7c
Instruction ID: 4794fc5acc948f34f318a9cb2dec39acadfbd10cf8c6dd24a8866c7194c3fb22
Opcode Fuzzy Hash: a5b85a405cd2aac45cc46bf77d52c8981b7a6ca4b0ab50d1ed4aaa3e9bfecc7c
Instruction Fuzzy Hash: 4221C3B4D1420ADFCB44DF98C5959EEBBB5EF48300F1080A9D915AB361DB34AA44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 06BF142F, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cf4c9fc596d9f1644e3d848eecd2213aadc858f7f4597690199ac55fac1184a
Instruction ID: d89369a4e911a35c90d690ac0d0c79f5dc64541dac71eb7b2edf481d09fbe497
Opcode Fuzzy Hash: 1cf4c9fc596d9f1644e3d848eecd2213aadc858f7f4597690199ac55fac1184a
Instruction Fuzzy Hash: ABF0A0B0C09208DFCB48DFA4E6485AEBB71EF8A304F2191EAD845A7711D7740E0ACF55

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1488, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33dd648e49c58b7927ddbdfb29237bb06a0635501395861d50d99b74a7b502ed
Instruction ID: ca1756e9b57b9e8395ddb85ecd0b47824266b3c61c9a7fa17b062e47fdfef82b
Opcode Fuzzy Hash: 33dd648e49c58b7927ddbdfb29237bb06a0635501395861d50d99b74a7b502ed
Instruction Fuzzy Hash: CBE0EDB1C06208DFCB08CFA8D5105ACBF34EB41300F2282EED800A3711C2381A49CF45

Uniqueness

Uniqueness Score: -1.00%

Function 06BF29CF, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e93447dcf5b41771420c6ac4a199ab3e80c9eec46e7d4947682354a32c5d00cc
Instruction ID: b78cc851b69ed90bb47929296e623a14529698ca9ccb9943d63278e890da3421
Opcode Fuzzy Hash: e93447dcf5b41771420c6ac4a199ab3e80c9eec46e7d4947682354a32c5d00cc
Instruction Fuzzy Hash: 17F058748052489FCB44CFE4C5406ACBB70AB49300F2481EAC84557762C6354B45EB50

Uniqueness

Uniqueness Score: -1.00%

Function 06BF13F1, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 751a8708c910668995eaa195a843c709374fe8c5cdc115969e25abaa6acd16a3
Instruction ID: 6d13a897b61db3e4b5e95b9403bfd68adcebbca7cfb831c0fb577a106ae6a3fc
Opcode Fuzzy Hash: 751a8708c910668995eaa195a843c709374fe8c5cdc115969e25abaa6acd16a3
Instruction Fuzzy Hash: 17E0DFB080A285CFCB19DFA4E40A9AEBF70AF82305F2002EAD00563252C6740A48CF65

Uniqueness

Uniqueness Score: -1.00%

Function 06BF03CF, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac4aaf4e7fefe9aee6431ced65a74913dbbd81681a177ad90ed148e9e0480a20
Instruction ID: 9543d9617442d8f9c039689dbdd3748f803e87d977fe304e466c2507a86d26d2
Opcode Fuzzy Hash: ac4aaf4e7fefe9aee6431ced65a74913dbbd81681a177ad90ed148e9e0480a20
Instruction Fuzzy Hash: 5EE0D87084B284CFD769DBB4D5555ADBF74DF0B209F1402DAD44553562C5700A48CB51

Uniqueness

Uniqueness Score: -1.00%

Function 06BF2A21, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f2c114fcb8e2bf132144a1e89c4594b0b3eb5ce784596dd1b1a9bfd1d0c24fa
Instruction ID: 263e0f166e44591cbf10be3edad448756b0ab2372376c72f356c86627abf773a
Opcode Fuzzy Hash: 2f2c114fcb8e2bf132144a1e89c4594b0b3eb5ce784596dd1b1a9bfd1d0c24fa
Instruction Fuzzy Hash: 0EF06DB0D06108DFDB98DFD8D5816ACBBB0EF89304F2481EED85997362C6359A46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 06BF2A69, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47014d0617bab70e2a68989bafad99cf4c7a59a13a55970145de8cd04f9fe160
Instruction ID: 31d0db98896a892802aed1e0611af556a0696350f269fca5e0bb3c013a6ca673
Opcode Fuzzy Hash: 47014d0617bab70e2a68989bafad99cf4c7a59a13a55970145de8cd04f9fe160
Instruction Fuzzy Hash: C2E0C2B0C9A3089FCBA9DBF494426FA3BB89F43300F2155DEC00653162C1340E46D711

Uniqueness

Uniqueness Score: -1.00%

Function 06BF29E0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cbc3f2d4fa303ebabed143e7629859687f20ac7147d13d0efc9dbfc1ce307e
Instruction ID: d82e4db8e0342c63fed8f5074c15527e045680c6de2300f3432798fa144db520
Opcode Fuzzy Hash: c3cbc3f2d4fa303ebabed143e7629859687f20ac7147d13d0efc9dbfc1ce307e
Instruction Fuzzy Hash: FCE0E5B4D04208AFCB84DFD8D541AACBBB4EB48300F14C1EA985857352CA359A55EB95

Uniqueness

Uniqueness Score: -1.00%

Function 06BF2A30, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de1a5967d32e6d999260c8973543b42e24d988f11196006beb86cbb949dadad
Instruction ID: d7c648750e74a1fd24ca363a2fca95f6c888821257fd47838951ab843d8c7091
Opcode Fuzzy Hash: 9de1a5967d32e6d999260c8973543b42e24d988f11196006beb86cbb949dadad
Instruction Fuzzy Hash: 14E09AB4D05108EFCB54DFD8D5416ACBBB4EB49304F2481E9981857361D631AA45CB85

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1498, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cb6d634444ee7024824245f3b2644a341f2a5b1049059bc9221136ea339cbff
Instruction ID: 1d37345e60cb596ec7a199ad85d981c20695daa123819e6c917b9e08d3b57bcb
Opcode Fuzzy Hash: 5cb6d634444ee7024824245f3b2644a341f2a5b1049059bc9221136ea339cbff
Instruction Fuzzy Hash: 3FE0B6B4D05208EFCB44EFE8D545AADBBB8EB84304F1082ED991463751D6742A94CF85

Uniqueness

Uniqueness Score: -1.00%

Function 06BF1400, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8bc1246dcfd9d83f4111fc512d66a30f59f47cddd270363e63e7a91eda2f0b
Instruction ID: 4d446f84351a6c8c16f5570b6e1136e8573afa6306a417e84f8c5231942ce2e2
Opcode Fuzzy Hash: 5b8bc1246dcfd9d83f4111fc512d66a30f59f47cddd270363e63e7a91eda2f0b
Instruction Fuzzy Hash: F6D017B0815208DFCB18EFE8E54AAADBB78AB86305F2051E9890823251C6701A58CF99

Uniqueness

Uniqueness Score: -1.00%

Function 06BF03E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ed392fb3f3f2c75f94ec12aebee683c47d67d4b0cc0f354a5aa085ac5e4fc9
Instruction ID: 7f8c429ef94fa8a38fd1a028772e0f5906e9b01a3474c4d53563bb956ad11fa1
Opcode Fuzzy Hash: c8ed392fb3f3f2c75f94ec12aebee683c47d67d4b0cc0f354a5aa085ac5e4fc9
Instruction Fuzzy Hash: 65D05BB4C5510CDFC768EFE8D54595CFBB8DB09301F1000E9C90553351D6705948C755

Uniqueness

Uniqueness Score: -1.00%

Function 06BF2A78, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.336910266.0000000006BF0000.00000040.00000001.sdmp, Offset: 06BF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7776bcee198cd4fbd335e4af6310715213a053b43a123e087bc76f78bb803c7c
Instruction ID: ff0678aa5e7b17e200d4160466f6c5fd12f504fcc0f125e78177969d49e85a04
Opcode Fuzzy Hash: 7776bcee198cd4fbd335e4af6310715213a053b43a123e087bc76f78bb803c7c
Instruction Fuzzy Hash: D0D022B086620CDBC320DBE8D442BAE77ACDB02700F2010DC8508132119A306E14C295

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: doa8GHSloq.exe PID: 5356 Parent PID: 3860 doa8GHSloq.exeCOMMON

Executed Functions

Function 04EE23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d468716f53109d39b6139a3ef2b275eb1700e9903d9945177fae6da9f3b62e
Instruction ID: 38ec9eb202a97ac0fe679c460ff4a6cafc24b9a7220a5c9d7f5f50e1fd885ff3
Opcode Fuzzy Hash: e5d468716f53109d39b6139a3ef2b275eb1700e9903d9945177fae6da9f3b62e
Instruction Fuzzy Hash: 4812CB30A00215CFCB24DF66C9846BDBBF6BF84308F1891AAD506EB355EB75AC45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c36b97fe5d7243cb12873d0d996b9c3e559979747ee9e5128ff18ce6ac2823
Instruction ID: 036ad46e85aaac1c93bbf092ef2eed19c3bb33632a127afc05ba8c065b631c9d
Opcode Fuzzy Hash: b9c36b97fe5d7243cb12873d0d996b9c3e559979747ee9e5128ff18ce6ac2823
Instruction Fuzzy Hash: C481B131F005159BC714DB69D894AAEB7F3AFC8310F2A8075E815EB366EE35ED018B90

Uniqueness

Uniqueness Score: -1.00%

Function 04EE09A5, Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

X1q, xrefs: 04EE0A98
X1q, xrefs: 04EE0AA2
X1q, xrefs: 04EE0A5A
X1q, xrefs: 04EE0A50

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: X1q$X1q$X1q$X1q
API String ID: 0-1201878573
Opcode ID: f4fc3a7feb42f25389cf215e58865ebc5473459490d4a8748ade373efa7219a0
Instruction ID: 7340f981a4183ad5371e4e44c576490489fd4ea182ec5cc89f4a4b79ee9273b6
Opcode Fuzzy Hash: f4fc3a7feb42f25389cf215e58865ebc5473459490d4a8748ade373efa7219a0
Instruction Fuzzy Hash: 3151D631B04265EFCB149BA5D854ABEB7F2FF44304F1485A9E446DB351EBB0AD02DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 04EE12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$gq, xrefs: 04EE1349

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 505edf56fbb857eea7ecaa785ef1e9ed0fef5adb33d39221abe7021fb1f57e41
Instruction ID: 2ee9d2f2b6f9fb143d1c2f6e938b431ca4dab76ad1daf0e444bd681f27366729
Opcode Fuzzy Hash: 505edf56fbb857eea7ecaa785ef1e9ed0fef5adb33d39221abe7021fb1f57e41
Instruction Fuzzy Hash: 9E220434A00A55CFCB24DF29C980AAAF7F2FF88304F148599D85A9B756DB34AD85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 050001F4, Relevance: 1.6, APIs: 1, Instructions: 100synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0500019D

Memory Dump Source

Source File: 00000012.00000002.343924660.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b8a6f47e0d4eb1ffa1fb64b43f77b8cffa970379e3a7d089b094e450fe295203
Instruction ID: d5b02e4897bb747ef1bcc53d9c2507a5b54eb8d004e277a70311e899d26262eb
Opcode Fuzzy Hash: b8a6f47e0d4eb1ffa1fb64b43f77b8cffa970379e3a7d089b094e450fe295203
Instruction Fuzzy Hash: CD31B8755053849FE711CF14E859BA5BFA4FF46220F0880EFDD858F293D2759508C762

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00DCAAB1

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 02331fef45bf9445ae6418846da9c134c1ba0c4d9c6330916961c80956ddbdf7
Instruction ID: 616d5fe93070d892d28b6f2d09b267db31eeee9277312afd9b5f7ce1b9f992b1
Opcode Fuzzy Hash: 02331fef45bf9445ae6418846da9c134c1ba0c4d9c6330916961c80956ddbdf7
Instruction Fuzzy Hash: FB31D6724443846FE7228B25CD45F67BFACEF06310F08859AED80DB152D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,A8DEC9C8,00000000,00000000,00000000,00000000), ref: 00DCABB4

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 573814157e5683775ab88dc9d50f4ce59b056f1d78fdffb2d5c95d14c808c952
Instruction ID: 2d9656f24d1b98429711783d9d7641834c7408ba8b2a2538c66c125e1565109b
Opcode Fuzzy Hash: 573814157e5683775ab88dc9d50f4ce59b056f1d78fdffb2d5c95d14c808c952
Instruction Fuzzy Hash: D9318F721093846FE722CB25CC45FA6BFA8EF06314F18859EE985DB152D264E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 050000F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0500019D

Memory Dump Source

Source File: 00000012.00000002.343924660.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 2361fe80b17c670d4b54813ff61700e08d72ac86cd5d60410a13c9c351b80eab
Instruction ID: 9d205f156439e7de09e9e04cd75ca3934ff60b0eca36baad5c5a22cc8ee7f292
Opcode Fuzzy Hash: 2361fe80b17c670d4b54813ff61700e08d72ac86cd5d60410a13c9c351b80eab
Instruction Fuzzy Hash: 293191715097806FE722CB25DD85F9AFFF8EF06210F08849AE984CB292D375A908C761

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAF50, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00DCAFEA

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: b150f08b7a14372f08fbb1eda8ef5573d892ff3ffcf55273b0c588438bc5c2b1
Instruction ID: ce4e4f87130ab556034cdf38c5bd3d401c32d73b2a670bdeea2202dfb50eb29e
Opcode Fuzzy Hash: b150f08b7a14372f08fbb1eda8ef5573d892ff3ffcf55273b0c588438bc5c2b1
Instruction Fuzzy Hash: 4D21817540D3C06FD3138B258C51B65BFB4EF87614F0A81DBE884CB5A3D229A919CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00DCAAB1

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 46e58e5dd263d192946d0601e67a81f4569f80a12d804d0e54b8ffecddc75476
Instruction ID: 1c9ef374961a25f7ee8e9bba2fcd299a11b2879dbb1bd33ca817082eec91cfec
Opcode Fuzzy Hash: 46e58e5dd263d192946d0601e67a81f4569f80a12d804d0e54b8ffecddc75476
Instruction Fuzzy Hash: 9A219272500204AFE7219F19CE45F6AFBECEF04310F14855AED85DB241D664E908CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 0500012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 0500019D

Memory Dump Source

Source File: 00000012.00000002.343924660.0000000005000000.00000040.00000001.sdmp, Offset: 05000000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 72f1a984e8adcfc25766b53497210d4bd2849998e90285d764b04a93068c1d9f
Instruction ID: 8437fae911cca5e36d676e33af91450e84ce6d7633891ca3ff13a3a3b831c419
Opcode Fuzzy Hash: 72f1a984e8adcfc25766b53497210d4bd2849998e90285d764b04a93068c1d9f
Instruction Fuzzy Hash: 22218E71504244AFF721DF29ED89BAAFBE8EF04310F18846AED498B282D775E504CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,A8DEC9C8,00000000,00000000,00000000,00000000), ref: 00DCABB4

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 32382c80e4df1b0773c264179ea5e2e79c98714bd14eb5df7ac6130108ba45a1
Instruction ID: 5b01e2b784c2d3d78eb400c151affd6c56bc2904fa1bbb3373922481af8211f9
Opcode Fuzzy Hash: 32382c80e4df1b0773c264179ea5e2e79c98714bd14eb5df7ac6130108ba45a1
Instruction Fuzzy Hash: BC216D71500208AFE721CE29CD85F66FBEDEF04715F18856AED45DB252D260E808CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00DCB841

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dc04542cf6187a60cad934fbb402f2d00d298f0841f0e12e60732cfd9e3ce098
Instruction ID: d8211ec439b13f059a3ca3bd716cb301d51405ffcb9f8ffa1e6afd5c8eda4817
Opcode Fuzzy Hash: dc04542cf6187a60cad934fbb402f2d00d298f0841f0e12e60732cfd9e3ce098
Instruction Fuzzy Hash: A4218C724097C09FDB228B61DC51AA2BFB4EF17320F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DCA58A

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d6e8b9be4b6914372562a4b093d652adb65722d52057effc8116cd50baa4808f
Instruction ID: 1db55b51b8244d435721a0e94692fcc3882e635c551ce2e478b7b2dc5885ca6a
Opcode Fuzzy Hash: d6e8b9be4b6914372562a4b093d652adb65722d52057effc8116cd50baa4808f
Instruction Fuzzy Hash: BE117272409384AFDB228F55DC44F62FFF4EF4A324F08859EED858B162C275A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCBB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00DCBBB9

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9c8619009be828ada243405ada7868f61b96ba7aca991e25476474891e5ef350
Instruction ID: 4c325702ff451334c6a3da92ae90e767bbc2515560bd668760db6b30bbbc45f4
Opcode Fuzzy Hash: 9c8619009be828ada243405ada7868f61b96ba7aca991e25476474891e5ef350
Instruction Fuzzy Hash: E911BE364093C0AFDB228F25CC45B52FFB4EF16220F0885DEED858B563D265A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCBE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00DCBE70

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: e555a146431118106a249d8b58272959e9c8e4bf724305df22e2e35de2582585
Instruction ID: b11e1c3bac1947808f62a2136ddd5000abb8ca5d24b72c4f10030c31f9f2455e
Opcode Fuzzy Hash: e555a146431118106a249d8b58272959e9c8e4bf724305df22e2e35de2582585
Instruction Fuzzy Hash: ED116D754093C09FD7128B259C44B61BFB4EF57624F0984DEED848F253D2695808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00DCB78A

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 183e16ba3a5a70b42b8db753db39cc1242d38db0ac143f17b8361f42fc98af29
Instruction ID: 6889af6ee35551a2e822558038b8d68caa0c63100c4539b9fd13063435b16477
Opcode Fuzzy Hash: 183e16ba3a5a70b42b8db753db39cc1242d38db0ac143f17b8361f42fc98af29
Instruction Fuzzy Hash: 8B115C32409384AFDB228F55DC44A56FFF4FF49320F09859EED858B562C379A458CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCBEB4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 00DCBF0C

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: df7bb1397f408bac7de97a1b89286c0756877144cd0da430e317b6c395445765
Instruction ID: 6b52253d739cce65f3b591833d42744bfea4be45338da28f2fdec3a43050771e
Opcode Fuzzy Hash: df7bb1397f408bac7de97a1b89286c0756877144cd0da430e317b6c395445765
Instruction Fuzzy Hash: DE1191725053809FD711CF25DC85B56BFE8EF46220F0884AEED85CF252D275E848CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00DCA7BC

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 686d0300c129275cb0e8787752527e9a86f1dcb2053bd9810f4f63ae1dcb3ceb
Instruction ID: 919211e55db06635730b765ad2fe0676473119a8e7d90cd2c322fdad509d06ff
Opcode Fuzzy Hash: 686d0300c129275cb0e8787752527e9a86f1dcb2053bd9810f4f63ae1dcb3ceb
Instruction Fuzzy Hash: 14118F714493849FD712CF15DC44B52BFB4EF42225F0984EBED858F293D279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00DCA926

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 9b6557090e96b22a48b65ae0a0ec0997e7e34925cfee1a58ac67d697778062fb
Instruction ID: 5a312d6d666883a8c292173f9800907c87eb7f5da5aa7a83c575c4adf0e67221
Opcode Fuzzy Hash: 9b6557090e96b22a48b65ae0a0ec0997e7e34925cfee1a58ac67d697778062fb
Instruction Fuzzy Hash: 49117C324097849FD722CF15DC85B52FFB4EF56320F09859AED858B262C379A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCBED2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNELBASE(?), ref: 00DCBF0C

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 76bdee2c70c3e4b2ec99032d6604f606476735a8eec2592b2aac6c179a3a7de0
Instruction ID: 112c67c84aa6f05dd0006ab85031ac356b18ed21ad894bd79dd02c92bf5e98fb
Opcode Fuzzy Hash: 76bdee2c70c3e4b2ec99032d6604f606476735a8eec2592b2aac6c179a3a7de0
Instruction Fuzzy Hash: D80169716002419FDB11CF29DD85B66BB98EF40221F1884AEED89CB742D275E8088E62

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 00DCB78A

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b268477666831df79747e0f3c717962c796e03913734e8daab469a5d97a651ee
Instruction ID: b5a7b2b5da07a0179e1070824d7183d2fe829ecc8305106baf9b3bdd9a32ecf6
Opcode Fuzzy Hash: b268477666831df79747e0f3c717962c796e03913734e8daab469a5d97a651ee
Instruction Fuzzy Hash: FB0179324007409FDB218F55D945B66FBE0EF48321F1885AEEE898B662C375E418DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00DCA58A

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 3ceff96b3d63ab47042b996b284d5e0ea9a866fe280e9100b3789bb8b600ba9d
Instruction ID: 2ac4d68aae4302eddff2ce13b568f2464f3bb2006ee274c270f50d4bfc3b4803
Opcode Fuzzy Hash: 3ceff96b3d63ab47042b996b284d5e0ea9a866fe280e9100b3789bb8b600ba9d
Instruction Fuzzy Hash: 2F01AD324002449FDB218F59D944B56FFE0EF48321F18C59EEE898B652C275E418DF72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCAF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00DCAFEA

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 08d614938773c091b5d27d7c05d49f381a4ba37a403ac2dfeb35bad77541e76c
Instruction ID: 6569520571fa1900d626a6ddb334c189224222af12a7bc89c58f2a178e5914fe
Opcode Fuzzy Hash: 08d614938773c091b5d27d7c05d49f381a4ba37a403ac2dfeb35bad77541e76c
Instruction Fuzzy Hash: B401AD75500200ABD250DF1ADC82F26FBE8FB88B20F14C15AED088B741E675F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00DCBB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00DCBBB9

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2c56aef55a0ada1f52ca49ae250fc83f284bdc8e4b7fb228ccce38231ffe97ca
Instruction ID: c085d3e6534c66f61e9d664af62cbb6b90410594a1142b373532c02530692ed7
Opcode Fuzzy Hash: 2c56aef55a0ada1f52ca49ae250fc83f284bdc8e4b7fb228ccce38231ffe97ca
Instruction Fuzzy Hash: 4C019E355002408FDB218F15D945B66FBA4EF14321F08809EED858B666C375E818DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 00DCA7BC

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e18d65ce90c691a86adeb57e4e52bf9d7bdf859ac8455ba271165cdee81b4e3f
Instruction ID: 5596d6a81930f8e2a110218be0915a0a1731e3764f45f87b0439be96f9492dc0
Opcode Fuzzy Hash: e18d65ce90c691a86adeb57e4e52bf9d7bdf859ac8455ba271165cdee81b4e3f
Instruction Fuzzy Hash: E201D1758002449FDB11CF19D988B65FFE4EF44325F18C4AADD488F642D278A808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCB806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 00DCB841

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 10816b46086bf4259e192cbdfd151a54e22b999ed5feeb29346087884ad47642
Instruction ID: 95988bb96da396ab1dd4e4a737d98d154e287acd35386cc5c3fe5eb0a88ee00f
Opcode Fuzzy Hash: 10816b46086bf4259e192cbdfd151a54e22b999ed5feeb29346087884ad47642
Instruction Fuzzy Hash: 93018B31800240DFDB218F56D985B65FFA8EF18721F08C49EED894B622D375E418DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00DCA8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00DCA926

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 314f64ace3013046a8d04160e06ee9e3c0f9168da8698e1b2edf4278dd36359e
Instruction ID: 3da5c01331cb09c26787a3ac0a837775a77f51ff9e693da3dfa3ee5810d9ce4a
Opcode Fuzzy Hash: 314f64ace3013046a8d04160e06ee9e3c0f9168da8698e1b2edf4278dd36359e
Instruction Fuzzy Hash: FD01AD314006448FDB218F09D986B61FFA4EF15325F08C5AADD8A4B652C275A808DF73

Uniqueness

Uniqueness Score: -1.00%

Function 00DCBE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 00DCBE70

Memory Dump Source

Source File: 00000012.00000002.342784479.0000000000DCA000.00000040.00000001.sdmp, Offset: 00DCA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: d5a890bd864e951c9d5e3f791ecdbd730f43701a1242f5f6e03e411a0078b775
Instruction ID: 6316cba47fc807b3372dbfdff2b2a5bde8c2613e4ed5ed7ae9ce31cf5f5c180e
Opcode Fuzzy Hash: d5a890bd864e951c9d5e3f791ecdbd730f43701a1242f5f6e03e411a0078b775
Instruction Fuzzy Hash: D9F081358042848FDB118F05D985BA5FFA4EF14721F18C49AEE494B252D375E408CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 04EE20D0, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

r*+, xrefs: 04EE230F

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 4f676dceb3105160e71f4bde31402d86e5524909d1ed0f06a07c7bd7ec8074de
Instruction ID: 66714b545c28535c5ca62bf463d6e66a44721811758ffa11aa542f3dd4f3da84
Opcode Fuzzy Hash: 4f676dceb3105160e71f4bde31402d86e5524909d1ed0f06a07c7bd7ec8074de
Instruction Fuzzy Hash: 99717130E09249CFCB04DFA5C8456BEBBB5FF48300F1495AAD612DB256E731AE41DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04EE02E8, Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

`5q, xrefs: 04EE03A5

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: `5q
API String ID: 0-3867205651
Opcode ID: 8b3d57087cedd09edd658dde17423d8237b866b16fcd97ca7af18d368b8db848
Instruction ID: 9b0cdf27cc1fc1461d235b8849cee8d7a12fd154c31f105e04a31b7254518019
Opcode Fuzzy Hash: 8b3d57087cedd09edd658dde17423d8237b866b16fcd97ca7af18d368b8db848
Instruction Fuzzy Hash: 76416D34B012168FDB18DF69C5547BEB7B3FF88310F249169E506AB395DB72AC018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0BC0, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

hXMr, xrefs: 04EE0C78

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: hXMr
API String ID: 0-1185242784
Opcode ID: 1c5988423ffa4c2d0e61dd701a065965d2e6dd6a64c9c04da77cf4d7b65b8f56
Instruction ID: f867ac563f6fe86fae7ec0b38cccf27b0ba7cdfa08c497670c3f5986107cd055
Opcode Fuzzy Hash: 1c5988423ffa4c2d0e61dd701a065965d2e6dd6a64c9c04da77cf4d7b65b8f56
Instruction Fuzzy Hash: 1B41FA31B051188FC7159B6AC4146BE77E7FFC5310F1580AAE80AEF361DEB5AD058792

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2D58, Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

, xrefs: 04EE2E76

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1af6441b8306d108f214640b8a7faefba93325bdffe6204363a1b13894de13ab
Instruction ID: b2fc73f8f1b9ee19b297af33bae9a3b947dbec2e5bfbe5167466f6b5e30efa20
Opcode Fuzzy Hash: 1af6441b8306d108f214640b8a7faefba93325bdffe6204363a1b13894de13ab
Instruction Fuzzy Hash: 9241C570F04225CBCB11DF6AC8805FEB766ABC0318B28D5B6C616DB755E731F8028B92

Uniqueness

Uniqueness Score: -1.00%

Function 04EE1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$gq, xrefs: 04EE14C7

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 2c0728253a4806d127f397af05d1b2e5b56ffc43a37f2d7502ee37b029360e7d
Instruction ID: 7113ac24712e8755497605acf7136e33326732c159656ad18790d73211f7fabe
Opcode Fuzzy Hash: 2c0728253a4806d127f397af05d1b2e5b56ffc43a37f2d7502ee37b029360e7d
Instruction Fuzzy Hash: ED51E334A00259CFDB14DF65C894BADBBB2BF49304F5440E9D40AAB366DB35AE88CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE1290, Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

$gq, xrefs: 04EE1349

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: fc528dc6ea55b07e96e89ecdf7c5294af6badef246afe9fc5f5e30d207a649cc
Instruction ID: 0cacac6ab1503043afb9d942421eaad6c756dda7521f14e6771ecba6f5b3005d
Opcode Fuzzy Hash: fc528dc6ea55b07e96e89ecdf7c5294af6badef246afe9fc5f5e30d207a649cc
Instruction Fuzzy Hash: F2410534A04259CFCB60DF69C884BEDBBB1BB49344F1440A9D44AAB355DB30AD84DF61

Uniqueness

Uniqueness Score: -1.00%

Function 04EE05B9, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

8$q, xrefs: 04EE05D6

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: 8$q
API String ID: 0-2903697390
Opcode ID: a1e9aa66c1f1fa1fb720d21f1724fd06765bc2cc77069ac9fa0c27eb56c6b57a
Instruction ID: cd4d3679ae9eed72103f6edced139ce83dbcb7ee1b5117c5326ec4b60e3076b2
Opcode Fuzzy Hash: a1e9aa66c1f1fa1fb720d21f1724fd06765bc2cc77069ac9fa0c27eb56c6b57a
Instruction Fuzzy Hash: 2001F4617051620FC719337E29226BF179B6FC5655B18012FF006EB3EAECA85C4753E6

Uniqueness

Uniqueness Score: -1.00%

Function 04EE05C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8$q, xrefs: 04EE05D6

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID: 8$q
API String ID: 0-2903697390
Opcode ID: 0a7a56e11aefd9fcbed7467bac195b57229189573bde2a06abc42c563d487128
Instruction ID: 1d0455668b0c1bc9ccd9eef5ecc2ac58c26d69f52768a2a5767ce23e599dcee6
Opcode Fuzzy Hash: 0a7a56e11aefd9fcbed7467bac195b57229189573bde2a06abc42c563d487128
Instruction Fuzzy Hash: 04F090217001260BC609337E65126BF228FABC5A52F18443FF106E73A9EDA5AC4353F6

Uniqueness

Uniqueness Score: -1.00%

Function 00E202A8, Relevance: .4, Instructions: 432COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.342952491.0000000000E20000.00000040.00000040.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e7c99f985daf493c81f7bab49fa91f6100d244e92d63ddc151ad1a4e54f270
Instruction ID: c76006af6ce8e44e506d3c2449648d85e3de1ddd510c147b36457a9000d05280
Opcode Fuzzy Hash: 16e7c99f985daf493c81f7bab49fa91f6100d244e92d63ddc151ad1a4e54f270
Instruction Fuzzy Hash: 1431F3A698F3C05FD7138731AC24451BFB49E9322471E84EBD8C5CF5A3D219580ACB63

Uniqueness

Uniqueness Score: -1.00%

Function 04EE3B0B, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bbe3dae198a413b2238f52067629cb8c85889b9bab035deebbcdc28a25f34bc
Instruction ID: fb56a27a1df7094095f51a29a825bbeb093f6ea8b6e44052bc8ed53e0d76dff9
Opcode Fuzzy Hash: 7bbe3dae198a413b2238f52067629cb8c85889b9bab035deebbcdc28a25f34bc
Instruction Fuzzy Hash: 1651AC31600115CFCB15CF59D984AB9BBB2FF88314B29C5AAE90A9F266D731EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0681, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 563d73d2a3aa57fb3585159dfe4528cb1e7f882031a2a4dcdb1e63e332c4bf43
Instruction ID: 964e598cf88dc36165404bf6164512be4dccb7c0d4506b2de3fac1d0226fca4e
Opcode Fuzzy Hash: 563d73d2a3aa57fb3585159dfe4528cb1e7f882031a2a4dcdb1e63e332c4bf43
Instruction Fuzzy Hash: DF41673060A3928BC7057B75EC0D66D3B66BF81306B1855AAF402CB3B5EF604C019BB5

Uniqueness

Uniqueness Score: -1.00%

Function 04EE02D9, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6677d17e4474e920c0fa1baaec40317fe62f9dd2ef38236f3bcb175186719fe
Instruction ID: 882fcac32cd6784af39996757e38ca9fc5250e1e22a6ba868602ec88d85a5d14
Opcode Fuzzy Hash: b6677d17e4474e920c0fa1baaec40317fe62f9dd2ef38236f3bcb175186719fe
Instruction Fuzzy Hash: 7D419D30B002168FDB18CF69C194BBEBBB2EF89310F109469D402AB392DBB1BC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0006, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841b6d0c4cd8bbc91dc1a9a9a09b442cfd55ddfa16dc4cf34a9d75c5d341360a
Instruction ID: 36c92bb509d30e7f63a0eb71d6883066988e61a90ffb44bb0aad46c90c44f45d
Opcode Fuzzy Hash: 841b6d0c4cd8bbc91dc1a9a9a09b442cfd55ddfa16dc4cf34a9d75c5d341360a
Instruction Fuzzy Hash: 1F31447150E3C28FC706AB7488695583FB1EF53204B4944DFD482CB29BE6799C0AD763

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2C58, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a5618cfb56e192955622a43a03297b21e3cf9c058844decac83e9d063600f0
Instruction ID: 0dd546762f3020080f22de317356b5db29fe0a36e49073eba17ad85a2095c07c
Opcode Fuzzy Hash: b4a5618cfb56e192955622a43a03297b21e3cf9c058844decac83e9d063600f0
Instruction Fuzzy Hash: E9212534708246DFC7159F2BD8849B9BBADFF46314B1951E7E246CB292DB21BC00D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 04EE21E9, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aeb75849e1f6633099efe3f832a8bda1290a441b94bea62033d2ef6a2c0969a
Instruction ID: 32ff4aeacede1962ff6e624320d3d5674e227c88a88e44112ce437bc7e162679
Opcode Fuzzy Hash: 0aeb75849e1f6633099efe3f832a8bda1290a441b94bea62033d2ef6a2c0969a
Instruction Fuzzy Hash: 5B313E70E08209DFCB44DFA6C5456FDBBB5FB48304F1058EAC502D7266EB30AA45DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04EE25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac0b94698a85072ac5c7595226a54cb9b26844215b3377ee84ab73050bcb6e2
Instruction ID: 96fb17492b9201fc4d27e5e91d83eddde87edbc5a96782b0041d0eebc4f6ec4c
Opcode Fuzzy Hash: fac0b94698a85072ac5c7595226a54cb9b26844215b3377ee84ab73050bcb6e2
Instruction Fuzzy Hash: ED31AE30E00346CFDB20DF66C94466ABBB2BF44308F14D66AC105EB229DB74A949CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04EE4190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe3949c02d9d6b5c9132c3051121932aa0e8c6ace31209e80e21d0f2f534ca93
Instruction ID: 003921bd391b002b4399fbb88abeab23a33a29d2971458cdf5bb1d08834f48fc
Opcode Fuzzy Hash: fe3949c02d9d6b5c9132c3051121932aa0e8c6ace31209e80e21d0f2f534ca93
Instruction Fuzzy Hash: 9F110631B002169BDB15EBB6D8456FF7AA6AFC8300B50413FD407D7286FE716800A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E2087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.342952491.0000000000E20000.00000040.00000040.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17161434fa9bfb99ed1371a4ecebe0a70d8304235eaf7c96d23397a28879e25
Instruction ID: 465c940ce422401a7e24b56fb33185e319662d2dca3fd054162e87a788209414
Opcode Fuzzy Hash: f17161434fa9bfb99ed1371a4ecebe0a70d8304235eaf7c96d23397a28879e25
Instruction Fuzzy Hash: 3B110634204284DFD319CB14E944B26FBD1EB88708F24C99CE9492B783C37BD843CA91

Uniqueness

Uniqueness Score: -1.00%

Function 04EE238F, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf75734352f91bfe869713b171693e42cf44faec2dd7276005cac4908b5dc59
Instruction ID: d347f44e159bcfa462f3c2332adae116fffa1a8947815a0cc05a16c194fc4464
Opcode Fuzzy Hash: bdf75734352f91bfe869713b171693e42cf44faec2dd7276005cac4908b5dc59
Instruction Fuzzy Hash: 45119170E04249CFCB148F66C945AFD7BB5EB44314F1016A9C212A7384EB701842EF51

Uniqueness

Uniqueness Score: -1.00%

Function 04EE1213, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9369e5867203ba4a3c5398b51e771e33381a25c07128f05fd84c7fb4c07a8127
Instruction ID: 562e5dde5356555bbf04b70f5737b274cde12706725b25bcd74111aece5566e3
Opcode Fuzzy Hash: 9369e5867203ba4a3c5398b51e771e33381a25c07128f05fd84c7fb4c07a8127
Instruction Fuzzy Hash: 710162303041508FC704972DD8589BDB7E6BFC9700B2440AEE406CB776DF719C49AB81

Uniqueness

Uniqueness Score: -1.00%

Function 04EE1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4054a7548eec69d59b4274f1cdb252f27b31d56c6db909f37985ed3dba9a124
Instruction ID: acefdc209af1c814302c495843d7d1d70e393076a8eec7b6074820cfdc1b137c
Opcode Fuzzy Hash: d4054a7548eec69d59b4274f1cdb252f27b31d56c6db909f37985ed3dba9a124
Instruction Fuzzy Hash: EF018130304150CFC708A72DD8589BDB7EABFC9700B2440AAE006CB376DF71AC48A782

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0908, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d2b5963a1799ea6e74f74442e0e9e88d4d4e57d952e1113aba8243177368e6
Instruction ID: 5fd37c31754702c6dd4de9f49913d69fec0f4d0ff191b5cc2cd5d50d0a68d763
Opcode Fuzzy Hash: 55d2b5963a1799ea6e74f74442e0e9e88d4d4e57d952e1113aba8243177368e6
Instruction Fuzzy Hash: B5F02B31B4936C4FD7105AFAA9585FFBBD597D1360B015677CB07D3201FAE82843A291

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1a82837cfbdcdc59e9a903af594f042cbafc0c699c7985e6fecab590872e50
Instruction ID: 6d98345a440e362adced2ab99af2108930e72f81b3f89285ac10b54f3ce3c251
Opcode Fuzzy Hash: cc1a82837cfbdcdc59e9a903af594f042cbafc0c699c7985e6fecab590872e50
Instruction Fuzzy Hash: 0FE05532F152389ADB104EFBA9040FFBBA897C0260F0005238B0BA3200FAF568016292

Uniqueness

Uniqueness Score: -1.00%

Function 04EE418B, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496de5ca79d57ba381803cb609dcf602be0abbc029cd6d30ac8582c7aaa9ddcf
Instruction ID: 973f2798d0a95a375865c2bc1046d972b26dbf9207f65100349445231ad8af3c
Opcode Fuzzy Hash: 496de5ca79d57ba381803cb609dcf602be0abbc029cd6d30ac8582c7aaa9ddcf
Instruction Fuzzy Hash: 4EE02235B09328DADF206ABB78490FFBFA4DBD5280700067BD40BC2181F6B26005A520

Uniqueness

Uniqueness Score: -1.00%

Function 00E20938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.342952491.0000000000E20000.00000040.00000040.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction ID: 7f1cfd9a33ee3171782fa2ca600226ed99694572d2dd83945a00cb046026d7a8
Opcode Fuzzy Hash: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction Fuzzy Hash: 8AF0FB35104644DFC216CB04D540B16FBA2EB89718F24C6A9E9491B752C3379812DA81

Uniqueness

Uniqueness Score: -1.00%

Function 00E205F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.342952491.0000000000E20000.00000040.00000040.sdmp, Offset: 00E20000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589c88f8ac57c49a5e1f61f35b71808504857e1fa06c3e3faa01c4fbeb51bc37
Instruction ID: a16b251e2bfe1d96a865f1774cf24c92fd5ada7729ff264378c9fb8913bc418d
Opcode Fuzzy Hash: 589c88f8ac57c49a5e1f61f35b71808504857e1fa06c3e3faa01c4fbeb51bc37
Instruction Fuzzy Hash: 25E092766406008BD650CF0AEC41856FBE8EB84631B18C07FDC0D8B700D679B508CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 04EE064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a369a21de342457c4eebbba373d42ab645a187b933aaba95a0db3d7e4ea327c
Instruction ID: d5445d1223eaf69b4fff56d9d211f1f80145c116a866c510314be803a58f1bfe
Opcode Fuzzy Hash: 9a369a21de342457c4eebbba373d42ab645a187b933aaba95a0db3d7e4ea327c
Instruction Fuzzy Hash: DCD0A7F284A754CFC7011BB13C0A1F43B24DB9620470448F3D40145822A9717943D711

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2D20, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87216caaf456099576b909dc3f84f9d38f0d9a2f78bfb4c6d47ae8f1a981b5ee
Instruction ID: 1811901185cdef815cfa50d0b5b3419729049a4e2516cd5b86eaad6039507c2d
Opcode Fuzzy Hash: 87216caaf456099576b909dc3f84f9d38f0d9a2f78bfb4c6d47ae8f1a981b5ee
Instruction Fuzzy Hash: 83D0A735A4D284AEE2421B671C21FF83F088B39221F041BC7D36B440E57081E1015907

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0170, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a113d688bd8778dff5760fa324dcf234f992e573e24f7834d2a015cf37e89d14
Instruction ID: 2447ecaf36cd56559f43cf3654fe78bf4fdb4a688d1e187338e48ec091816bf8
Opcode Fuzzy Hash: a113d688bd8778dff5760fa324dcf234f992e573e24f7834d2a015cf37e89d14
Instruction Fuzzy Hash: C7D017B150A3508FCB16BB70A8A846C3B216E562293140BBED41AC77E5EAB2C480CA11

Uniqueness

Uniqueness Score: -1.00%

Function 04EE017B, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cd9495ba2ae696297f3eb4755206f9d27843a3481735b3914fb2895c2c23b5
Instruction ID: fef866b3252e8e740326d9c4b9f35e4e345311d34584e0c6760c46cd6ea8a285
Opcode Fuzzy Hash: a5cd9495ba2ae696297f3eb4755206f9d27843a3481735b3914fb2895c2c23b5
Instruction Fuzzy Hash: DCD0C931202308CFCB196B70F41D4687779AB8920571008BAE806CBB64DF36E881CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00DC23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.342762418.0000000000DC2000.00000040.00000001.sdmp, Offset: 00DC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f78164a13a3bb05b26931332b644155ed995711d7d9038b000a1eaa70cc88a
Instruction ID: 5056a5ab4785f2fdb9c1b966a9abb128d5025f23d8313172c7daf87285a42b65
Opcode Fuzzy Hash: e7f78164a13a3bb05b26931332b644155ed995711d7d9038b000a1eaa70cc88a
Instruction Fuzzy Hash: BFD05B792056C14FD3168A1CC169F553B94AF51704F4A44FDD8008B663C364D981D110

Uniqueness

Uniqueness Score: -1.00%

Function 04EE02AB, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dc80920dcdb203fa1d822145fc0a25ffdf42f021bf92ddfb94c8264d737bd3f
Instruction ID: d17daa74f949fb3a23e4c30ac96ca5d05bcb1bfda2a2e0b6b437164c4e62d452
Opcode Fuzzy Hash: 0dc80920dcdb203fa1d822145fc0a25ffdf42f021bf92ddfb94c8264d737bd3f
Instruction Fuzzy Hash: CDD0C931205A24C7C3A59B48FAA48E677E6FB8D700342896AF456D7B16DBB0BC058794

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2D2B, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de15bef8f434c6f540484cce2d573243e47a1a52a58b791f577b2b9d67993012
Instruction ID: 38ad71fa1fc3ecae34b4770ac5b39600d3c48b2c1dadfff63e91a064cea3e9d0
Opcode Fuzzy Hash: de15bef8f434c6f540484cce2d573243e47a1a52a58b791f577b2b9d67993012
Instruction Fuzzy Hash: 18C08C3038D608EAE2442E87AC1DFF4371CDB4C701F40A4E2B30B8E0E4BA61F0016157

Uniqueness

Uniqueness Score: -1.00%

Function 00DC23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.342762418.0000000000DC2000.00000040.00000001.sdmp, Offset: 00DC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec479d7595b5f0e3bb7677de9ba57ef79839ac3108f7ae881c03acb292a128a1
Instruction ID: 1b267f7e6b877fe68e3b5e852921016994595b1bdceb082c1c5ea3c5ef27ddad
Opcode Fuzzy Hash: ec479d7595b5f0e3bb7677de9ba57ef79839ac3108f7ae881c03acb292a128a1
Instruction Fuzzy Hash: CFD05E343102824BC716DB0CC698F6937D4AB41B00F0A44ECAC008B662C7B9DC81C610

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e0ea82cb7d81d2cddb79d95b1005898316e6c00e70b95d27a23e26003485f1
Instruction ID: e73abeb27b352b780396818506d1e710bbad99658bcd034faa87e5e72fc57da5
Opcode Fuzzy Hash: 47e0ea82cb7d81d2cddb79d95b1005898316e6c00e70b95d27a23e26003485f1
Instruction Fuzzy Hash: CAD01230202304CFCB182B70E41D42C33BAAB8820A70008BEE806C7768EF36E880CA90

Uniqueness

Uniqueness Score: -1.00%

Function 04EE2EC0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb09c960ceed3509a35961943069363393336f680c1e1b17532e9074b04e0f0c
Instruction ID: a0bffa1ff5fcf0dfac2127edeccf1e07f6df1d35a6be1a187fe0ac89601eeb6e
Opcode Fuzzy Hash: eb09c960ceed3509a35961943069363393336f680c1e1b17532e9074b04e0f0c
Instruction Fuzzy Hash: E8B092312543091BEB509BB67848B66738C8780619F4820A2B90CC5A10E656E4E02150

Uniqueness

Uniqueness Score: -1.00%

Function 04EE0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.343665199.0000000004EE0000.00000040.00000001.sdmp, Offset: 04EE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913177386bfc7da520571977f515b1bc9ac0e7454a1f23b0a6086dac9a3723e8
Instruction ID: 6f7135ae2f6a3fafd9d2976e3a19a850f3d901a8798ba0972d75510b15e4d4e4
Opcode Fuzzy Hash: 913177386bfc7da520571977f515b1bc9ac0e7454a1f23b0a6086dac9a3723e8
Instruction Fuzzy Hash: 1BC02B7018A325CFC20417723C05579731957C0304700DC33940210530A9B27491A821

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6528 Parent PID: 6268 dhcpmon.exeCOMMON

Executed Functions

Function 02C83850, Relevance: .8, Instructions: 759COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf7c5874df1b10ef461fcc6cc9b7459d1d6b5fc3faf99145cf8ff68345defd0
Instruction ID: 4eb5c532e6054efe2b6c5114d6c9923f91c2164172d6d57d740958dfefa02130
Opcode Fuzzy Hash: dcf7c5874df1b10ef461fcc6cc9b7459d1d6b5fc3faf99145cf8ff68345defd0
Instruction Fuzzy Hash: 9E520571A04285CFCB15DF69C8849AEBBB2FF85708B19C5EAD8059F212D731ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02C823A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46165b4ed63a2f3c4064d6b4448148edb6ba0734fa5a08606bab8dec3d7c56f6
Instruction ID: 9ea971634046ac7e21fedfea3fa3e3df0dd07e0a372589a49161a8b6758faea3
Opcode Fuzzy Hash: 46165b4ed63a2f3c4064d6b4448148edb6ba0734fa5a08606bab8dec3d7c56f6
Instruction Fuzzy Hash: EE12BF30A00295CFD724EF2AC9886ADB7F2FF84318F54C12AD816DB251DB749D86DB52

Uniqueness

Uniqueness Score: -1.00%

Function 02C82FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2db263dca489951ee2558ee20866785aa3662e3cbcb3653744d133d8cb57b8
Instruction ID: b57b0cd157d0b98cd07ac0f500c9f237873d665066506d144bba8d20df46a524
Opcode Fuzzy Hash: 9b2db263dca489951ee2558ee20866785aa3662e3cbcb3653744d133d8cb57b8
Instruction Fuzzy Hash: E3819B31F001559BD704EB69D894AAEB7E3AFC8714B2AC0B9E415EB366DF349D018B90

Uniqueness

Uniqueness Score: -1.00%

Function 02C809A5, Relevance: 5.2, Strings: 4, Instructions: 175COMMON

Download Yara Rule

Strings

X1q, xrefs: 02C80AA2
X1q, xrefs: 02C80A50
X1q, xrefs: 02C80A98
X1q, xrefs: 02C80A5A

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: X1q$X1q$X1q$X1q
API String ID: 0-1201878573
Opcode ID: a117cf1c3aa4e1b53aaeaeb8284ad9fe44a18075d5b9ab75bf6da4ce985fbbb7
Instruction ID: 0ae5bf6ccda9fb3b92b3b50cdb6071dd903c2ac15a13023535810f33ece1905f
Opcode Fuzzy Hash: a117cf1c3aa4e1b53aaeaeb8284ad9fe44a18075d5b9ab75bf6da4ce985fbbb7
Instruction Fuzzy Hash: CE51B531B00215DFCB14ABA5D854ABEB7F2FF84308F21C569E506DB260EB34AD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02C80688, Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

Yyq^, xrefs: 02C80702, 02C80707
Zyq^, xrefs: 02C806A1, 02C806A6

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: Zyq^$Yyq^
API String ID: 0-1334131137
Opcode ID: 10732a16071a960044b13ca1bc7d6ae003a49cc91c5dfb5d76ae10cc68274d62
Instruction ID: 87b9fa2610335d61d373b7890c92c1ba3ad2bbf5ae505e95414f543bfe2374ca
Opcode Fuzzy Hash: 10732a16071a960044b13ca1bc7d6ae003a49cc91c5dfb5d76ae10cc68274d62
Instruction Fuzzy Hash: D94189306283498BD7057B36EC1DA6D3B66BF81706B15857AF402CB2B1DF344C4AAF92

Uniqueness

Uniqueness Score: -1.00%

Function 02C812A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$gq, xrefs: 02C81349

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 9636d0fa454c269944a798744ce3e3268c80e586ad019f12866404a11c622b98
Instruction ID: 458af552e199db3ebf7ed13a9b214649f138f1ff88cf7092c7b2ee74873d53e4
Opcode Fuzzy Hash: 9636d0fa454c269944a798744ce3e3268c80e586ad019f12866404a11c622b98
Instruction Fuzzy Hash: 61221534A00616CFCB24DF25C584A6AB7F2FF88304F14C5A9D85A9B715DB39AD8ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 02E900F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 02E9019D

Memory Dump Source

Source File: 00000013.00000002.346599659.0000000002E90000.00000040.00000001.sdmp, Offset: 02E90000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: ef5b09b9de36ad0fe5286b6bdfc4955fa1a2d541e35965201e95cda727e34d63
Instruction ID: b806b621fa176350f096e19a373dadeaad124b2777cc3d296f946f5547be7147
Opcode Fuzzy Hash: ef5b09b9de36ad0fe5286b6bdfc4955fa1a2d541e35965201e95cda727e34d63
Instruction Fuzzy Hash: 903191715097806FE722CB25DD85B56FFE8EF06214F08849BE984CB292D375A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 02E9012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 02E9019D

Memory Dump Source

Source File: 00000013.00000002.346599659.0000000002E90000.00000040.00000001.sdmp, Offset: 02E90000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: c2b48882fb4ce33163b9bcdecbc412a488318f3ee559c2f37977872f7958768d
Instruction ID: 2545598c657b78cb8f78aaef9e16a66a10fcdc9d3414bdb95ecfbc4699c83d27
Opcode Fuzzy Hash: c2b48882fb4ce33163b9bcdecbc412a488318f3ee559c2f37977872f7958768d
Instruction Fuzzy Hash: 6521BE71500240AFEB21DF2ADD85B6AFBE8EF04324F04C46AED488B242D371E504CA75

Uniqueness

Uniqueness Score: -1.00%

Function 02C820D0, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

r*+, xrefs: 02C8230F

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: b844ef0c08c0c7d9154d443ce79dc4cec08c845bd8ca853b75b728b165b82624
Instruction ID: b14dbab5de3a0a982264f69d52c5bed25dfa0d0b531b984b2c0d2ccb8acf3ff2
Opcode Fuzzy Hash: b844ef0c08c0c7d9154d443ce79dc4cec08c845bd8ca853b75b728b165b82624
Instruction Fuzzy Hash: B7716034A08289DFCB44EBA5C9996BEBBB1FF85314F20C06AC9069B251D7349E45CB53

Uniqueness

Uniqueness Score: -1.00%

Function 02C802E8, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

`5q, xrefs: 02C803A5

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: `5q
API String ID: 0-3867205651
Opcode ID: d530ffb7c4236f9be0e025090e5202ec306a76cd16effc650633db697b785ff4
Instruction ID: 7d55f767b2e0ab87da79fd7e4375908e33e6b9fbbcdd8e793b2633dcd43e0aa5
Opcode Fuzzy Hash: d530ffb7c4236f9be0e025090e5202ec306a76cd16effc650633db697b785ff4
Instruction Fuzzy Hash: C3519034A052058FDB09EF69C5A07AD7BF2FF89314F148069D54AAB362DB35AC09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02C82D58, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

, xrefs: 02C82E76

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 69afa0fd8ee70916c2370dd885fd3c73e8cd783d89496680f3c56a9239957780
Instruction ID: 5703b3b6d130f799b2a241f2f72ada3314de12a601091d66857cdfd8e3fee26e
Opcode Fuzzy Hash: 69afa0fd8ee70916c2370dd885fd3c73e8cd783d89496680f3c56a9239957780
Instruction Fuzzy Hash: 4141C872E042C59BCB10EF69C8885AEBB72EBC121AB15C47BC816DB605D335D942C757

Uniqueness

Uniqueness Score: -1.00%

Function 02C80BC0, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

hXMr, xrefs: 02C80C78

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: hXMr
API String ID: 0-1185242784
Opcode ID: a6a279ecd37d766108f797cc424ddef4b7ef873a470e15d142d8133bfbfac6ab
Instruction ID: 69cba05db698e18ad5d9b09a371517d1f5ff7adfee574cd583a04f03b3e50187
Opcode Fuzzy Hash: a6a279ecd37d766108f797cc424ddef4b7ef873a470e15d142d8133bfbfac6ab
Instruction Fuzzy Hash: A8412931B045088FC7159F69C4146AE77E6AFC5314F15C06AE906EF361CEB59D0EC792

Uniqueness

Uniqueness Score: -1.00%

Function 02C81458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$gq, xrefs: 02C814C7

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 0e996081c58e24982c0a6fc9ad4bacdab2a6e0a9d05b1950e9acc13aa9e7aff6
Instruction ID: 4a12bad23070aef2198903d6c1fd5daf4c7074fb4e45fa6eaa4e86464e32f085
Opcode Fuzzy Hash: 0e996081c58e24982c0a6fc9ad4bacdab2a6e0a9d05b1950e9acc13aa9e7aff6
Instruction Fuzzy Hash: 64510434A00259CFDB14DF65C898B9CBBF2BF49304F1480A9D40AAB361CB799E89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C81290, Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

$gq, xrefs: 02C81349

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 4b915b9fda176cfd5e0efe2a5dff32dd3d05f745ae4c247e2f0d0187e3eeaaff
Instruction ID: 49d7bcaf216f374b04575a585ed9b3a675f8d45ba1f0003570dd62c86dbffaec
Opcode Fuzzy Hash: 4b915b9fda176cfd5e0efe2a5dff32dd3d05f745ae4c247e2f0d0187e3eeaaff
Instruction Fuzzy Hash: B0410574A04219DFCB50EF66D884BADBBF1BB49344F0480A9D40EAB351DB749D86CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02C805B9, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

8$q, xrefs: 02C805D6

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: 8$q
API String ID: 0-2903697390
Opcode ID: 657a7917f5d683c43f3e3200539e15c1b2d71305399083b1f5a51c059e20fd4b
Instruction ID: 14b29375b44892837f4b8ea40974850a6b9c7789fa034602b753c71975e05c6b
Opcode Fuzzy Hash: 657a7917f5d683c43f3e3200539e15c1b2d71305399083b1f5a51c059e20fd4b
Instruction Fuzzy Hash: E90126303052610FC716333E64111BE379B9FC6651F1840AEF002DB3A6CD696C4793E6

Uniqueness

Uniqueness Score: -1.00%

Function 02C805C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8$q, xrefs: 02C805D6

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: 8$q
API String ID: 0-2903697390
Opcode ID: 509c966fd46703f3d71277364bc2216c6da9231256acc1c36e1176ad4d4c090b
Instruction ID: ee9e1f8ae808472595f64acc92dce04463928e3eb45feacd0812dd4d4e4dfbb2
Opcode Fuzzy Hash: 509c966fd46703f3d71277364bc2216c6da9231256acc1c36e1176ad4d4c090b
Instruction Fuzzy Hash: 87F0B4713000240BCA09337E65125BF228F9BC5A52F54403EF106D73A9DD79AC4753EA

Uniqueness

Uniqueness Score: -1.00%

Function 02C82BF8, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 482655ca4b4c9bf28a46b737a14cf5be2d719199968c8e8a9e586bc17afd79d0
Instruction ID: e2f67102846c70af10c66f78b855d574c5cd86a1b308125f356a6137e428ab3c
Opcode Fuzzy Hash: 482655ca4b4c9bf28a46b737a14cf5be2d719199968c8e8a9e586bc17afd79d0
Instruction Fuzzy Hash: 0B41E13010D7D58FD31667399C9C978BFB0AF42208B19C1ABDA96CB1A2C7618C06C793

Uniqueness

Uniqueness Score: -1.00%

Function 02C80170, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba53763b7a486ec460ded40d72602cc961d0400f022dc40d8d99fbd5402d384
Instruction ID: c374135f82a070dd419a69644b30d5cf1b09bd858ac6f1941d9ccb66017409f6
Opcode Fuzzy Hash: cba53763b7a486ec460ded40d72602cc961d0400f022dc40d8d99fbd5402d384
Instruction Fuzzy Hash: D931D2747063459FEB129B78D840B263BB9FF86748F1440AEE441CF392EA75AC05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02C802DB, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94369b5295b2c4e3e97e5b2a5ac9bc4bf11fa988b86b16c585800d896598b0d7
Instruction ID: 35f73838b3f63c703ff7cbc6a625e64ede55ceff15362af869a7c13808e6954b
Opcode Fuzzy Hash: 94369b5295b2c4e3e97e5b2a5ac9bc4bf11fa988b86b16c585800d896598b0d7
Instruction Fuzzy Hash: A1418E34B05205CFDB19DF68C1A4BAE7BB2FF89314F148069D506AB3A1DB31AD48CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02C80006, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84217c99d1e1d33920fcfb4bf07a59a417c6b61f001589bcd83ed00beb7473bd
Instruction ID: 6c6ac88642b95c9ce1574e070e9b10e3a544cc5e37c31ef11c602daa656468d7
Opcode Fuzzy Hash: 84217c99d1e1d33920fcfb4bf07a59a417c6b61f001589bcd83ed00beb7473bd
Instruction Fuzzy Hash: CF313A7050D3C59FDB47AB7499650583FB1AE42304B4584ABD0C1CB2A7EB789C4ADB53

Uniqueness

Uniqueness Score: -1.00%

Function 02C821E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5dad2c3215fda5d01e0c290f75272ddf34ec72bad8048c42270f0022e0559c
Instruction ID: f4532f93e832a03b1cb9aba0167d3109f7376dedf0a59393cd5374bcf66cd479
Opcode Fuzzy Hash: bc5dad2c3215fda5d01e0c290f75272ddf34ec72bad8048c42270f0022e0559c
Instruction Fuzzy Hash: D7314A70D08249DFCB84EBA9C5496BDBBF1FB45328F1080AAD842A72A1D7359E45CB53

Uniqueness

Uniqueness Score: -1.00%

Function 02C825DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaeb40980e9543df367f24a438e71be803121abb12aaac9a2f8c31a21bcd1746
Instruction ID: c18c103b43bbde768dee708c958aa7a92747e3c255731f3fdb0b9b6c23b5062b
Opcode Fuzzy Hash: aaeb40980e9543df367f24a438e71be803121abb12aaac9a2f8c31a21bcd1746
Instruction Fuzzy Hash: 76319070A00289CFDB61DF66C94875ABBF2FF85318F10C12AC405AB261DB789989DF52

Uniqueness

Uniqueness Score: -1.00%

Function 02C821F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eb729b4a4db2d1543219eee2ec5338b62563af77a06f24c4a0fcae7671bb650
Instruction ID: 035c16aa61708263d9368c7cd42624dc3be80cbb94311c8736d823b09d6af34e
Opcode Fuzzy Hash: 5eb729b4a4db2d1543219eee2ec5338b62563af77a06f24c4a0fcae7671bb650
Instruction Fuzzy Hash: 0E211B30D08249DFCB44EFA6C5496BEBBF1FB45328F10806AD802A72A1DB359E45DB53

Uniqueness

Uniqueness Score: -1.00%

Function 02C84190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7419b6768b5ba2078d54ff92c28f4784fb976e4e767927031a44e61d2fcdaac2
Instruction ID: 2fe0b16d660fb4aa1add2969de504817dcea03952bd853091b6159a5ab306cc1
Opcode Fuzzy Hash: 7419b6768b5ba2078d54ff92c28f4784fb976e4e767927031a44e61d2fcdaac2
Instruction Fuzzy Hash: 60113332A0421A8BCB2CFBB2D8455BF7AABAF85344B50813AD407A3241DE759800C7A3

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0844, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346545505.0000000002CD0000.00000040.00000040.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d90a86ae744c094ff99a09d821bfd49cdea7a7e5d0d8618f292663163565a6
Instruction ID: 3169c66dc82677b4531a26c17a48a2bea9c058b10d63d5452f9feaa29ec7a114
Opcode Fuzzy Hash: 77d90a86ae744c094ff99a09d821bfd49cdea7a7e5d0d8618f292663163565a6
Instruction Fuzzy Hash: 31218E351097C49FD3038B28C850B55BFB1EF87714F1986DED9888B6A3C33A991ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 02CD087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346545505.0000000002CD0000.00000040.00000040.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5151e3c7b114c509a20eba2ceca75739e572ba29527c33ef03c34032710929
Instruction ID: 9a0400b1082566ed3ff2dc20c6ab4a2bb59a26698ca0cbb7ce90f796829026ee
Opcode Fuzzy Hash: 8e5151e3c7b114c509a20eba2ceca75739e572ba29527c33ef03c34032710929
Instruction Fuzzy Hash: 9111D634644284DFD315CB58D944B26BBD5EF88718F28C9ACEA494B743C77BD813CA91

Uniqueness

Uniqueness Score: -1.00%

Function 02C811DF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8902dcf0cc686744347e5a206053da3707a3b7301b871f245fb3a61621cc152
Instruction ID: 58174722bd38e921ceb8c88b8a227b0b92fb8fc72be3e0c08c8fe9607ec6ef34
Opcode Fuzzy Hash: c8902dcf0cc686744347e5a206053da3707a3b7301b871f245fb3a61621cc152
Instruction Fuzzy Hash: 541152303092809FC746A73AD5189697FF5AF8760571D81EBD04ACB273CAA54C4ECB52

Uniqueness

Uniqueness Score: -1.00%

Function 02C8238F, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a945cf3ebe1862ce99828c6ab8d341aa444f3915b9945563c97cfef71cff4f
Instruction ID: c8cd067029aa5b510b25576d7a44c45388e0011e921a49649a56343595cfcdc7
Opcode Fuzzy Hash: a5a945cf3ebe1862ce99828c6ab8d341aa444f3915b9945563c97cfef71cff4f
Instruction Fuzzy Hash: 1B11C1348092D9DFC725AF76C5586ADBFB1EB85308F1080AEC946A7341DB710946CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02CD05CF, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346545505.0000000002CD0000.00000040.00000040.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fff0531b34dcdf5723d166f180d83545a6811dce81d8331f019d0b62c32e41
Instruction ID: 118fe326b56fa29e7a681f28c517ba36a15edca4970105cde253110447235147
Opcode Fuzzy Hash: 53fff0531b34dcdf5723d166f180d83545a6811dce81d8331f019d0b62c32e41
Instruction Fuzzy Hash: BA01D6725097806FD7128B169C45862FFA8EB86620749C59FEC498B653C129A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 02C81218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369448b28924546958faa343507a2aff7eb218752b7db3aa9e3f0ba5a3a22518
Instruction ID: bfa63ad4b3772e276e92460115122a28762283577e1a648c83e991ae514aad5e
Opcode Fuzzy Hash: 369448b28924546958faa343507a2aff7eb218752b7db3aa9e3f0ba5a3a22518
Instruction Fuzzy Hash: 7D013630314050CBC648E72ED15896977E6FFC5714B1880AAE50ACB775CFB59C4ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 02C84180, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3bef7b06ce8fbebaa654dc63ff14f75416454defb235011ddfbc60c6792d2c
Instruction ID: 57d29a834c16ecbbfce764d59986c8dba2f1581aed5c9a6991b296c19cb1db31
Opcode Fuzzy Hash: ec3bef7b06ce8fbebaa654dc63ff14f75416454defb235011ddfbc60c6792d2c
Instruction Fuzzy Hash: 4BF0273560E3C95ECB26B3726C484BFBF789D8319830081FFD487C2052E5754009C721

Uniqueness

Uniqueness Score: -1.00%

Function 02C80908, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3165e1923c60f691028474d340d3f70a30fe042db2722487f9e1bc09186425e
Instruction ID: fde60363bebb9d73f7636c59c17af5511063f3b9d021fbd1acf741959bee2f94
Opcode Fuzzy Hash: b3165e1923c60f691028474d340d3f70a30fe042db2722487f9e1bc09186425e
Instruction Fuzzy Hash: C1F02E309193548FD750ABF6895596F7FF49F56344F0585ABC80397260C6781C09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02C80918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5808138c6d9862806d1a03d28cb43a675c4675d7cb936582165d18a4ddc046a2
Instruction ID: 81b64e436273bc60782b612f5a48e9311073d8602955199c2ede5579a1482f98
Opcode Fuzzy Hash: 5808138c6d9862806d1a03d28cb43a675c4675d7cb936582165d18a4ddc046a2
Instruction Fuzzy Hash: 8FE05532E252189ADB107AF799050AFB7A89780258F008527C907A3200DA744809C2D2

Uniqueness

Uniqueness Score: -1.00%

Function 02CD0938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346545505.0000000002CD0000.00000040.00000040.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction ID: f6e153ff0bcf754741e6c1f11b628abc0f2b1ab2b10559f6e6210a2dec26f845
Opcode Fuzzy Hash: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction Fuzzy Hash: B7F03135144644DFC316CF04D940B16FBA2FB89718F24C6ADE9490B752C337D913DA81

Uniqueness

Uniqueness Score: -1.00%

Function 02CD05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346545505.0000000002CD0000.00000040.00000040.sdmp, Offset: 02CD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb00d59c210fe3a6c780ca08cad3a0d66f78068837b6b7ed1d2a30ef36490473
Instruction ID: 7f5a514e1fab31424fd6a77c9705962c59b4e49d298d719b8e8f3fb18154ac03
Opcode Fuzzy Hash: eb00d59c210fe3a6c780ca08cad3a0d66f78068837b6b7ed1d2a30ef36490473
Instruction Fuzzy Hash: 5EE092B66406004BD650CF0AED41862FBD8EB88631718C07FDC0D8B700D575B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C802A0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9afbf67893a51ba8190d553c7cad0f9ad35a560ba4ccc70c1a2e360636f1f38
Instruction ID: ac743966f447022d0dc74a716cc8ebe6b0f7910ffc00c0446067bd2871296812
Opcode Fuzzy Hash: c9afbf67893a51ba8190d553c7cad0f9ad35a560ba4ccc70c1a2e360636f1f38
Instruction Fuzzy Hash: 16E0EC3410E7C48FC353973595564557FF0AE47604315888FD0D6CB5A7C660AC0DC712

Uniqueness

Uniqueness Score: -1.00%

Function 02C8064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4071eee0022bd63009f102c7ccfbd6cb2857bcd27bff66cfe5bd96bdbd25a3
Instruction ID: d3e57043f5f4d1ac34a162f95b12643075272bb721c86a181577c2cb3f404071
Opcode Fuzzy Hash: 7d4071eee0022bd63009f102c7ccfbd6cb2857bcd27bff66cfe5bd96bdbd25a3
Instruction Fuzzy Hash: DBD0A7B288E390CFC7415B711C174E47F60DFA3215F14C5BBD84186822D1762A8BDF92

Uniqueness

Uniqueness Score: -1.00%

Function 02C82D20, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf10ea05969e4afa9a1789c614d6621dfb00894caacdaf3a0ba66d136ff15f3
Instruction ID: 3609f2f6103192a0545c7fc6f3ef8d3af0c39b041c9526787d2abcb6cd2f1d85
Opcode Fuzzy Hash: bdf10ea05969e4afa9a1789c614d6621dfb00894caacdaf3a0ba66d136ff15f3
Instruction Fuzzy Hash: 6BE0173404E3C4AEC363277A582AB653F309B1B219F1886EBD48ACE0A3E042110AC753

Uniqueness

Uniqueness Score: -1.00%

Function 02C80180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc6c68255417fbeba00e5b549e1e87fcffcca317b9a77721dbed26c4046b56e
Instruction ID: ea6a4578f5f4338b503720d61c115840c33a7ffb72e8857bad3077f8c8303db4
Opcode Fuzzy Hash: 8bc6c68255417fbeba00e5b549e1e87fcffcca317b9a77721dbed26c4046b56e
Instruction Fuzzy Hash: 2BD01230200308CFCB092B71E41941C3379AB44205300087DD806C7760DF36EC81DA40

Uniqueness

Uniqueness Score: -1.00%

Function 02C80660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282ce535592accb59bf198f53b3d5a31bacfdad894249ad4778ad5b0512449e1
Instruction ID: 7b539699d0652712032e9c143edb93d131294e4ddaf5529f4ea18f04c2efff7f
Opcode Fuzzy Hash: 282ce535592accb59bf198f53b3d5a31bacfdad894249ad4778ad5b0512449e1
Instruction Fuzzy Hash: 67C09B7108D368CFC25477725D0543973195BD1319F50C436DD1104135897278D5D955

Uniqueness

Uniqueness Score: -1.00%

Function 02C82EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.346475277.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a28f9bc7dec931d513ae292931e5730da9b31d61f7365f4e87303c3fd4c657
Instruction ID: ec5c8cddf2b834d3401509a130b665e38f73c446ea66b50453b7a77d3150ede4
Opcode Fuzzy Hash: 24a28f9bc7dec931d513ae292931e5730da9b31d61f7365f4e87303c3fd4c657
Instruction Fuzzy Hash: E6B0123120828D0B274067BA2C0CB12338C568040B34000669C0CC0000F640D0D03145

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 6520 Parent PID: 3352 dhcpmon.exeCOMMON

Executed Functions

Function 04BC0AB0, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3617e944688b9a17b330cd1622d6704c227d3999de45d0f9ca5ff48cd6290b5
Instruction ID: 81841d1646592e0067df3247bbcd251d7c5558b5b3a0fdedd2c757222f6d1890
Opcode Fuzzy Hash: f3617e944688b9a17b330cd1622d6704c227d3999de45d0f9ca5ff48cd6290b5
Instruction Fuzzy Hash: 5CA155B1E09209DFCB04DFE9D894A9EFBF1FF88304F14846AD405AB211E7389A068F51

Uniqueness

Uniqueness Score: -1.00%

Function 04BC0B48, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cc1be8678670cb5e658a1bf1ea86915d564bfc6f8456621c52ab4f34b00348
Instruction ID: 0b9c80b17bb4966735a67122a014b17694a04b39bd0dd007bf087d37c52580a1
Opcode Fuzzy Hash: 59cc1be8678670cb5e658a1bf1ea86915d564bfc6f8456621c52ab4f34b00348
Instruction Fuzzy Hash: 1C81E070E05209DFCB04DFE5C994AAEBBB2BF88304F10856AD406BB254DB38AA01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9840, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a803a5edcb40601e8d287fa4c2fd2c7f5effee23945e6b6a8175c445d56d91
Instruction ID: 649428594bb53ed04f1155274b01570b7b83778d539bc83dfffcae5e43048bb4
Opcode Fuzzy Hash: 07a803a5edcb40601e8d287fa4c2fd2c7f5effee23945e6b6a8175c445d56d91
Instruction Fuzzy Hash: A671F2B0E05208CFEB04DFA9C584AAEFBF1FF48304F24859AE409B7215D774AA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8490, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dde2c62d12d8f8b659621a9490c32e1d23569faaa57823ce34a2978981cadc
Instruction ID: d365a9f8faf0351a870d494792232bdde8e0e6fbce901b427aaef493a04169c0
Opcode Fuzzy Hash: 61dde2c62d12d8f8b659621a9490c32e1d23569faaa57823ce34a2978981cadc
Instruction Fuzzy Hash: B4514AB4E05209DFCB04DFA9D5846AEBBF1FB89301F1084AED406A7254E7346A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04BC12AA, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48705b15ce3a7a87e92cba6f6850b354f27ef4a1845805f515535e518cf5eb06
Instruction ID: 28007c47f350826b19611a4b0c452ed8dd7908c78847018b59cb6547cb3d946a
Opcode Fuzzy Hash: 48705b15ce3a7a87e92cba6f6850b354f27ef4a1845805f515535e518cf5eb06
Instruction Fuzzy Hash: 1A5125B1D05209DFCB08CFA9C5846AEFBF2EF89304F14906AD455BB251D738AA41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05882568, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d08ed05b8f16943b8e6d38d8fae43be9d0bfe3de99cc5f871ba692d16289e0
Instruction ID: 3aa7ca119bea6b469cbba422d5a85b012a7e0171c95bb86b30f3a2399e9f230a
Opcode Fuzzy Hash: d2d08ed05b8f16943b8e6d38d8fae43be9d0bfe3de99cc5f871ba692d16289e0
Instruction Fuzzy Hash: 1D419279904268CFDB64DF64C884BECBBB2BB49304F5080EAD80AA7291DB755E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04BC1C10, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e65830cc7ba5304911202556fc854fc3ca5bfc8fd5a8835433b0aee285aa373
Instruction ID: ef8d105136652d7a1860620313065d584960a1004d87a0d70b5f6ae0918b2d00
Opcode Fuzzy Hash: 5e65830cc7ba5304911202556fc854fc3ca5bfc8fd5a8835433b0aee285aa373
Instruction Fuzzy Hash: ED21FBB1E016188BEB18CFAAD8547DEFBB2BFC8304F14C07AD509AA254DB751A46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05881BB2, Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

(, xrefs: 05882276
), xrefs: 05882282

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 25b3d355a4fb71b23e348dc2cd01056f56899562240718540ad207398ecbd34a
Instruction ID: d495489eb3ab9fbea43b8ba86723342da5ac1f1a5b82d9a4e8a6f6b80f1b0a62
Opcode Fuzzy Hash: 25b3d355a4fb71b23e348dc2cd01056f56899562240718540ad207398ecbd34a
Instruction Fuzzy Hash: 2051A074904228CFDB64EF69C884BECBBB2BB49304F5481EA940AB7291DB755EC1CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05881E4F, Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

(, xrefs: 05882276
), xrefs: 05882282

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 6a86086f07e8b6147b9898b14357c938b15de0df267c37118098a26162f98fd0
Instruction ID: 0f060dbef6b4d67de161c05956a029742fde7975557e32e45a60768cea810119
Opcode Fuzzy Hash: 6a86086f07e8b6147b9898b14357c938b15de0df267c37118098a26162f98fd0
Instruction Fuzzy Hash: C241A0749052288FDB64DF68C884BECBBB2FB49304F5481EAD80AA7291DB755EC5CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0588224F, Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

(, xrefs: 05882276
), xrefs: 05882282

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: ($)
API String ID: 0-2051389312
Opcode ID: 33260beb232e963625320c855a82757215dcdcd355c61ebb1255689263276bcc
Instruction ID: ddf03d2be24e85d5873107710d8bc53aa6a16ea154b464a049a31970d92e1759
Opcode Fuzzy Hash: 33260beb232e963625320c855a82757215dcdcd355c61ebb1255689263276bcc
Instruction Fuzzy Hash: 3431A0789042688FCB64DF68C995BECBBB2BB45304F5481EAD40ABB291DB755E81CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00ACAC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00ACACD1

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 7926cfe906be16255cdf49bd4c6f7e83c21c6c67aaeea817663a69ce62c56279
Instruction ID: dcc374b88f9554ae07b0868c4f188bcff02ab74118b94a86d8987a33f0a04f91
Opcode Fuzzy Hash: 7926cfe906be16255cdf49bd4c6f7e83c21c6c67aaeea817663a69ce62c56279
Instruction Fuzzy Hash: 3631D4725043846FE7228F25CD45FA7BFACEF06310F0885AAED819B152D265A909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00ACAD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,E5E19A37,00000000,00000000,00000000,00000000), ref: 00ACADD4

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 67db1597a790926f3609fb31e6e5262a9c2b2e0a4a65621b14b90c7c1a5eedfd
Instruction ID: c5f5c99e92ce2fd9b755064330b1ce4220546dfcf81dcc588b504057849432cb
Opcode Fuzzy Hash: 67db1597a790926f3609fb31e6e5262a9c2b2e0a4a65621b14b90c7c1a5eedfd
Instruction Fuzzy Hash: F631B3715083845FE722CB25CC85FA2BFB8EF06310F09849AE985DB153D264E948CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA2AC, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00ACA346

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: eeeee800332c3ae2bdd812e1fbf1922bb1908ce8cfedfeb3445be48c91213372
Instruction ID: 9b35935f782909b719176b802b48fcbad62a24df69198b587b575c90a58e828e
Opcode Fuzzy Hash: eeeee800332c3ae2bdd812e1fbf1922bb1908ce8cfedfeb3445be48c91213372
Instruction Fuzzy Hash: 9321B57540D3C06FD3138B259C51B62BFB8EF47614F0A80DBE884CB5A3D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00ACAC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 00ACACD1

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4c1e1a9cd757a8ab615d77b07f2bdb3a7f0c8e7f01aae7e654c92ac1c8507efa
Instruction ID: f1102fd83df95bd3ea812dcc9cfb634a3b44c66cc92fab8491761e4c9590596c
Opcode Fuzzy Hash: 4c1e1a9cd757a8ab615d77b07f2bdb3a7f0c8e7f01aae7e654c92ac1c8507efa
Instruction Fuzzy Hash: 3E21F372500208AFE722DF59DD85F7BFBECEF18310F14855AED859B241D625E9088BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00ACAD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,E5E19A37,00000000,00000000,00000000,00000000), ref: 00ACADD4

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 914a73695fce8a6dd82906cd09580286c145748ff2859f7eee68192176e99550
Instruction ID: 8c9543dfa83ee343559a2cace548d605521a2e71e95a359f5ac7aff9b72ed920
Opcode Fuzzy Hash: 914a73695fce8a6dd82906cd09580286c145748ff2859f7eee68192176e99550
Instruction Fuzzy Hash: A821A171600208AFE722CF25DD84FB6BBECEF14711F14845AED469B651D760E808CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00ACB4A9

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 6f894439f9a6b6c35e1049ecd4daafeaa2a5e1e596132637b563b92d64591dc4
Instruction ID: c31344ccaf4bce5be5d7238f084adf5dcbe742033c47b7e808ae6cd53b53b1e2
Opcode Fuzzy Hash: 6f894439f9a6b6c35e1049ecd4daafeaa2a5e1e596132637b563b92d64591dc4
Instruction Fuzzy Hash: C3218EB55093805FD7228F25DD45B62BFE8EF16714F09808EED84CB293D365A908CB72

Uniqueness

Uniqueness Score: -1.00%

Function 055B0199, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 055B020D

Memory Dump Source

Source File: 00000014.00000002.339357713.00000000055B0000.00000040.00000001.sdmp, Offset: 055B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: db9272255c1d53021cf1569dfed1c1048f7f57a1b34b01f53d257f454d2fe675
Instruction ID: 46b0cc35a21c8f7e9a5347a250997e59c063e6634cc3e5e88f05c59af79ba1ca
Opcode Fuzzy Hash: db9272255c1d53021cf1569dfed1c1048f7f57a1b34b01f53d257f454d2fe675
Instruction Fuzzy Hash: 60214A714093C09FDB238F25DC44AA2FFB4EF17220F0985DAE9C48B163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ACA666

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5bce099ed6652e04250d2da88c054044174db4d23ab08ea1ab7a1b707da24476
Instruction ID: 3c2a07b374d111140936f7746b12fbf4341b105ae230fde57af3b0706b77557e
Opcode Fuzzy Hash: 5bce099ed6652e04250d2da88c054044174db4d23ab08ea1ab7a1b707da24476
Instruction Fuzzy Hash: B011A271409380AFDB228F50DC44B62FFB4EF5A320F08849EED858B162D235A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 055B052B, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 055B0595

Memory Dump Source

Source File: 00000014.00000002.339357713.00000000055B0000.00000040.00000001.sdmp, Offset: 055B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 94d493f0d25cc1c1de30ac424b478d1cb5e7bb8e0e890d28e8ab09c0762ecd6e
Instruction ID: 321fee8b5d5abea9120d271dcce6b0da81936875f384addd8d5f59c09d645607
Opcode Fuzzy Hash: 94d493f0d25cc1c1de30ac424b478d1cb5e7bb8e0e890d28e8ab09c0762ecd6e
Instruction Fuzzy Hash: 55118E754093849FDB228F15DC45B62FFB4FF06224F08849EED858B5A3D265A518CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00ACAAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00ACAB46

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 2495f6a1d969070a3bcba6dc92e011fb9cb580cce51265a037144500a94d7d01
Instruction ID: cf05d4d704076c829963e704b394526fe78372b0f46937541a859db80efbc611
Opcode Fuzzy Hash: 2495f6a1d969070a3bcba6dc92e011fb9cb580cce51265a037144500a94d7d01
Instruction Fuzzy Hash: 46117C354097849FD722CF15DC85B52FFB4EF16320F09849AED898B262D275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA42A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00ACA480

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 51dc8b7bf6361a9161aa44e588657c6db7843f71aa53760816f7a85f48178db0
Instruction ID: c40f5ae2c4ef6b7c8dc1e01c608a37be8fc96e8213a1ee6b33abbc80fe5b617b
Opcode Fuzzy Hash: 51dc8b7bf6361a9161aa44e588657c6db7843f71aa53760816f7a85f48178db0
Instruction Fuzzy Hash: D9118E754093C49FD7128B15DC88B62FFA4EF56320F0980DEDD858B263D279A848CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ACB45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 00ACB4A9

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 7e4c539242a22a9d21b3450dc1542a8946382e53b4f2100a487d7df28904f081
Instruction ID: 0024c239142e2730fc3fad3a530656316e90102f9c55e6543e66a086c7d70d6d
Opcode Fuzzy Hash: 7e4c539242a22a9d21b3450dc1542a8946382e53b4f2100a487d7df28904f081
Instruction Fuzzy Hash: AF0180755042408FDB20CF19DA86B22FBE8EF14721F18849DDD498B643D376E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00ACA666

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a5c88ff141db908a5054c4a245326af9bfdecd2dfdbb294394570161c5bf222a
Instruction ID: 70e29ac00226cf22b6826cf70e3ec1ab069d54d4323ba83727ba3a5199c81c32
Opcode Fuzzy Hash: a5c88ff141db908a5054c4a245326af9bfdecd2dfdbb294394570161c5bf222a
Instruction Fuzzy Hash: 780180318006449FDB22CF55D944B66FFE4EF58320F18C9AEDE894B612D375A418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 00ACA346

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 587d4813df830b705b1515802991753b23a2a09e1616b44f88ba3d084d915a22
Instruction ID: 86083d775cbd1f8a724a9435ce452e9778f0ee70be6e0a9d28e77224ddc0fb07
Opcode Fuzzy Hash: 587d4813df830b705b1515802991753b23a2a09e1616b44f88ba3d084d915a22
Instruction Fuzzy Hash: 9E01A275500200ABD250DF1ADC82B26FBE8FB88B20F14C15AED084B741E631F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 055B055A, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 055B0595

Memory Dump Source

Source File: 00000014.00000002.339357713.00000000055B0000.00000040.00000001.sdmp, Offset: 055B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 328c87982391fa367e214450feb2c9bd13747d60527f8e2bb569f35756e92293
Instruction ID: 5370d6efd63f4b55d26c0eca6da40abb727180440663838b7ef3af2c3a9a121e
Opcode Fuzzy Hash: 328c87982391fa367e214450feb2c9bd13747d60527f8e2bb569f35756e92293
Instruction Fuzzy Hash: 38019235500240CFDB21CF55D988B66FFA4FF08320F08849ADD454B6A2D271A518CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 055B01D2, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 055B020D

Memory Dump Source

Source File: 00000014.00000002.339357713.00000000055B0000.00000040.00000001.sdmp, Offset: 055B0000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 90d8df635457492824ea795d6207189c8c8d605685a0779e2a4ddc6654e9bf72
Instruction ID: 224a8f4ab329d4461f4a66927c54c67661023209c356c9c5ad2ab38ac9832fdd
Opcode Fuzzy Hash: 90d8df635457492824ea795d6207189c8c8d605685a0779e2a4ddc6654e9bf72
Instruction Fuzzy Hash: 3A018F35800240DFEB21CF45D988B66FFA0FF08320F08C49ADD894B662D2B5A41CCFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ACAB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 00ACAB46

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 687aba9c9ab0a43f1f071f541d0a2a7f1e9dfcfb4dae3856fa4a7e0673598d28
Instruction ID: 43b3dc2ad56d774755729c0044f0de17fface60f3b6887a122594d9e0763b751
Opcode Fuzzy Hash: 687aba9c9ab0a43f1f071f541d0a2a7f1e9dfcfb4dae3856fa4a7e0673598d28
Instruction Fuzzy Hash: 0E01AD354006448FDB21CF05D984B21FFA0EF14725F08C49ADD8A4B652C275AC08DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00ACA44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00ACA480

Memory Dump Source

Source File: 00000014.00000002.336846591.0000000000ACA000.00000040.00000001.sdmp, Offset: 00ACA000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 5c0a861f2ed393572e685813b53ab0b6c0275740c2d4720b1ce1bb961ef877df
Instruction ID: d07430fef59a82cffbb572f327c977be440e491e493eaaf4c4412ee691f5ab0d
Opcode Fuzzy Hash: 5c0a861f2ed393572e685813b53ab0b6c0275740c2d4720b1ce1bb961ef877df
Instruction Fuzzy Hash: 91F0A4358042488FD711CF05DA88B71FFA4EF14325F18C0AEDD894B216D2B5A848CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 05881906, Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

', xrefs: 058820E1

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 648b721aefeddff917c19235a52f5420e846ac877b3b3c376699a0907701e998
Instruction ID: f4785afa428f2f6b1db086674b2da5a1cadcc4f5067839ee5ba3c2e62520c6b6
Opcode Fuzzy Hash: 648b721aefeddff917c19235a52f5420e846ac877b3b3c376699a0907701e998
Instruction Fuzzy Hash: 1981A274904228CFDB64DF68C988BECBBB1BB09304F5081EA980AB7280DB755EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05881FA6, Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

#, xrefs: 058823E3

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: cef95f8544fba8c46c31faf5c1b2eaa964e901a37eb2a6718a5084ef037e4129
Instruction ID: f0725b7a922c43d75146098852a121eb9e65b9ac5afe52c831edaa7795466304
Opcode Fuzzy Hash: cef95f8544fba8c46c31faf5c1b2eaa964e901a37eb2a6718a5084ef037e4129
Instruction Fuzzy Hash: 3B61B174905228CFDB64EF69C884BECB7B2FB49304F1481EA940AA7290D7755EC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0588239D, Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

#, xrefs: 058823E3

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: b4fe26906bd86791fada38a7533912c5915d65820c8e9ab54a48eb1d11cf673c
Instruction ID: 1ca3d238cef900811299a659568988b4434bd562cc00ffafbeb45042441b1732
Opcode Fuzzy Hash: b4fe26906bd86791fada38a7533912c5915d65820c8e9ab54a48eb1d11cf673c
Instruction Fuzzy Hash: AE51B174900268CFDB64EF69C984BECBBB2BB49304F5481EA940AB7290DB755EC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0588219E, Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

&, xrefs: 05881AD3

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 4d4970d3b7d72f602bb5427bb019578de5958b55148bacffd3ec54f7d5b00748
Instruction ID: 3a949bc6f57e51a4b475de867899faa8490cb78a6c96ebe863862829f109b0df
Opcode Fuzzy Hash: 4d4970d3b7d72f602bb5427bb019578de5958b55148bacffd3ec54f7d5b00748
Instruction Fuzzy Hash: A151A275904228CFDB64DF64C984BECBBB2FB49304F1481EAD80AA7291DB759E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05881C4D, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

", xrefs: 05881C97

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 75c94a9f31ebb1c031d032a0773504f217f855ed1d3cd7d8e672bd969f691c9f
Instruction ID: ed984800d559840f5b22315441e930cd7d4ac95b67580a89e402209b45ca3b67
Opcode Fuzzy Hash: 75c94a9f31ebb1c031d032a0773504f217f855ed1d3cd7d8e672bd969f691c9f
Instruction Fuzzy Hash: 1E519274904268CFDB64DF68CC84BECBBB1BB49305F1481EA940ABB294D7755E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05881FC3, Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

(, xrefs: 05881FD1

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: c0e071bc9d0c2fbbdc7f8b9bcd1892368cc6ff005fa26c084d4684da168b2a26
Instruction ID: bfede5fc613f7e2ae353a2170a018e07008f53bdd17547567c24a1ed7e88d3ed
Opcode Fuzzy Hash: c0e071bc9d0c2fbbdc7f8b9bcd1892368cc6ff005fa26c084d4684da168b2a26
Instruction Fuzzy Hash: 3851A274904228CFDB64EF69C848BECB7B2FB49304F5481EA980AA7291D7755EC5CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05881A26, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

&, xrefs: 05881AD3

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 22f564eba69457636e63c1d6c44e7e959771baa8c692e8eec89931aba4b25f06
Instruction ID: 04c303a0178d2b885d2d463b086a1250c7ca32fcb4d740cc61d945d77a3f851b
Opcode Fuzzy Hash: 22f564eba69457636e63c1d6c44e7e959771baa8c692e8eec89931aba4b25f06
Instruction Fuzzy Hash: 5E519275904228DFDB64DF68C984BECBBB2FB49304F1481E9D80AA7291DB759E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05881AE2, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

+, xrefs: 05881D45

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 84784d16205ead69a283ca6b41f82efa8c42c5769cd48e42faa8e07e88358215
Instruction ID: edc3f022427a556da80fe257d3516978d8246eeb1545531adf029aa23ccb0cee
Opcode Fuzzy Hash: 84784d16205ead69a283ca6b41f82efa8c42c5769cd48e42faa8e07e88358215
Instruction Fuzzy Hash: 2E41C279904228CFDB64DF64C888BECBBB1FB45304F5485EA980AA7291DB759EC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05882311, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

!, xrefs: 0588238E

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 6586c1a920fe9eaa89084bbd1f80e98382d197a3a88c8f6b362baf0a20d122ec
Instruction ID: c4a149636e47ef80119742d3eacae16d29b2ae17f417e1baba7d8ba3876fb61d
Opcode Fuzzy Hash: 6586c1a920fe9eaa89084bbd1f80e98382d197a3a88c8f6b362baf0a20d122ec
Instruction Fuzzy Hash: 904190789042688FDB64DF68C894BECB7B2BB49304F5481EAD80AA7290DB755EC5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05881D54, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 05881D5A

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: bce34f9f69a50ab052a08d6010950e1030155b85f55a508797a0cee36969400b
Instruction ID: 66dd2820b6e4e027e8f86d91a1a3a5e3ff40e425ec90817972595855d3ece281
Opcode Fuzzy Hash: bce34f9f69a50ab052a08d6010950e1030155b85f55a508797a0cee36969400b
Instruction Fuzzy Hash: EA41A479904228CFDB64DF64C994BECBBB2FB49304F1484AAD80AB7291D7759E85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA6EC, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

srUS, xrefs: 00ADA708

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID: srUS
API String ID: 0-974505231
Opcode ID: 3c104824d005163624918d023c37797e329d5f776278bc0e6da1df39195bb405
Instruction ID: 0594083552e5fea5a8f5637986a67a7b27a3922955e6a6a4b53e2e19cbcbceaf
Opcode Fuzzy Hash: 3c104824d005163624918d023c37797e329d5f776278bc0e6da1df39195bb405
Instruction Fuzzy Hash: 993180B6509340AFD311CF15ED41A57FFE8EB89620F18C95FFD8997212D235A508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA944, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

srUS, xrefs: 00ADA960

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID: srUS
API String ID: 0-974505231
Opcode ID: f92307987d6e030c27738367355cd90c621c54f1cd84c6f50bd20f999736d645
Instruction ID: da61a6c079f19b434606ee6bf06cb09051c435b56b36ed202f06f1799d0c4b21
Opcode Fuzzy Hash: f92307987d6e030c27738367355cd90c621c54f1cd84c6f50bd20f999736d645
Instruction Fuzzy Hash: 7D2193B6908340AFD311CF19EC41A57FFE8EB88620F04C96FFD4997312D231A9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0588254A, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

,, xrefs: 05881BA3

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 3a0f70c5745209722550342884213f9bf346ef5e59a3c50ecd7a83a6b9195efd
Instruction ID: e82fb7b132d1b629420dbf21d4e08b9b7a6b5de37014fc5b2f39380b1ae3be82
Opcode Fuzzy Hash: 3a0f70c5745209722550342884213f9bf346ef5e59a3c50ecd7a83a6b9195efd
Instruction Fuzzy Hash: 4E419274905228CFDB64DF68C894BECBBB2BB45304F1481EAD40AA7290DB759E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA81A, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

srUS, xrefs: 00ADA834

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID: srUS
API String ID: 0-974505231
Opcode ID: 0faa5f6eef49a3862ee02af60ab57db4fd55cb7e4632147d4e8c4ed571636507
Instruction ID: 2e3dfa4601784b2b3024ebcde70bccba09544d1269ae63160c1a9ea658ce2e5e
Opcode Fuzzy Hash: 0faa5f6eef49a3862ee02af60ab57db4fd55cb7e4632147d4e8c4ed571636507
Instruction Fuzzy Hash: B3218F76509340AFD701CF19EC41A57FFE8EB89620F08C96FFD4997212D235A9088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA5C0, Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

srUS, xrefs: 00ADA5DC

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID: srUS
API String ID: 0-974505231
Opcode ID: 8e9c5cf023f817f42a4863f28871570d8b29b5785a97506c6cc778b027d371f3
Instruction ID: 5d828475a98ab21cdd44da3fa7e66bf14516e6985bebd19eb2f7ce22a99aa291
Opcode Fuzzy Hash: 8e9c5cf023f817f42a4863f28871570d8b29b5785a97506c6cc778b027d371f3
Instruction Fuzzy Hash: 3921C176509340AFD7118F46EC41956FFA8EB85630F18C89FFD499B212D276A5088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 05881CF5, Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

+, xrefs: 05881D45

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: a843978cecefeb21598f77146632a030224e2e904ffb693cd1d433b935aae9d7
Instruction ID: a12b737229f617ff14b0a77e5201284877f9540f10761821f6c7600e847ced0a
Opcode Fuzzy Hash: a843978cecefeb21598f77146632a030224e2e904ffb693cd1d433b935aae9d7
Instruction Fuzzy Hash: 1A41D378904268CFCB64DF68C985BECBBB2BB45304F1481EA940AB7294DB355EC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05881B5B, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

,, xrefs: 05881BA3

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 23bd1942ba60da872814e78998796b22bfa68ddb3687aa818fa5745d6054a8c1
Instruction ID: 765f728567f22fab67246e9cfddaffd6d09779df15e77a480fd3f05052d114e4
Opcode Fuzzy Hash: 23bd1942ba60da872814e78998796b22bfa68ddb3687aa818fa5745d6054a8c1
Instruction Fuzzy Hash: BB41A378904228CFDB64DF68C894BECBBB2FB45304F1480EAD40AA7295DB359E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA191, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

srUS, xrefs: 00ADA1AC

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID: srUS
API String ID: 0-974505231
Opcode ID: dada96b29e8568eb1799c9b61adef8651bd35b85734a5772b6128e65fe515df5
Instruction ID: 68a16da8b87e79765e1492bb18de260ab19b08c55cb264c2bdbcbfd6827cbd9c
Opcode Fuzzy Hash: dada96b29e8568eb1799c9b61adef8651bd35b85734a5772b6128e65fe515df5
Instruction Fuzzy Hash: 162104766093406FC7118F09EC41E62FFA8EB85630F08C59FFD499B212D235B5088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 058821C1, Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

-, xrefs: 058821E0

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: e2b345b8f8256b6e23cc7c503d5fc2558c12de87f88753802d6f925c4ac6ec92
Instruction ID: 750ab45694b335d81857cfbe3b80cc2b3f003dc78fa77c415c297987a94632f2
Opcode Fuzzy Hash: e2b345b8f8256b6e23cc7c503d5fc2558c12de87f88753802d6f925c4ac6ec92
Instruction Fuzzy Hash: A931A379904228CFCB64DF64C984BECBBB1BB09304F1485EAD40AA7290DB759EC5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05881DC8, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

, xrefs: 05881DE4

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fd1c8538440254394cfc94c1b6f1419d12fc1f8e55f8ff8fcda4e72fabbb84a3
Instruction ID: c9d59f0b49d9b504f42b134b2d485c88453af18aaefd79dbd221017149444153
Opcode Fuzzy Hash: fd1c8538440254394cfc94c1b6f1419d12fc1f8e55f8ff8fcda4e72fabbb84a3
Instruction Fuzzy Hash: 4D318574904228CFCB64DF64C895BECBBB2BB45304F5484EAD80AA7291DB755E85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05881E25, Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

*, xrefs: 05881E40

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: *
API String ID: 0-163128923
Opcode ID: 9d09cb179a2443dcc6ee41deabe08d4762125a80f41c94f31cd5729e193413cf
Instruction ID: 3cf734be3a3136a01f80aa36e4877c0f064a230e53550f79f035dff887ed4301
Opcode Fuzzy Hash: 9d09cb179a2443dcc6ee41deabe08d4762125a80f41c94f31cd5729e193413cf
Instruction Fuzzy Hash: AC31A278904228CFCB64DF68C884BECBBB2BB45304F1480AA980AA7290DB755E85CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0588123F, Relevance: 1.3, Strings: 1, Instructions: 6COMMON

Download Yara Rule

Strings

!, xrefs: 0588124F

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 6eb29497aa461d57debe87ed90c03f419d5d9f89d05d34263bcfb5bd1cff8009
Instruction ID: 7d596e377f2a9b391e97e8695433265c8bda8a9f75acf147ee93afe54014658c
Opcode Fuzzy Hash: 6eb29497aa461d57debe87ed90c03f419d5d9f89d05d34263bcfb5bd1cff8009
Instruction Fuzzy Hash: EDC09BB0905108CBD714DF90F48C55EB772E749305F10C106A85263250CB70E805CF10

Uniqueness

Uniqueness Score: -1.00%

Function 058814D0, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4805049701d8846058aa7cf1e4993354d10095a3c75f859cff83219eb0f46b
Instruction ID: 0847d36bf4703c0fd1cfc36de04ce6e49a16cd5a7e832fdf1b2bd5d08608c6e2
Opcode Fuzzy Hash: 7e4805049701d8846058aa7cf1e4993354d10095a3c75f859cff83219eb0f46b
Instruction Fuzzy Hash: 31919DB4D09218CBDB10EFA8C589BADBBF1FB08304F20556AD806A7280DB745E4ACF55

Uniqueness

Uniqueness Score: -1.00%

Function 04BC0E09, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e0c6dbdcad637632e88b5459ef51c0e84688a4aa0cdf8ca3351403ef91e8b8
Instruction ID: ae11551bcb9605e19f4f8f79e71639d185572b5463af533b236a4e886cacdd78
Opcode Fuzzy Hash: c0e0c6dbdcad637632e88b5459ef51c0e84688a4aa0cdf8ca3351403ef91e8b8
Instruction Fuzzy Hash: 8591E675E0124A8BDB04EBA8C684ACDBBF2FF88304F258569D505BB356D730AD42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8E08, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c78d2c68a255b028147ca8d8c16ea9457272566ce96dc7c4ba8d350e51ac786
Instruction ID: 3a2d9d31bd3d81863ccd6f15f4ba1cb4bedc8305809f8822a5651ec8842dd5d7
Opcode Fuzzy Hash: 0c78d2c68a255b028147ca8d8c16ea9457272566ce96dc7c4ba8d350e51ac786
Instruction Fuzzy Hash: C871E574E05219DFDB44EFA9D884AAEBBF2FF49301F10846AD41AAB250DB346942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04BC90AA, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ead1e0251905080b4f053ab69955913c31f678cb4ef8b0bfba671feca983744
Instruction ID: 34361c22c46fd0be82576d4e81a936ca0c05d6761e544df879de31394262693e
Opcode Fuzzy Hash: 8ead1e0251905080b4f053ab69955913c31f678cb4ef8b0bfba671feca983744
Instruction Fuzzy Hash: 3C5118B4E05208EFEB04DFA9D4897EDBBF1AF49315F1491AED416A3250E7382942CF11

Uniqueness

Uniqueness Score: -1.00%

Function 05880990, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eeb82d09d71c03801b6726f6c458dcc776d98f77f4a8984c4544b3fce0fa21a
Instruction ID: 027f5594d3c17131352e7ada4ea8a4d64e1ddcfb304373a904a1c75cd8df0bc6
Opcode Fuzzy Hash: 4eeb82d09d71c03801b6726f6c458dcc776d98f77f4a8984c4544b3fce0fa21a
Instruction Fuzzy Hash: A8512770E46208DFDB04EFA9C548ABEBBF2EF49318F2495A5D814F7241D3749E488B61

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9830, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f0b9ef34a464ac1014f8d7ecc82866fa745fb8037fadef12cc49bb0463ff40
Instruction ID: 3fa9a805881d46b10916d6c2682fa7c734016a370d29e2067fa12b5682f237a0
Opcode Fuzzy Hash: a2f0b9ef34a464ac1014f8d7ecc82866fa745fb8037fadef12cc49bb0463ff40
Instruction Fuzzy Hash: EC51F6B0E05208CFEB04DFA9C5846EEFBF1FF89300F1485AAD409A7254E7346945DB55

Uniqueness

Uniqueness Score: -1.00%

Function 04BC95E6, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cad8a4c8087df512c8c3a370ff2c46cb42f648702a35d45c490b7f961c7dd9
Instruction ID: 58a8ecdc152e0e850e548b5ea1e50a58b570b4c26998f3d240d8f7155635d113
Opcode Fuzzy Hash: 14cad8a4c8087df512c8c3a370ff2c46cb42f648702a35d45c490b7f961c7dd9
Instruction Fuzzy Hash: F5518DB4E05219CFEF10DFA5C980AADBBB2FB49300F20946AE519BB241D7356A45DF10

Uniqueness

Uniqueness Score: -1.00%

Function 05880980, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe8765fc3476895792ca4946c0ed399256e23da8aec73163796d4e0885d384a
Instruction ID: 9ddf6d597337a0a393e14fa5e649ae5529afe658791df118a97d569b0159271c
Opcode Fuzzy Hash: efe8765fc3476895792ca4946c0ed399256e23da8aec73163796d4e0885d384a
Instruction Fuzzy Hash: 91412470E42208DFDB00EFA9C948BBEBBF2EF49318F5495A5D814F3280D3749A488B51

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9738, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 181495d9c4cb587b91adab668c0158ccfdaab41f278a0bfb8cff5e4565f1ab40
Instruction ID: efc1fffd22749626d5253a84a9c0956b4284d641ca98f9ad8c0c7096b1df409b
Opcode Fuzzy Hash: 181495d9c4cb587b91adab668c0158ccfdaab41f278a0bfb8cff5e4565f1ab40
Instruction Fuzzy Hash: F041A0B4E45219CFEF20CFE4C584AADBBB1FB49314F24946AE429B7241E734AA45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 05882502, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029b3c225949d06a4a8061c2a8d88b9bb9ed020a217728522ec49a55d2e0b245
Instruction ID: 3852150cad1f472abdcd9cf2a7a124fcf0c16554319098b34bd2eece87cd5133
Opcode Fuzzy Hash: 029b3c225949d06a4a8061c2a8d88b9bb9ed020a217728522ec49a55d2e0b245
Instruction Fuzzy Hash: 72419578904228CFDB64DF64C884BECB7B2BB45304F1481EAD80AB7295DB755E85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9AA9, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b89b9097d486a6c48746323de1b217a552585933096fb47d3c1db5c8125d5a5
Instruction ID: 2aa3eb3d1953fffe6145ba5858e23d1bdf36b94c075be42ff545cd645389239b
Opcode Fuzzy Hash: 1b89b9097d486a6c48746323de1b217a552585933096fb47d3c1db5c8125d5a5
Instruction Fuzzy Hash: 2F31F470B05294DFDB15EBA889907AEBFB2BF85700F2540EED405AB292DA346D05C762

Uniqueness

Uniqueness Score: -1.00%

Function 05882130, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 019590452f94954c8d02be283adf59c699c6b35edcbf1602f3e3dc0bfb11a17f
Instruction ID: 239f0690e0272016aac4d13f1b26289b1ca1b9770a31276b8c022085c387b980
Opcode Fuzzy Hash: 019590452f94954c8d02be283adf59c699c6b35edcbf1602f3e3dc0bfb11a17f
Instruction Fuzzy Hash: 0741C478904268CFCB64EF64C885BECBBB2BB49304F1484EA950AA7291DB755EC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 05881F35, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf2e6b82a0552b306ecea6e9765c2618e9757b0eb1f80112a8730a7e394fb20
Instruction ID: 44d1a71f61258511311aea7bd4e101861f4aad67e35d57b917356b3a57288edd
Opcode Fuzzy Hash: bbf2e6b82a0552b306ecea6e9765c2618e9757b0eb1f80112a8730a7e394fb20
Instruction Fuzzy Hash: F641B675904228CFDB64DF64C884BEDBBB2FB49304F1485AAD80AA7291DB759EC5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 058820A4, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec3cf8a99c8e12e6b5c2ac8547b66e1b06c1be5cf874c5a0a838c563a037365
Instruction ID: 0dde55a57479ddcdcfc239551457720421d524d58d22862c15b34bfa757ee259
Opcode Fuzzy Hash: 4ec3cf8a99c8e12e6b5c2ac8547b66e1b06c1be5cf874c5a0a838c563a037365
Instruction Fuzzy Hash: F6419378904228CFDB64DF68C884BECB7B2BB49304F1481EAD40AA7291DB755EC1CF01

Uniqueness

Uniqueness Score: -1.00%

Function 05881EBE, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc03ab2a684452ad5ac6d2b3c15cb9659380a0f6e379f5475d2a330bd0a3471
Instruction ID: b3252769cbf88a6cac7c2cebd8d42d86b900b7e0cdb21120fbacad1a43473568
Opcode Fuzzy Hash: 1dc03ab2a684452ad5ac6d2b3c15cb9659380a0f6e379f5475d2a330bd0a3471
Instruction Fuzzy Hash: 85418578904269CFDB64DF68C894BECB7B2BB45304F2481EAD40AB7295DB355E81CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA3AA, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7db413f00f774bf57ed0b584e7235ceb483cb171ec96cab894fb63ad803a84
Instruction ID: 026f7cce444b9eec296f6dcc4d20c575755636dab1323d26500a69054cd9d509
Opcode Fuzzy Hash: 2e7db413f00f774bf57ed0b584e7235ceb483cb171ec96cab894fb63ad803a84
Instruction Fuzzy Hash: 6821C1B6509340AFD7118F16EC41A52FFE8EB85630F08C99FFD499B212D236A504CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ADAAC8, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e38a0dc19d1a772f182d55278e58497257b4e7ce46174bef351f7bb31d63b57
Instruction ID: ac62a6ce5af242c95285bee8f68a1d17e98c1cba94e106a2f2cfef4d78851249
Opcode Fuzzy Hash: 0e38a0dc19d1a772f182d55278e58497257b4e7ce46174bef351f7bb31d63b57
Instruction Fuzzy Hash: E0313AB550E3819FD302CF259850956BFF4EF9A214F0889DFE8C8DB252D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 04BC1471, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06a5d3e1bed3a39a0caefea13e8ec4707383331fa0137a8f8fdd0f89ed76b02
Instruction ID: ab174329a5741b483ab99bd2e18dd2de37efc66ae1219dc2ef4aaf7b5965df5d
Opcode Fuzzy Hash: e06a5d3e1bed3a39a0caefea13e8ec4707383331fa0137a8f8fdd0f89ed76b02
Instruction Fuzzy Hash: BC31EAB4E05109DFCB48CFA9C5809AEFBF2EF49300F1095AAD415AB751D778AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 04BC1480, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7cbac0e5068e6433626de0a5000a5efde6e1064d54e1826699aeac6ab6dd8c
Instruction ID: c4181c83d292feef88039c4062a3d4995ac98742334d2a2d8543d3cb41572ad2
Opcode Fuzzy Hash: 0a7cbac0e5068e6433626de0a5000a5efde6e1064d54e1826699aeac6ab6dd8c
Instruction Fuzzy Hash: 0031D9B4E0520ADFCB44CF99C5809AEFBF6FB48300F1095AAD815A7755D738AA41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 04BC93EA, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3f2c0ab859fef74a365bfbc30744c79fd5755f0947419026c0d1bf6f468d72
Instruction ID: 1af537fb8f27a1e016d1a3e13b9cccb1c193b4161d508000b7531b65b5357eae
Opcode Fuzzy Hash: 9c3f2c0ab859fef74a365bfbc30744c79fd5755f0947419026c0d1bf6f468d72
Instruction Fuzzy Hash: B93114B4E05218DFDB04DFA8D9846AEBBB1FB88300F1081AAD815A3350EB342941DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA716, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb91f1bd75aaaf61194d1c7686c2fab3ecbc12fdebfe6388b70ffa1efc51890
Instruction ID: 08288483dc8dd4c6c0b9a04e1ceab76ba40ad0cb878167e44f8de77cc9711db7
Opcode Fuzzy Hash: 6fb91f1bd75aaaf61194d1c7686c2fab3ecbc12fdebfe6388b70ffa1efc51890
Instruction Fuzzy Hash: 0F212FB6544300AFD210CF09ED41E57FBE8EB88670F14C96EFD5997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA96E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb59e4f746983c224b73c7ac92d81e80734fe068e996f1a73fbdeec950f38f7e
Instruction ID: 0df5301780fad724852c78120f555ad9242f99f9bbb53093ee784f79d22087eb
Opcode Fuzzy Hash: eb59e4f746983c224b73c7ac92d81e80734fe068e996f1a73fbdeec950f38f7e
Instruction Fuzzy Hash: 2C212CB6544300AFD210CF0AED81A57FBE8EB88670F14C96EFD4997311D276A9149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA842, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a1d7287e420c0cc025347526a5d3ea2f9969f4cea091c428792b87bb9d4d5f
Instruction ID: 198dff4d9710b50cf9353cfb82c5fa95868fe0f4d7d2cee91eebd35114a15cb0
Opcode Fuzzy Hash: 89a1d7287e420c0cc025347526a5d3ea2f9969f4cea091c428792b87bb9d4d5f
Instruction Fuzzy Hash: 27213EB6544304AFD310CF0AED81A57FBE8EB88670F14C96EFD4997311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 05881DF3, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff5604b766a7f2b27b39278ed57c0f3ec2829c01f521729666cb9339c0a79c6a
Instruction ID: 596022bff8747761443b3135160b48d39c9acdc4b190868ff05c0f935b6cf1c6
Opcode Fuzzy Hash: ff5604b766a7f2b27b39278ed57c0f3ec2829c01f521729666cb9339c0a79c6a
Instruction Fuzzy Hash: 4931A574904228CFCB64DF68C894BECB7B2BB45304F1485EA940AB7291DB755EC1CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8CA8, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93103d53af8d3682d9d56a2192bd765a4cd17faa8aa7e559ba3a9d1ac79cbec3
Instruction ID: 42c97073bf694b7372816168e11673bef67381a7c1179dfb776f798be1958038
Opcode Fuzzy Hash: 93103d53af8d3682d9d56a2192bd765a4cd17faa8aa7e559ba3a9d1ac79cbec3
Instruction Fuzzy Hash: 2F21B070909249DFCB02FFA4D9846AE7F72FF4A312F108ADED80267156E3746951EB41

Uniqueness

Uniqueness Score: -1.00%

Function 058820ED, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f39d8031aa6fa80b1dcc5199cb66f843b91d58f9bd87ee2471c492a8141d39c
Instruction ID: 484a159c4e8ca8d1e7e606e23fbca1749237d10b42284d6ffe4389e51eea910f
Opcode Fuzzy Hash: 6f39d8031aa6fa80b1dcc5199cb66f843b91d58f9bd87ee2471c492a8141d39c
Instruction Fuzzy Hash: 5D31A578904268CFCB64DF69C884BECBBB2BB45304F1485EA940AB7291DB755EC5CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA5EA, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd907cb7c8c211cb3366e4c9d95ec164f4c42acc4e11188efdad1f9c8f5bfc46
Instruction ID: 89174349e3b9e70564ba336608304cddaa4ef82734f99adfc0abe1bf220824f9
Opcode Fuzzy Hash: cd907cb7c8c211cb3366e4c9d95ec164f4c42acc4e11188efdad1f9c8f5bfc46
Instruction Fuzzy Hash: F711B676544200BFD6108F0AEC41D67FFE8EB88670F18C96EFD495B311D276B5149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA3D2, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675e29789892ced38643c033070b70de5a0c5dc4c19cf70ea8af959de6c29121
Instruction ID: 604a4ec31cc3704ac65fe3748c0718953d2eb74c979aa5481d3abce35a2a8dac
Opcode Fuzzy Hash: 675e29789892ced38643c033070b70de5a0c5dc4c19cf70ea8af959de6c29121
Instruction Fuzzy Hash: 0711E676504200BFD2108F0AEC41E67FBE8EB88630F18C86EFD095B311D272B5048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 04BC15B1, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8e14077bec60a04d3f75612ede14c8d873fe7ae578a2cd51a3bec79577e830
Instruction ID: a69d11ec844b63c219fe02099facab5ce3d29c72eb7b0c18fc493cae91f5161f
Opcode Fuzzy Hash: 1c8e14077bec60a04d3f75612ede14c8d873fe7ae578a2cd51a3bec79577e830
Instruction Fuzzy Hash: 39212A70E04209DFCB04CFA9C6819AEFBF1FF89304F2589AAD415BB216D734AA018F51

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA640, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5be2e9131d866f8687b3723e4f32778c8d8c39dd7bfeee3d5a9f45792ae9d9d0
Instruction ID: e36bf887be98e9c3da86cea313c7b2be93e59ab9c6016220fb07a6e3b792089b
Opcode Fuzzy Hash: 5be2e9131d866f8687b3723e4f32778c8d8c39dd7bfeee3d5a9f45792ae9d9d0
Instruction Fuzzy Hash: A3215EB550D380AFD702CF15DC51956BFF4EF86620F0989DEF8889B253D235A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA1BA, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031d2017d2d85c6e1e82a30a9016a9242975469a64a04f0101c57c1d13a2f512
Instruction ID: 2f4008556e650f7030e7a15c53eeba6c5735797040737b2a00245497bd679c8d
Opcode Fuzzy Hash: 031d2017d2d85c6e1e82a30a9016a9242975469a64a04f0101c57c1d13a2f512
Instruction Fuzzy Hash: 5A11C676644204BFD6108E0AEC41E62FBA8EB84B71F18C56BFD095B201D176B5149BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF0820, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336996518.0000000000AF0000.00000040.00000040.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccaabc6ff8a2b4abe68c1f7b6f9bdb7c986c95abad3ea3600b57f9bce2a09ff7
Instruction ID: 6a7eb3acc60c66b04812d8a598c7753962c08b53e00c963fab2a0dc25968698e
Opcode Fuzzy Hash: ccaabc6ff8a2b4abe68c1f7b6f9bdb7c986c95abad3ea3600b57f9bce2a09ff7
Instruction Fuzzy Hash: 42216D3500D7C08FD3038B608861A65BFB1EF47304F2986DBD9C48B5A3C22A9816DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04BC83B0, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a84de57929c4aea124149ba5d319c2820ee6bf80f4c9512b2843475ad8c2df1
Instruction ID: 7f6a551289821e02e168ed3833261acab291b610f4c5343fd94752a7f54509e4
Opcode Fuzzy Hash: 4a84de57929c4aea124149ba5d319c2820ee6bf80f4c9512b2843475ad8c2df1
Instruction Fuzzy Hash: F6210874E04109EFCB04EFE9D5846AEBBF2FB88302F5094AAD815A7354E7346A01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00AF0724, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336996518.0000000000AF0000.00000040.00000040.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4735585773a8a5352109fcdc717c38e40eff7862f3fb8f616c747250085431
Instruction ID: 908ae734ea234e74e876a459aaeb6b67e7d8ceb68808a319818d925670f38169
Opcode Fuzzy Hash: bc4735585773a8a5352109fcdc717c38e40eff7862f3fb8f616c747250085431
Instruction Fuzzy Hash: 5E2129355097C58FC702CB20C850B55BFB1EB56314F2986EFD9899B663C33A980ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 00AF075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336996518.0000000000AF0000.00000040.00000040.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77289109606de6dfaee7e973d0281ae15493340fae486bbda9c63fc4ea73e358
Instruction ID: 3d3f21d9e1401a3bc66ae62e663b168f8c7ca1010a1de9fa241bbea8455e4975
Opcode Fuzzy Hash: 77289109606de6dfaee7e973d0281ae15493340fae486bbda9c63fc4ea73e358
Instruction Fuzzy Hash: 31119034204688DFD715DB94C984F36BBA5AB48708F24C99CFA491B653C77BA802CA91

Uniqueness

Uniqueness Score: -1.00%

Function 04BC83A1, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5f5e708f19f21e31f8c2c37138c04d46a5b1195355a4015700650f46ac90aa4
Instruction ID: 283b47aff35058aa63abe1d98725d5f8b6040281631806b88b2ddbc819898ed9
Opcode Fuzzy Hash: b5f5e708f19f21e31f8c2c37138c04d46a5b1195355a4015700650f46ac90aa4
Instruction Fuzzy Hash: DF214DB4E05109EFCB04EFA9C5846AEBBF2FB88301F1095AAD415A7254D7345A41CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8829, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 503c9472f869d0fa267b037548273f4d691548d59e31cbbadad693ed4ece0d6b
Instruction ID: 9590b37c3e2a550ac22663391376d90b5878da6e977609084b109dd3fd6cbea9
Opcode Fuzzy Hash: 503c9472f869d0fa267b037548273f4d691548d59e31cbbadad693ed4ece0d6b
Instruction Fuzzy Hash: D62124B4D09249DFCB04DFA9D980AAEBBB0FF89302F1084AAC402A7650D7349A41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05880C58, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dbad2aba236330e35e316d1fa7f7da393355f98259808518e77d0175ae46c8
Instruction ID: 03ef7bcd752e2741622fdaaf159fb8bfe8002030fc63c4031519a0a6d530ae05
Opcode Fuzzy Hash: 73dbad2aba236330e35e316d1fa7f7da393355f98259808518e77d0175ae46c8
Instruction Fuzzy Hash: 6521FF74D0421ADFCB04EF98C585AFEBBB6EF48304F10806AD805AB351D734AE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8838, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1708577f52bdae0665c50bef1523428c414edfddc7bc989a39d43b8ad940e155
Instruction ID: 7eca5760acccac790155177e1483dcce428bac8c59f0f9c8241ba248ac2ab32d
Opcode Fuzzy Hash: 1708577f52bdae0665c50bef1523428c414edfddc7bc989a39d43b8ad940e155
Instruction Fuzzy Hash: BD2123B4D05209DFCB04EFA9D981AAEFBB0FF89302F1084AAD405A7650D734AA41DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00ADAB09, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c88c3165c0be61340e4e0bb284208cd8b4a3ff3573d81c1119c1f8c385c480b
Instruction ID: 860c6756d1bba103b66339f8c0ef6195143e18687918448ec03613c7ec80578f
Opcode Fuzzy Hash: 0c88c3165c0be61340e4e0bb284208cd8b4a3ff3573d81c1119c1f8c385c480b
Instruction Fuzzy Hash: 1411D7B5908301AFD340CF19D981A5BFBE4FB88664F04896EF898D7311D231E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 05880C68, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd9a7f517aaa0cff2d427d2b12937e01dfec4d6e15c049c9ffb4ca73fadc9e7
Instruction ID: 6fa2d5628d50eba9e87fbbace496bac45e23eca1d61fb76383f99c0b77b722e8
Opcode Fuzzy Hash: ecd9a7f517aaa0cff2d427d2b12937e01dfec4d6e15c049c9ffb4ca73fadc9e7
Instruction Fuzzy Hash: CF21AF74D04209DFCB04DF98C5999BEBBF6EF48300F108169D815AB350DB34AE44DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04BC3018, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b840286040fbd313cb4c2626d2105416a1bbcd38afeeb7ec490d59305fafaf
Instruction ID: 78d43d42324ea03e7e21a9239b9ee30472dc51aad854d7377ee13cf2d659b502
Opcode Fuzzy Hash: 80b840286040fbd313cb4c2626d2105416a1bbcd38afeeb7ec490d59305fafaf
Instruction Fuzzy Hash: 75115C71D05208AFCB04CFA5D5816ADFBF0EF49300F54D5AEC815AB212D734A641DB45

Uniqueness

Uniqueness Score: -1.00%

Function 04BC0006, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f6008d0b1e8d67f9a79dc37a9f4c62693cd4d22d6b8665329ce2f701d15196
Instruction ID: a90f71d545ab7b136cfd7dfc2adedb41dac53f75b245c2c19e9e3015d3c88d8b
Opcode Fuzzy Hash: 24f6008d0b1e8d67f9a79dc37a9f4c62693cd4d22d6b8665329ce2f701d15196
Instruction Fuzzy Hash: 2E01E9A280E3C49FC7039BB458656557FB05F63206F1A45EBD986CB1A3E118091AC767

Uniqueness

Uniqueness Score: -1.00%

Function 04BC4DC8, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d6f3bc633162421b91ac29fff67956eef18ef026c4d20ee0fb3318ab047c2d
Instruction ID: 076d8b06d12347e3e0b3fa07fa90d40f146b53eac3bb0cd618c620ba102adc68
Opcode Fuzzy Hash: 17d6f3bc633162421b91ac29fff67956eef18ef026c4d20ee0fb3318ab047c2d
Instruction Fuzzy Hash: C9117971C46208EFCB04EFA4E6A556DBFB0EB8A311F1099AAC403E7250D7789B01DB06

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8C4F, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2789170e573b4c5781364ab9c3cd3112d70c48995f95f3012dec0c47003ca709
Instruction ID: b57539e8f5705b07b74daf8390b726a1fd7dd13c5cebef9ddacf9111656ddc41
Opcode Fuzzy Hash: 2789170e573b4c5781364ab9c3cd3112d70c48995f95f3012dec0c47003ca709
Instruction Fuzzy Hash: 57115EB5D05248AFCF06DFA4C980AFEBFB2EF98300F10409AD81563352D7315A11DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA118, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d685e61d89f12e30c2572d02bcea4d31d8e1cb69146d82e71fd1936bff35a15
Instruction ID: fd1e104c4f2fbeb9806b016cdf5364fa3dc59967ea4edecc8aba2ca41e1fc68e
Opcode Fuzzy Hash: 8d685e61d89f12e30c2572d02bcea4d31d8e1cb69146d82e71fd1936bff35a15
Instruction Fuzzy Hash: DC01D47640D3C06FD3134B255C95AA2BF78EF43620F0984CBED848F153D1166909D7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04BC4DD8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3170844b6bf95f3eff2fabed1ce58b39791d2f32abfb766ed972bb0f32432222
Instruction ID: 426f73038d59ad76d29ace292d09ef1ca62884bc2064c3d82281decbfe772b93
Opcode Fuzzy Hash: 3170844b6bf95f3eff2fabed1ce58b39791d2f32abfb766ed972bb0f32432222
Instruction Fuzzy Hash: F3019231D45208EBCB14EFE4E6A555DFBB1EB8A301F1098AAC007E7250DB34AB41DB46

Uniqueness

Uniqueness Score: -1.00%

Function 04BC4F01, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d05585df677135d3bd94ec5cbfe39e747e0c71ed3cac0bce62f11c180cb1a5
Instruction ID: 8e36465f6b2167f79016bb1523d0f1f3a462db3f0cd8812bb95540e7c5c27640
Opcode Fuzzy Hash: f6d05585df677135d3bd94ec5cbfe39e747e0c71ed3cac0bce62f11c180cb1a5
Instruction Fuzzy Hash: 97012D70D15209EFDB04CFA5D5D169DFBB1EF86200F1495FED10AAB254EA34AB40CB15

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9BB8, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cacbf6ec4a7aa51327f36561feac283fb7ab3a01f7b58adcb763398d6d04cf88
Instruction ID: a8a5375bfa1a30b8b38af9b77ec56139af1a7304172cd38a31c52f1b2d96effc
Opcode Fuzzy Hash: cacbf6ec4a7aa51327f36561feac283fb7ab3a01f7b58adcb763398d6d04cf88
Instruction Fuzzy Hash: 910169B0D29248EFCB05DFA8C48169CBFB1EF46300F2041EED80597661D6356945DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00AF05D0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336996518.0000000000AF0000.00000040.00000040.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e3db96d3d41ae979c7a226b96ecaf7a163facbea611aebcfdaecfca5caf4fc9
Instruction ID: 76a164c454eadeed3980d368f838d136de6dd9898571cf8e6bb0f13b17e10d5f
Opcode Fuzzy Hash: 4e3db96d3d41ae979c7a226b96ecaf7a163facbea611aebcfdaecfca5caf4fc9
Instruction Fuzzy Hash: 9C01D6755497805FC7128F1AEC40853FFF8EF8623070984ABEC89CB212D129A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04BC4F10, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1895567342b387109111554736b544ec4fe54f2f39d7c75587975c7f8321f9
Instruction ID: 98412fea4ab6626a788f27bf16e12d5b7c9076f41b0ddbe12fcb0ebfb19f1270
Opcode Fuzzy Hash: 1b1895567342b387109111554736b544ec4fe54f2f39d7c75587975c7f8321f9
Instruction Fuzzy Hash: 9B015A30D15209EBDB04CFA5E2D159DFBB4EF8A200F1095EAD00AAB214EA34BB40DB45

Uniqueness

Uniqueness Score: -1.00%

Function 04BC898A, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 515a68b7bb34af54eba9bf08a484cffd4cf1a5edf02e15bd7c1d3a205b9a4801
Instruction ID: 102802cea6fb22d4dfebd7806f8bbff6ca416ac03e77aea949edf4e4d9dbbdb3
Opcode Fuzzy Hash: 515a68b7bb34af54eba9bf08a484cffd4cf1a5edf02e15bd7c1d3a205b9a4801
Instruction Fuzzy Hash: C201BC70D053089FC745EBA8C4457ACBFB0EB05304F1042EEC854977A1D6742905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04BC30E0, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dc986d2106f836b8392c517efb6a269ff44473bfa952f7d5475c2759cdcd39
Instruction ID: 941dcc180fa006f50bc619dbda12ca78cbe6510f9d418b3ee3300f79bf38f4d2
Opcode Fuzzy Hash: 85dc986d2106f836b8392c517efb6a269ff44473bfa952f7d5475c2759cdcd39
Instruction Fuzzy Hash: 0101FB78E01108AFCB04DBA9C995F9DBFF1EF88300F05C1A9D909AB361D6309A51CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8778, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff86d6573086256e81cfb637bfc7a9c6435be97546f9d12f02f17858e98c6dc
Instruction ID: b107fa873228ba76b5e2764bd6e342b4201edff4618f7524eeef8da3a4f6de80
Opcode Fuzzy Hash: 9ff86d6573086256e81cfb637bfc7a9c6435be97546f9d12f02f17858e98c6dc
Instruction Fuzzy Hash: 02F0AF72E041199FCF06DFA8C8406EFBB72EF85301F00816EE9117B261D775192ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04BC30F0, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2c0a1e2b99570c9af945c458de4566181b98d4223e558e9d7624cb8c488030
Instruction ID: 750f67aa8b9dd68489ad48374949d085b97c8c557f155bf249b081a9ff63bb51
Opcode Fuzzy Hash: ac2c0a1e2b99570c9af945c458de4566181b98d4223e558e9d7624cb8c488030
Instruction Fuzzy Hash: 73F09C78A01208AFCB04DFA9C999E5DFFF1EF48300F55C1A9D909AB361D634EA51DB41

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8788, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0527db953b772f7258e42e914ac3e2abb0ec530ea05c04f059e857ef133867
Instruction ID: 4e95896a283dd5a4326213ef91f5ae545c0979f97f58923611389231d23066d3
Opcode Fuzzy Hash: 2e0527db953b772f7258e42e914ac3e2abb0ec530ea05c04f059e857ef133867
Instruction Fuzzy Hash: 39F03A32D001199BCF06EFA8D8445EFBB76EF89311F00806AE9103B250CB76691ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AF0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336996518.0000000000AF0000.00000040.00000040.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction ID: 2cab27a48a5d77d6ae06f312d77347664fc1551b946fcc942ce4dbcaa41c2122
Opcode Fuzzy Hash: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction Fuzzy Hash: 1BF0FB35104644DFC216CB40D940F25FBA2EB89718F24C6A9E9490B752C337A813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 04BC503A, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef29e2cfec6c75bfb817717021ab2cb1628429d6e9f625b543a3c5f1a5989b3c
Instruction ID: 1517d8d471702c2cf8a733766f2c79696af5c6954140461eb363faa07d60f9f6
Opcode Fuzzy Hash: ef29e2cfec6c75bfb817717021ab2cb1628429d6e9f625b543a3c5f1a5989b3c
Instruction Fuzzy Hash: E0016D34A01124CFCB04CFE4CD88A9DB7B2FB8C301F0088AAD50AAB354D7746D458F00

Uniqueness

Uniqueness Score: -1.00%

Function 04BCA08C, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5d2cb3e1e10e0c1c701bfdaca43d95c787067aa2d09adf99d37400c2cdf84e
Instruction ID: a0c9a65d6bed40d5df85a2e909f6f2104100b172d95dd1e852d314768ac3f93d
Opcode Fuzzy Hash: db5d2cb3e1e10e0c1c701bfdaca43d95c787067aa2d09adf99d37400c2cdf84e
Instruction Fuzzy Hash: 6501A274A1011ECFDB60DF28EA99B98BBB1FB49300F0085A9E84AD3645DB706E818F50

Uniqueness

Uniqueness Score: -1.00%

Function 0588142F, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4598ad842f666c5f7959e6ec4cc3733e3430445034c5e78cee4be02121efe7b
Instruction ID: ea396f2ab1d39839e00a9d2b342b02778e8e9ab835559ffcb1a2e9a3ada6bb68
Opcode Fuzzy Hash: f4598ad842f666c5f7959e6ec4cc3733e3430445034c5e78cee4be02121efe7b
Instruction Fuzzy Hash: 77F03770D49208DFC704EFA4D599AAEBF75EF46305F1041A9DC5593341DB306905DF49

Uniqueness

Uniqueness Score: -1.00%

Function 04BC01C0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1269f9c503426117eb6d113b10da61d4a787cb94568d182ae4f2fa4c1ca87ee
Instruction ID: fab43bca81df2c153e1caa5abdcba837346bfc31250c5f955ec27e8b35213978
Opcode Fuzzy Hash: b1269f9c503426117eb6d113b10da61d4a787cb94568d182ae4f2fa4c1ca87ee
Instruction Fuzzy Hash: E6F06230E16219EFCB44DFA4EAC499CF7F2FB49300F00559AE40AAB244E7309E418F00

Uniqueness

Uniqueness Score: -1.00%

Function 00AF05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336996518.0000000000AF0000.00000040.00000040.sdmp, Offset: 00AF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b08377c94e4a4c38d1c000b10e1e4bec3bb657ca68fed918339159f0267b41
Instruction ID: de8c544de35804af8af81bf16deb30333c07190e8fecd0b0260749a043189448
Opcode Fuzzy Hash: 12b08377c94e4a4c38d1c000b10e1e4bec3bb657ca68fed918339159f0267b41
Instruction Fuzzy Hash: C4E09276A406004BD650CF0AED81462FBD8EB88630B18C07FDC0D8B700E535B508CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 058829CF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6a4957283fe2af082d4b22585924da98694247731cd138312fbcbd6e71d213
Instruction ID: 3e43c770f7dfa41100e4e4c57d8311cee5154b3333722f489a029ca3c1274c1c
Opcode Fuzzy Hash: 9c6a4957283fe2af082d4b22585924da98694247731cd138312fbcbd6e71d213
Instruction Fuzzy Hash: 52F08C3580924CEFC741DF98CC41AADBFB4EF49300F1481AADC5997342C6359A46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8DBA, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34229afa8c1906e2952812c6035fd127b5c9489e61e495b20334fbb2bbe7d37c
Instruction ID: c728b725a708fac27f023e1bac8f5b5195f0651996840ba06dbf8cba111bdff4
Opcode Fuzzy Hash: 34229afa8c1906e2952812c6035fd127b5c9489e61e495b20334fbb2bbe7d37c
Instruction Fuzzy Hash: FCE09270D5A108EBCB08EFA4D8855FEBF32EB56312F10919ED80623251D7301A45EB61

Uniqueness

Uniqueness Score: -1.00%

Function 04BC6787, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab3d76e6a86bb7c106a8d253480bea82122305576069e8a7551cf140464513c
Instruction ID: c19cb9eb10016fe33738d156b8af5cf1bacaf19fb2b45ec9abae7fc924044e96
Opcode Fuzzy Hash: aab3d76e6a86bb7c106a8d253480bea82122305576069e8a7551cf140464513c
Instruction Fuzzy Hash: 83F0B239A013189FDB04CFA4CA84BE9B7F2EF49300F1180A5E50AAB676D735AE45DF01

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA6A3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a1a17cd57bd3b1a4a7bb9612cd7f8b9cb1dfb10e30f5b32540195c2d515b3d
Instruction ID: 4a0e160bf38cec118152dc7308895ae8c969ec959a3e59bd81f2414592c78255
Opcode Fuzzy Hash: 16a1a17cd57bd3b1a4a7bb9612cd7f8b9cb1dfb10e30f5b32540195c2d515b3d
Instruction Fuzzy Hash: D5E0D8729412006BD2108F06AC86F22FB98EB54A30F04C56BED085B302E0B5B5048AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00ADAB6B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee5690146b825601b317bb5d872afa69e6188a97e9f3c2812661a5c26fc4964d
Instruction ID: d4dc3fc90dc812c9d04f55506998cc291c2c69e701a715cfe596b00304f319c8
Opcode Fuzzy Hash: ee5690146b825601b317bb5d872afa69e6188a97e9f3c2812661a5c26fc4964d
Instruction Fuzzy Hash: 72E0D8729513006BD2108F06AC86B22FB98EB54A30F04C56BED085B302E071B5148AF1

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA363, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb2e9b0b92af3014249f6554b9de7e92bffe9da01ca6b539b0f55b4b98ecd1f
Instruction ID: db274f7416b2c22df03797031c82311bbb7a73c189a2580e2dbfb39660a91b0c
Opcode Fuzzy Hash: edb2e9b0b92af3014249f6554b9de7e92bffe9da01ca6b539b0f55b4b98ecd1f
Instruction Fuzzy Hash: B5E0D8719412046BD2508E06AC86B22FB98EB44A30F48C467ED085B302E175B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA8FB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93647cb1778c5b85bb684821ce085d5df1159e7e73d8aaf52cee63c7b7dd3d18
Instruction ID: deec2a6e4ffb2e9467482a8b138f316026de3c141238615aa804d35cba22f59a
Opcode Fuzzy Hash: 93647cb1778c5b85bb684821ce085d5df1159e7e73d8aaf52cee63c7b7dd3d18
Instruction Fuzzy Hash: 48E0D8729412006BD2109F06AC86F23FB98EB54A30F04C46BED085B302E072B5048EF1

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA57B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d11f3cda13b3b376349100878d267f29bc2dbb1a089bd05da3463b8c492d733
Instruction ID: 83ceda1518cd8c0966e80df3c162283181f82f7f2939cac66a8a7b0da4826663
Opcode Fuzzy Hash: 0d11f3cda13b3b376349100878d267f29bc2dbb1a089bd05da3463b8c492d733
Instruction Fuzzy Hash: 02E020719413006BD2108F06EC86B22FF9CEB44930F44C467ED085B302E075B5048EF5

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA14C, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec72a5d7ce972ae7aed3f68c63b0b9a1ba13632d06a9c9bf0afe839f39aed774
Instruction ID: 0cfccbe2691efd8138d3728b38acac400f278df40e09a31b73dffb7cb639cb5b
Opcode Fuzzy Hash: ec72a5d7ce972ae7aed3f68c63b0b9a1ba13632d06a9c9bf0afe839f39aed774
Instruction Fuzzy Hash: 13E020719413006BD2109F0AEC86B22FB9CEB44E70F44C467ED0C5B302E075B5048EF1

Uniqueness

Uniqueness Score: -1.00%

Function 00ADA7CF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336909575.0000000000AD2000.00000040.00000001.sdmp, Offset: 00AD2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 841c2d58344796d0967e94883761be91778ca5fda85c5a354aedf36c6dfe325f
Instruction ID: 803f2625acddc504b448ad9ea0dd0f11aaa132523d651224c6e538ef03e45ff5
Opcode Fuzzy Hash: 841c2d58344796d0967e94883761be91778ca5fda85c5a354aedf36c6dfe325f
Instruction Fuzzy Hash: F1E0D8729412046BD2108F06AC86F22FB98EB54A70F04C56BED085B302E075B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 05881488, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b739732b86a0817f6ae6e960e56845b67929c7b5dc9cf92e5b3c07ec3f2780
Instruction ID: 4817ae842eed24c809e0107c1203198ac3de4174add99c6d4895ea44b9562b37
Opcode Fuzzy Hash: 31b739732b86a0817f6ae6e960e56845b67929c7b5dc9cf92e5b3c07ec3f2780
Instruction Fuzzy Hash: 09E0927094510D9BCB00DFE8C549BADBBB1EB45304F10829AC859D3341CB386642CA44

Uniqueness

Uniqueness Score: -1.00%

Function 05882A21, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc79caba0e79f2e6d0c02a5fde10d7825d23c47fb1403b3017ac2b94159b6fb
Instruction ID: f8d5991303ded9cfb9ceaba73d3961c83626881e7348d462509b83f3d2015cc7
Opcode Fuzzy Hash: dbc79caba0e79f2e6d0c02a5fde10d7825d23c47fb1403b3017ac2b94159b6fb
Instruction Fuzzy Hash: DFF06575D45208DFC704DB98C8816ADBBB4EF49304F1480EADC15D7352D635AD06CF85

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8DC0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4e72a87e99f6f8457fbbc42ce562ad62cc85afb059d8d84752dc34bce476046
Instruction ID: c3c862d31399bdd469b1fc028c96065fb40ce23201b8579a9e5605ca8a4a5997
Opcode Fuzzy Hash: d4e72a87e99f6f8457fbbc42ce562ad62cc85afb059d8d84752dc34bce476046
Instruction Fuzzy Hash: 23E04830905108EBC704EF94DC855BEBB36EB56312F10909E9C0523251D7306A51EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04BC6B18, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dcb36ef55134f4eb1bb20aed18fa445fe9b4590d31965b937c9c1eb4e9d4c22
Instruction ID: 49884550ef81590cb178ccc2474b17ff28566bf2acc6f4695f63787b16a307d7
Opcode Fuzzy Hash: 3dcb36ef55134f4eb1bb20aed18fa445fe9b4590d31965b937c9c1eb4e9d4c22
Instruction Fuzzy Hash: D2F022708122089FCB02DFB8C486ADCBFB0FF06300F1001AEC40183221E7318A6ACB02

Uniqueness

Uniqueness Score: -1.00%

Function 058803CF, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e027ccebfd288df0db45beedb3af49ff4c8852c9c26452204c6ac27c6eff7170
Instruction ID: 2fe9bc3512aeb73cac3a62d9f96ff072e99b275c3b4812a4338ba03faff58c2a
Opcode Fuzzy Hash: e027ccebfd288df0db45beedb3af49ff4c8852c9c26452204c6ac27c6eff7170
Instruction Fuzzy Hash: 67E04F7494A208DFC701EBA89889BADBF78EB06605F44009ADC49A3352DA719A49C791

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8C60, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f9214cb8bf425c7286f2d68ffb28a7b098a0248b74623749ef49fbbefcd94e
Instruction ID: b76415a2f50b2e6e1e7580f91431b88f91074dd6af2ff8555349cc989c2593bf
Opcode Fuzzy Hash: 32f9214cb8bf425c7286f2d68ffb28a7b098a0248b74623749ef49fbbefcd94e
Instruction Fuzzy Hash: 5CF0C975D0120CAFCF45EFA8D981AAEBFB1FF48300F0085AAE914A3250D7759A61DB91

Uniqueness

Uniqueness Score: -1.00%

Function 04BCA5CF, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e7d897f51b4ea0a352dd43354b0f50ff381234b6bfb95cb8839feb4c3ca132
Instruction ID: 6113f9f0c75d581e52a5b40a064e895895a6ddfeabe2ed2bb1debed13064222d
Opcode Fuzzy Hash: 31e7d897f51b4ea0a352dd43354b0f50ff381234b6bfb95cb8839feb4c3ca132
Instruction Fuzzy Hash: FBE08679A59288DFC702EB7CD5860AC7FB0EF06204F1104EADD0997693EA342A47CB52

Uniqueness

Uniqueness Score: -1.00%

Function 058829E0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a993856e758de407f7c0b925f514e005227309df5317f7604f344ebfafa39843
Instruction ID: 302e4541ce0dd50d69aea9d8567035ee29dd52d0e65a38e6d6f6bc103391128b
Opcode Fuzzy Hash: a993856e758de407f7c0b925f514e005227309df5317f7604f344ebfafa39843
Instruction Fuzzy Hash: 6FE09274C0410CEFC744DF94C940AACFBB4EF48300F10C1AADC1593341C6355A41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 05882A69, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bef1c2223d04d529c787627d1de78966c616a66299fe6d26d6cb70a759d279c
Instruction ID: be9ba7715afcdf63fc0a77f03cca983657877307b96381e54122518c052997f0
Opcode Fuzzy Hash: 0bef1c2223d04d529c787627d1de78966c616a66299fe6d26d6cb70a759d279c
Instruction Fuzzy Hash: 2BD02B3018A12C97C314E6ACEC817AE3318DF01708F100095840793381E6349D418185

Uniqueness

Uniqueness Score: -1.00%

Function 04BC58FA, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc3c991c608a667e5e0c5e0dc904bf54eb1d533ae98f91740c43bc54818ad541
Instruction ID: 5878c8af0558d9cb13e45b0f00cf5451b8e75a2b5ce49d09df76bb31a2dcdc57
Opcode Fuzzy Hash: cc3c991c608a667e5e0c5e0dc904bf54eb1d533ae98f91740c43bc54818ad541
Instruction Fuzzy Hash: A4E039309051AE9FCF51CF94C8449CEFB31FF02300F0049EA980A7A018D3722A8A9F91

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9EE1, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf681c50cc8a2165e647dc612971f8887cfee182050803c5f768c2c7f340b3ee
Instruction ID: a078eb874ae3bac040a1231106d67030569dba46d15a80c0c36d248e4f9ea013
Opcode Fuzzy Hash: bf681c50cc8a2165e647dc612971f8887cfee182050803c5f768c2c7f340b3ee
Instruction Fuzzy Hash: 78F0D47491211DCBEB50DF58DD88B9DBBB1FB49301F0046DAE90AA3280DB34AD84CF19

Uniqueness

Uniqueness Score: -1.00%

Function 04BC4EC0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da2013bb58a3bf8543fada3b08e2f8abf651f28b680a15cb57f871eb70fd96e5
Instruction ID: f2452ae5760104e06e5dbb473e65f569ef73796c62048b409c1a5e170ad5f607
Opcode Fuzzy Hash: da2013bb58a3bf8543fada3b08e2f8abf651f28b680a15cb57f871eb70fd96e5
Instruction Fuzzy Hash: 3FE07DA0C0B1548ECF18D7B84A5139C7FF0CB01202F1006FDC94141540D1740701C712

Uniqueness

Uniqueness Score: -1.00%

Function 05882A30, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107b7d541b7690482e9d593727a802a95a21525b12c77983b23db92084043cd4
Instruction ID: a2ebdc4bebf0bb6a101c61d837a32cb828af7e6f599c1147a2e76766c86ab3a2
Opcode Fuzzy Hash: 107b7d541b7690482e9d593727a802a95a21525b12c77983b23db92084043cd4
Instruction Fuzzy Hash: C7E04F74E05108EFC704EF98D541AACFBB4EF48304F1080EACC1993351C631AE02CB85

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8909, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb9cc583d9d8d67cb504180e4c0b938d4d5640f00a854479d689a7b7425f470
Instruction ID: b12f460aed0044bb8638a3aa35f3a0a9aa96ed61825675f3c9627dea414687dd
Opcode Fuzzy Hash: 7bb9cc583d9d8d67cb504180e4c0b938d4d5640f00a854479d689a7b7425f470
Instruction Fuzzy Hash: 8EE01AB0E1A2489FCF55EBB8C49579DBFB0DB55301F0441EEC90AA3651D6741950CF42

Uniqueness

Uniqueness Score: -1.00%

Function 04BC8949, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6593ea527d309ae39443d90535e2a5cbd46604a9abe56760bf13febd09e6c39c
Instruction ID: 231736d123d63acac174356d732d5351f0ff6b79ea3ec0e5bfd35e91f4edd4fe
Opcode Fuzzy Hash: 6593ea527d309ae39443d90535e2a5cbd46604a9abe56760bf13febd09e6c39c
Instruction Fuzzy Hash: 59E0E575D01208AFC744EFA8C54A75CBBF4FB48309F2091EED819AB760E6756945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04BC93A2, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 968320c91cb8abe0b4f34d5f0e537c9a59338d5c49f20cdf6aee2e53680f2f33
Instruction ID: 4b77aa147de8de4eb6289385cb4a56cfc11eee62788e99ff7d0fb7b865066398
Opcode Fuzzy Hash: 968320c91cb8abe0b4f34d5f0e537c9a59338d5c49f20cdf6aee2e53680f2f33
Instruction Fuzzy Hash: 2AE09AB0D0A608EFDB09DFE4D4846ADBB70EF84300F1081EED81563290D7302A40DF44

Uniqueness

Uniqueness Score: -1.00%

Function 04BC1FFC, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5394feb2a98074b5093995d79ec4986cbde94176dad8c65efe2775ecca8052c9
Instruction ID: e978d46dd6b8881f7556072c090ea91878b0a4089e0077514cc50c57fe8bd27f
Opcode Fuzzy Hash: 5394feb2a98074b5093995d79ec4986cbde94176dad8c65efe2775ecca8052c9
Instruction Fuzzy Hash: 02E065B4A01348CFCB25CF64C8842C8BBB2EB46300F0052DAC4A5AB215D3315A42CF45

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9BC8, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1b065927d7369e132ca8a292e2a763d1f0a3feeb84608ed107a014fe51f3f4
Instruction ID: 58d7c4371c86d0cbdd375263cdbe8e892d10baee01e247bd6a9af433037a756c
Opcode Fuzzy Hash: 7a1b065927d7369e132ca8a292e2a763d1f0a3feeb84608ed107a014fe51f3f4
Instruction Fuzzy Hash: 77E04F70D0920CEBCB14DFE8D48059DBB79EB44300F2080AED80413300D7316A51DF95

Uniqueness

Uniqueness Score: -1.00%

Function 05881498, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff55e8f97cb48f8ca64f355512e51b3f999516119bf7a6abb4e6ffed003fc85
Instruction ID: ad5a0b7bdf6f7f0b8f0c7d0f59fd0af3e3081c943f76e1cb25f74810870eb2ea
Opcode Fuzzy Hash: eff55e8f97cb48f8ca64f355512e51b3f999516119bf7a6abb4e6ffed003fc85
Instruction Fuzzy Hash: 65E0ECB4D0520CEBCB04EFE8D5499ADFBB9EB44304F1082AADC09A3740DA786A41CF49

Uniqueness

Uniqueness Score: -1.00%

Function 058813F1, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed68cd76371a72e6997316b509084a2812d56f91343fc0ec66535724b77a2c10
Instruction ID: 6a1e4869b62af10d82832eab4fa26d2259306a65ef85dfb502988e0b07dc2773
Opcode Fuzzy Hash: ed68cd76371a72e6997316b509084a2812d56f91343fc0ec66535724b77a2c10
Instruction Fuzzy Hash: 97E02C304192848BC306EB78C00EABABF21FF03209F1800A9C85A87283CE321802CA95

Uniqueness

Uniqueness Score: -1.00%

Function 04BC201B, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d230e5391b5f1ef7fa48fc17d7ca33f4e91de8383cef77ccecde12239247f7
Instruction ID: 06e4d3b5688fd8f940c497d58c5f1d8fba031e67ca128051413764f826757067
Opcode Fuzzy Hash: b9d230e5391b5f1ef7fa48fc17d7ca33f4e91de8383cef77ccecde12239247f7
Instruction Fuzzy Hash: E6F00C78A02758DFCBA1DF59C984A99BBB1EB4A311F5010D9A459AB310D631AA81CF01

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9070, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcc707a54ea3d7355b6cecb6d6fb54ff66c3639c9e0275750fe2f4405e3ac7c
Instruction ID: e622b4ddebe9f4f1ab2b2949e65b9db7e341373ccca376c415385a00e38c3640
Opcode Fuzzy Hash: ffcc707a54ea3d7355b6cecb6d6fb54ff66c3639c9e0275750fe2f4405e3ac7c
Instruction Fuzzy Hash: AFE08CB0D2A108ABCB04DBF8D4856AC7FB0AB49314F20019EC80663251EA301945CB12

Uniqueness

Uniqueness Score: -1.00%

Function 04BC93B0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4fedd326c02256a55b1f23a62a46d321a0674d04a9813cc6cabd772c15fad0
Instruction ID: 30c23218fb290996bcb66fb9834e82cfe1458d54ca98a14c812a6ad43a4d5d15
Opcode Fuzzy Hash: 8d4fedd326c02256a55b1f23a62a46d321a0674d04a9813cc6cabd772c15fad0
Instruction Fuzzy Hash: C9E0ECB4D46608EBCB04EFE8D4855ADBBB4EB85310F1091EAD85563350D7342A41DF95

Uniqueness

Uniqueness Score: -1.00%

Function 04BC6B28, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2244c064d46adc7a7737c5890bf4b6c09dbcdc69d66fd93a8ed67edcfe74621c
Instruction ID: cd4017cd68e3924588b03798622dcbc358a112095455dd3549570a16217f0d13
Opcode Fuzzy Hash: 2244c064d46adc7a7737c5890bf4b6c09dbcdc69d66fd93a8ed67edcfe74621c
Instruction Fuzzy Hash: A8E08C30812208EFC705EFB4C946A9DBFB4EF04300F5040B9D90443220E731A6A4DB91

Uniqueness

Uniqueness Score: -1.00%

Function 05881400, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16cf994019212dcca53bea35fedff6b09ab37ac5836638d47ebe736f67969ae7
Instruction ID: 448bd23e5e88d290c49d9ec3f13717ce8e20bbe38f1e6866eecd61aebc501545
Opcode Fuzzy Hash: 16cf994019212dcca53bea35fedff6b09ab37ac5836638d47ebe736f67969ae7
Instruction Fuzzy Hash: D7D0127080520CDBC704EFA4E54D96DBF75FB45305F2041A99805A3341CA711945CA99

Uniqueness

Uniqueness Score: -1.00%

Function 04BC5854, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e3c98e8299c3e5c0bc7b7d1f95cb8f7cab575089807ea098689945efc4b086
Instruction ID: b9b70bb91b0af9ac7df664d0343b02526243a9352660f13e18ca712cce3b2272
Opcode Fuzzy Hash: 94e3c98e8299c3e5c0bc7b7d1f95cb8f7cab575089807ea098689945efc4b086
Instruction Fuzzy Hash: EDF01574D0A25A8BCB14CFA48D11B8DFBB1BB15300F0486EA9109A7281E7344A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04BC4E89, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae15a3a46a210449dd5fe51c199a5002385f964deca8c115dcb1dfce8e63202
Instruction ID: d7af3ea96c2686483f7ccf05a222275be32b99c510c23f8fc759c598f5e3bee9
Opcode Fuzzy Hash: fae15a3a46a210449dd5fe51c199a5002385f964deca8c115dcb1dfce8e63202
Instruction Fuzzy Hash: 56D0A7A141B2449FC302D7B4591376E3FF0CB12200F154AEE9406D3952D5BD4D06CA63

Uniqueness

Uniqueness Score: -1.00%

Function 058803E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b264d4afdf366378b767b7deaa5c662b68ad4bae3beed755e0d52042ba4e00da
Instruction ID: dee3527f24d58cbdb2e9718cb89b05c45f500a704e9fc1c3a2b23fba8074268f
Opcode Fuzzy Hash: b264d4afdf366378b767b7deaa5c662b68ad4bae3beed755e0d52042ba4e00da
Instruction Fuzzy Hash: 00D05B7095520CDBC704EFE8D54996CBF78EF05305F100099DC0993350DB315D48C755

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9078, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c069b17d541e98246656d8db4b7f951399aa727cda157b83e65841367340f19b
Instruction ID: 8772a8485cbeeb6ee9804e442d562cd3e09b6df88effefd93549da55e186783e
Opcode Fuzzy Hash: c069b17d541e98246656d8db4b7f951399aa727cda157b83e65841367340f19b
Instruction Fuzzy Hash: 9CD05EB4D1A20CDBC704EFF8D8856ACBBB8EB09315F2000EEC80663351EA302A50DB95

Uniqueness

Uniqueness Score: -1.00%

Function 04BCA5E0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14281c724084174940ed2586c7d7d6eb11bb087b3d435420da9a059c86cd9a3d
Instruction ID: 256a791ea877936a5e0eebe5938d90e722d4843ec18e630ef51153e77cc36d31
Opcode Fuzzy Hash: 14281c724084174940ed2586c7d7d6eb11bb087b3d435420da9a059c86cd9a3d
Instruction Fuzzy Hash: CAD0127491610CDBC704DBECD98565CBB749B09201F104099DC0593650DA306980C655

Uniqueness

Uniqueness Score: -1.00%

Function 04BC9B88, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5055f394aacbe03c09b8768dfde5ab16abb10bcaae5ac2c484984a650d0ada7c
Instruction ID: 64d70c59f9185ae358439aed56e65f90c193a7299f23d5504f9d3243928ad5b3
Opcode Fuzzy Hash: 5055f394aacbe03c09b8768dfde5ab16abb10bcaae5ac2c484984a650d0ada7c
Instruction Fuzzy Hash: 41E0C774A24208EFC704EFA8C0846ACBBB8EB04300F2000EDC80553320EA306E40CB42

Uniqueness

Uniqueness Score: -1.00%

Function 05882A78, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.342018107.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3636b43f92b0cd942703bfb50c728843d6a85f1fbd383ab1c0ce7d3c621c378
Instruction ID: 5bb52bd3d602daa7e6e790c64ec4a74b2478100d921a5a547669a8a788dc5e66
Opcode Fuzzy Hash: c3636b43f92b0cd942703bfb50c728843d6a85f1fbd383ab1c0ce7d3c621c378
Instruction Fuzzy Hash: DFD0223054B20CDBC324EBE8E881BBE776CEF02704F2000D9880B53601AA302D00C255

Uniqueness

Uniqueness Score: -1.00%

Function 04BC58A8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50f802939ed6851979f2e1e6855aa95ffc96a02198f5d3d15e7e0db00b26fcd
Instruction ID: 1f37b735e8f9a9d97f0a925862f27589fde9a024a241be3339092173a450f15d
Opcode Fuzzy Hash: e50f802939ed6851979f2e1e6855aa95ffc96a02198f5d3d15e7e0db00b26fcd
Instruction Fuzzy Hash: 41E0B6319015AE9BCF51CF90C9409DEBB32AF45310F005885980A7B064D7752B8A9F90

Uniqueness

Uniqueness Score: -1.00%

Function 04BC5522, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e841f73a7be09119f0df9974698bdd0f8515db140c5e7e0c11b75bfd035fea85
Instruction ID: 586b0312b025ece7ecdde1e55d2ef85831b086dfcaa9bbf8312606ce22763d88
Opcode Fuzzy Hash: e841f73a7be09119f0df9974698bdd0f8515db140c5e7e0c11b75bfd035fea85
Instruction Fuzzy Hash: 79E01A38A112148FC754CF94C98869DBBB1EB48300F2190EAE40AFB334E7349E81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00AC23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336825586.0000000000AC2000.00000040.00000001.sdmp, Offset: 00AC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8410c0202544fc3ccf5ba4d1ada89ce25e10b8a073d28ceed2acc6661ac3e1
Instruction ID: d67127074e43e62f812ac2fcaf5ca8fb18468117e94872cba59e90bb535a063e
Opcode Fuzzy Hash: 1a8410c0202544fc3ccf5ba4d1ada89ce25e10b8a073d28ceed2acc6661ac3e1
Instruction Fuzzy Hash: 04D05E79245AC14FD32A8B1CC2A8F953BA4AF51B04F4744FDE8008B663C368D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 04BC1D9D, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f685dadf0657d28dcf9b978f7512f9967bf49f5cdfbebeb6a750681d4989ce
Instruction ID: 80419c744a40deb5564fb786e45e783335763e608b5ced2a8cc8a6c27b4aa917
Opcode Fuzzy Hash: f0f685dadf0657d28dcf9b978f7512f9967bf49f5cdfbebeb6a750681d4989ce
Instruction Fuzzy Hash: 57E09275602314CFCB54DFA4D5A4898BB72FF09312F5000D9E406AB361CB75EA82CF01

Uniqueness

Uniqueness Score: -1.00%

Function 04BCBA88, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644b2d59a4ef5fdd46ff16148fec7e15d68e70d74195a63048fa29ffde5c162d
Instruction ID: 1444ab70a1095990238d750c2ac027b801ff5cb4f34958e4983fd1d3b605a43f
Opcode Fuzzy Hash: 644b2d59a4ef5fdd46ff16148fec7e15d68e70d74195a63048fa29ffde5c162d
Instruction Fuzzy Hash: 1CE07574A04359CFCB65CF24D984A5CBBB5BB09200F1081DAF919A7354EB316E85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 04BC62EA, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c3ecfb6405da7392c8b95b6cdddfc7452a2a156130dc36d347ecdd8df6ed1f
Instruction ID: b7c7f5ad15854375d52c6a95127b48a253e979dd2a8830df449346c51d57b8b1
Opcode Fuzzy Hash: 63c3ecfb6405da7392c8b95b6cdddfc7452a2a156130dc36d347ecdd8df6ed1f
Instruction Fuzzy Hash: 7FE0753590A1648FCB64CFB4D94869DB7B1BB48340F2091EA944EA7724D7309E81DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00AC23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.336825586.0000000000AC2000.00000040.00000001.sdmp, Offset: 00AC2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 211e28df2cad957d48e0f55e4ae360c863f7aea53239078c450081157804a04d
Instruction ID: 89d54689b2753ea38c2af0b3e8ad919e3683081e970039ccee90a59f40ab4696
Opcode Fuzzy Hash: 211e28df2cad957d48e0f55e4ae360c863f7aea53239078c450081157804a04d
Instruction Fuzzy Hash: 61D05E343102814BD716DB0CC698F5937D4AB41B00F0744ECAC008F362C7B9DC81C600

Uniqueness

Uniqueness Score: -1.00%

Function 04BC0070, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2901d3305e03a7ab831d6e5fb758306a85cf0933efb18c44e4779fd52722f3d2
Instruction ID: 21887afe847f6e7fb93061df80fb324f5aad223426031c1f1affa12dd24d9769
Opcode Fuzzy Hash: 2901d3305e03a7ab831d6e5fb758306a85cf0933efb18c44e4779fd52722f3d2
Instruction Fuzzy Hash: 87C01271406208DBC701EBF4990971A7B98DB05306F0402B9940983610DA755611C6B7

Uniqueness

Uniqueness Score: -1.00%

Function 04BC5AAA, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.338915553.0000000004BC0000.00000040.00000001.sdmp, Offset: 04BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1ce9666c6c944f95ad2b31c1abdbb2a72ef837d6a062c10ef12d90662c5f0d
Instruction ID: a3732ec05a47ded582f12772240d254db70d95266a4df6bec51816c36472e390
Opcode Fuzzy Hash: 8e1ce9666c6c944f95ad2b31c1abdbb2a72ef837d6a062c10ef12d90662c5f0d
Instruction Fuzzy Hash: 45E0EC38D1622A8FCBA0DFA0CA4869CBBB1FB45300F1094DAC406A6314EB306A449F00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 4140 Parent PID: 6520 dhcpmon.exeCOMMON

Executed Functions

Function 057B3850, Relevance: .7, Instructions: 732COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08c2285b450f453ee168eece722922289e91f000575357a5a95d3176dd6af416
Instruction ID: 7a9d8fff44dde3ab3857b067b64fd0724ca1961714a7ac12a39da3844e16ca07
Opcode Fuzzy Hash: 08c2285b450f453ee168eece722922289e91f000575357a5a95d3176dd6af416
Instruction Fuzzy Hash: 4C42F371A00115DFDB15CF68C984AEEBBB2FF84300B29C9A6D4099F216D7B1EC81DB91

Uniqueness

Uniqueness Score: -1.00%

Function 057B23A0, Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4daaaa03dfa1aad4fe5eb442136872adef7798b3a2a4f2293977108a2913f0
Instruction ID: 1c95fb6d204132d9c1add76c9c5e1bc10eec69257cc1c7ced1a3e50f1e735b4b
Opcode Fuzzy Hash: de4daaaa03dfa1aad4fe5eb442136872adef7798b3a2a4f2293977108a2913f0
Instruction Fuzzy Hash: E212CE38A02615CFEB24DF25D4847EDB7F2FB85304F248169D406DB256EBB88C86EB50

Uniqueness

Uniqueness Score: -1.00%

Function 057B2FA8, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c768c624ad985f21e254d5aba94766f233fe841031e2397273130b7a3030d1ca
Instruction ID: 2660d04450e1af214210fcb2d3ce2d16193df5cfc3a7b5f3969ef209943e64d0
Opcode Fuzzy Hash: c768c624ad985f21e254d5aba94766f233fe841031e2397273130b7a3030d1ca
Instruction Fuzzy Hash: CD81DC31F041099BEB04DB68D894BAEB7F3AFC8310F2A8464E415EB365EE74DC419B90

Uniqueness

Uniqueness Score: -1.00%

Function 057B09A1, Relevance: 5.2, Strings: 4, Instructions: 176COMMON

Download Yara Rule

Strings

X1q, xrefs: 057B0A5A
X1q, xrefs: 057B0A50
X1q, xrefs: 057B0A98
X1q, xrefs: 057B0AA2

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID: X1q$X1q$X1q$X1q
API String ID: 0-1201878573
Opcode ID: d08ce44cfdf27634f69b93329a839a361516414a501809e34f511698ee194562
Instruction ID: 325b6e6687b1cf13c4d36829a0bf7c2304cb853def67bb27cf9386385ecf4007
Opcode Fuzzy Hash: d08ce44cfdf27634f69b93329a839a361516414a501809e34f511698ee194562
Instruction Fuzzy Hash: E8519D35B00615EFDB05DBA8D858BEFB7F2BB84304F2185A9D5069B260DB74AD02DB81

Uniqueness

Uniqueness Score: -1.00%

Function 057B0682, Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

Zho^, xrefs: 057B06A1
Yho^, xrefs: 057B0702, 057B0707

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID: Zho^$Yho^
API String ID: 0-863811625
Opcode ID: 6133ebca57471d0e475a08c7902b027c0b76538597e4b8d5e68e71c7ff6d0f5b
Instruction ID: e755f80a1a81e963b9b28e857fd7cd94d97573ac164a51ea59e0922c240e518c
Opcode Fuzzy Hash: 6133ebca57471d0e475a08c7902b027c0b76538597e4b8d5e68e71c7ff6d0f5b
Instruction Fuzzy Hash: 3E41B535602A058FEB05BBB4F85C6AD3BA6FFC1B027158469F403CB26ADF784C419B91

Uniqueness

Uniqueness Score: -1.00%

Function 057B12A0, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

$gq, xrefs: 057B1349

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 220ef08b71fa6dc3dae50d9cf1a6d37834579d309c12afd1d527592c19e0a166
Instruction ID: 0234522ce3c833c83bc5075ab8d7465babf9279ccbfe58984efeb4d486b9109a
Opcode Fuzzy Hash: 220ef08b71fa6dc3dae50d9cf1a6d37834579d309c12afd1d527592c19e0a166
Instruction Fuzzy Hash: 4B224638A00605CFDB64DF24C594AAAB7F2FF89300F508999D85A9B712DB34ED86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 058E01F4, Relevance: 1.6, APIs: 1, Instructions: 101synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 058E019D

Memory Dump Source

Source File: 00000015.00000002.353670174.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8f91e7ee95ae651e031e32c05e7365ef42a702ccbe007eba00c253b08b1ad083
Instruction ID: c71369c6e4bdfa4ffb32f4dceb688e333e7a3c1c068d3b1821421aa2c653f434
Opcode Fuzzy Hash: 8f91e7ee95ae651e031e32c05e7365ef42a702ccbe007eba00c253b08b1ad083
Instruction Fuzzy Hash: 9A31A3715093849FD712CF64DC49BA6BFB4EF46224F0884ABDD85CF262D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0309AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0309AAB1

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4e2ab2fdf06c96acac6283c2689b84db426894c9dade5573256b55521667cffc
Instruction ID: 5e7eced7aff59f0229e5336fbd22ee66b703e3127bfffc360621273193ddf804
Opcode Fuzzy Hash: 4e2ab2fdf06c96acac6283c2689b84db426894c9dade5573256b55521667cffc
Instruction Fuzzy Hash: B031D4725443846FE722CB25CD45FA7BFECEF06310F08859BED849B152D264A909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 058E00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 058E019D

Memory Dump Source

Source File: 00000015.00000002.353670174.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f55ee826990374cc422f3f40b781eb06109bb1b11293619f7743a2f303172fb5
Instruction ID: 4f9c37a6d7833dbbdc266dec5aa2028bcf5dd4ec96ad709125bc3e2b7aef7575
Opcode Fuzzy Hash: f55ee826990374cc422f3f40b781eb06109bb1b11293619f7743a2f303172fb5
Instruction Fuzzy Hash: BF318F71509780AFE722DB25DD85B56FFF8EF06210F08849AE984CF292D365A909C761

Uniqueness

Uniqueness Score: -1.00%

Function 0309AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,BBE84898,00000000,00000000,00000000,00000000), ref: 0309ABB4

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e6de075151a39c4457ed4057e460cacb45f26a1f633978049e3aacf07e988988
Instruction ID: a19077e2b31360178ac024d6f69d9277b4e743933f9285f07d5e465dcb35a7c7
Opcode Fuzzy Hash: e6de075151a39c4457ed4057e460cacb45f26a1f633978049e3aacf07e988988
Instruction Fuzzy Hash: 403191711097846FEB22CB25CC45FA2BFECEF46310F1885DAE9859B153D264E548CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0309AF50, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0309AFEA

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 68b6b9c83e066be0b2b3087c9ea6acb95d2f9091acc67334b50caf1037125c65
Instruction ID: aba534f74e21122cce9ac8a16a765197dcf577baa62f3f89161f54415f050490
Opcode Fuzzy Hash: 68b6b9c83e066be0b2b3087c9ea6acb95d2f9091acc67334b50caf1037125c65
Instruction Fuzzy Hash: AD21C47140E3C06FD7138B258C51B21BFB8EF87610F0A81DBE884CB5A3D129A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0309AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0309AAB1

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e20ba8d3b701bf7ea90120c41ddf8549ab014232e6121ab195d5a2744e75ed65
Instruction ID: fd8ec1af4576ac03e7d8498f7d6620fb379c968215678e076d21b18efce8c46c
Opcode Fuzzy Hash: e20ba8d3b701bf7ea90120c41ddf8549ab014232e6121ab195d5a2744e75ed65
Instruction Fuzzy Hash: A521C272500244AFFB21DE19CE49F6BFBECEF04310F14855AED459B241D664E5088BB1

Uniqueness

Uniqueness Score: -1.00%

Function 058E012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 058E019D

Memory Dump Source

Source File: 00000015.00000002.353670174.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e8ca188b53a0b2509a1cc344fe213129aa9eb1ef188a0b354b19c2a8aa3ce890
Instruction ID: 7c4af7a55d351de6debfcede647f01a0726c0394b01033717c3ad5a3b45e6813
Opcode Fuzzy Hash: e8ca188b53a0b2509a1cc344fe213129aa9eb1ef188a0b354b19c2a8aa3ce890
Instruction Fuzzy Hash: E521AC71504244AFE721DF69DD89B6AFBE8EF05310F04886AED89CB242D2B1E904CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0309AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,BBE84898,00000000,00000000,00000000,00000000), ref: 0309ABB4

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5a1df53995e665a44e89514db25c3ff11e4e9260d55a53510604afb530e131d8
Instruction ID: f2d51f39be1eb17809b3b61f77d3278df8787d326fcc7cdb21e2299ae6d6fc8f
Opcode Fuzzy Hash: 5a1df53995e665a44e89514db25c3ff11e4e9260d55a53510604afb530e131d8
Instruction Fuzzy Hash: EB219071601604AFEB21CF29DD85FA6FBECEF04710F1884AAED459B252D360E408CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0309A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0309A58A

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0bef6e899ba54f4278c86e410ec7813ee22c71608f49bbf742df393fc897d8cd
Instruction ID: a453b6261dafd50d1e450a61e17b40d35791e54efee3f709adbb4325b104e197
Opcode Fuzzy Hash: 0bef6e899ba54f4278c86e410ec7813ee22c71608f49bbf742df393fc897d8cd
Instruction Fuzzy Hash: 53117271409780AFDB228F55DC44A62FFF8EF4A220F0885DAED898B562C275A418DB71

Uniqueness

Uniqueness Score: -1.00%

Function 0309B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0309B841

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a6a18373feed8a844ef343795ee5ebbd8cd26aa1e1ffacecc2f39dcb87e952a2
Instruction ID: b513720e8237aba41f0bcbd3263555f3ea5dfa5de695c544d9a543992140e09e
Opcode Fuzzy Hash: a6a18373feed8a844ef343795ee5ebbd8cd26aa1e1ffacecc2f39dcb87e952a2
Instruction Fuzzy Hash: C2218E714097C09FDB128B21DC50A92BFB4EF1B220F0D84DAEDC44F163D265A958DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0309BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0309BBB9

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cb0bb98d98fcf4e4e0c8df129f495282c4feb78e4b5549027a7750833f43a46a
Instruction ID: 3c3cd863a5076879c674e437975f4a11cb5eb3c057550b1959718febd044e21d
Opcode Fuzzy Hash: cb0bb98d98fcf4e4e0c8df129f495282c4feb78e4b5549027a7750833f43a46a
Instruction Fuzzy Hash: 5611B1354097C09FDB228F25DC45B52FFB4EF16220F0885DEED858B563D265A418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 058E05EF, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 058E0650

Memory Dump Source

Source File: 00000015.00000002.353670174.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 58b4e422878b6166b0cf1c87b0184d57b518fb723026923d9f8ae92fa3e5f1ae
Instruction ID: 6f30a49d7ed023abc4cae1242a5fa06f94389fcedb60cba80f5f97712220f390
Opcode Fuzzy Hash: 58b4e422878b6166b0cf1c87b0184d57b518fb723026923d9f8ae92fa3e5f1ae
Instruction Fuzzy Hash: EE11B1714493C09FD7128B25DC84B52BFB4EF42220F0884EBED858B653D2659808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0309BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0309BE70

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 977406fcbd8fc7892fc42cc0c1f8d69281271e42bb4fd5617a4b1471801da5bb
Instruction ID: 2cbc4d0aacb23a0a86484feae8a241cddec6be56c60e0940d10bda153de35d91
Opcode Fuzzy Hash: 977406fcbd8fc7892fc42cc0c1f8d69281271e42bb4fd5617a4b1471801da5bb
Instruction Fuzzy Hash: 5A117F754093C09FDB138B259C44761BFB8EF47624F0984DBED844F263D2695808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0309B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0309B78A

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 6aa4cee2f80b15a3e939298aab31a8c926a2a21825b94d10a5cbf003d5d73336
Instruction ID: f03f0fff56eddb980b9798e8541166cebea4809a6bd3fc1e4114b6eb818c9383
Opcode Fuzzy Hash: 6aa4cee2f80b15a3e939298aab31a8c926a2a21825b94d10a5cbf003d5d73336
Instruction Fuzzy Hash: 97119D32409780AFDB22CF54DC44A52FFF4FF49320F0985AEE9898B662C375A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0309A75B, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0309A7BC

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 7bacaa97a90903a4041f9bb3d2346fdb373f0d5a7f5583120392882cff7c7f1f
Instruction ID: 64b4cf8674719a9f2df55332c46facab0a6565ad2ce5490bd4b796bd0dfd5825
Opcode Fuzzy Hash: 7bacaa97a90903a4041f9bb3d2346fdb373f0d5a7f5583120392882cff7c7f1f
Instruction Fuzzy Hash: 0B116D714493849FDB12CF15DC45B52BFB8EF42220F1984EBED898F263D279A448CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0309A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0309A926

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 63140f36847ca95c3cec5823588a889f888ef5b40f43b2083b6482a944457d60
Instruction ID: 81fd9a415b112ae7ec6b8ca98a27687703b13abcd9cde88c8a456b034cc190a5
Opcode Fuzzy Hash: 63140f36847ca95c3cec5823588a889f888ef5b40f43b2083b6482a944457d60
Instruction Fuzzy Hash: DA117C314097849FDB22CF15DC85A52FFF8EF46220F09C4DAED894B262C275A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0309A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0309A58A

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 346cce3378fb5d8bd1c15fd156f86eb3f7a95cc3e853c01b2a47399ec91e7e57
Instruction ID: 8d57a5c27afc2180074ebb33f8520e9afc2e565ba569b947079d6ff6a7d76d52
Opcode Fuzzy Hash: 346cce3378fb5d8bd1c15fd156f86eb3f7a95cc3e853c01b2a47399ec91e7e57
Instruction Fuzzy Hash: AE016D316017409FEB21CF55D944B56FFF4EF48321F08C9AAEE894B612C275A418DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0309B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0309B78A

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 514c7e2a3fdb2cce83b17c4cf26f94fc07681212abdde4c9eec60ee1f22365d6
Instruction ID: 0e1fe54dd8873e88044fb55aef4cebed381619086ea61144e475a6994396d05b
Opcode Fuzzy Hash: 514c7e2a3fdb2cce83b17c4cf26f94fc07681212abdde4c9eec60ee1f22365d6
Instruction Fuzzy Hash: 00015B314016409FEB21CF55ED84B56FFE4EF48320F08C9AEEE894B622D275A018DB72

Uniqueness

Uniqueness Score: -1.00%

Function 058E061E, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 058E0650

Memory Dump Source

Source File: 00000015.00000002.353670174.00000000058E0000.00000040.00000001.sdmp, Offset: 058E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2ef10236481c78ae3a5945c1f1ba55c5573f006482c7bc8298cefc84b661f210
Instruction ID: 3b1c12ecbc05ac0709f9cacc3cd698665928e7c5d7fae07ae6110f55417a300c
Opcode Fuzzy Hash: 2ef10236481c78ae3a5945c1f1ba55c5573f006482c7bc8298cefc84b661f210
Instruction Fuzzy Hash: 1D0171715007449FDB11CF5AE989B66FBA4EF85321F08C4AADD49CB652D2B4A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0309AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0309AFEA

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: 11094342e0b4153617c72ae1f86287dae7f8db34ce01cb75514af81b7f1c70d9
Instruction ID: 3c2c4715433954a9bba7488e92a86829eab26651894a1d54ba99b16bbc9257e2
Opcode Fuzzy Hash: 11094342e0b4153617c72ae1f86287dae7f8db34ce01cb75514af81b7f1c70d9
Instruction Fuzzy Hash: 7001AD75500601ABD250DF1ADC82B26FBE8FB88B20F14C15AED084BB41E631F915CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0309BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0309BBB9

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e5653b5bf5dfb0b96a3642110d9cb610f8f93ba0417d433c66848baa3c3596e0
Instruction ID: ea49e6e247ebb6f1055cc6fb9abe946cbff21087561fcda57c69807c10afbdfd
Opcode Fuzzy Hash: e5653b5bf5dfb0b96a3642110d9cb610f8f93ba0417d433c66848baa3c3596e0
Instruction Fuzzy Hash: D501B1355016408FEB21CF15ED44B65FFE4EF04320F08C4AEDD494B666C271E418DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0309A78A, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0309A7BC

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 32c63c93f7b2d165af6bb85ae2b54478e33eea1de0d76e68d8f3babc7551d170
Instruction ID: 34fb3ddd6c5abea3055754dcae903ded0514b889205fd9584ac6d712a3495853
Opcode Fuzzy Hash: 32c63c93f7b2d165af6bb85ae2b54478e33eea1de0d76e68d8f3babc7551d170
Instruction Fuzzy Hash: 0C018B749012809FEB11CF15DD89766FFE8EF44221F18C4ABDD488B612D274A408CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0309B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0309B841

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 955589fd10af78c64118f92829349ff8a83abc4a51707f1b75ddc1f06b047483
Instruction ID: f260d1c13981706a8f23e77d74ad528d190798a92f43acad8904c99a7cc9b675
Opcode Fuzzy Hash: 955589fd10af78c64118f92829349ff8a83abc4a51707f1b75ddc1f06b047483
Instruction Fuzzy Hash: EE018F31401640DFEB21CF15E984B66FFE4EF08721F08C4DAED890B622D275A418DBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0309A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0309A926

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: cb45bf9077f31288c6f964e08dcdc9fc9b3798ec958fb118f30c4243ef4f0bdb
Instruction ID: 888c800c04671ff5bccb33dda22ae2d23debc2b84baa90f75160fceb53d888e0
Opcode Fuzzy Hash: cb45bf9077f31288c6f964e08dcdc9fc9b3798ec958fb118f30c4243ef4f0bdb
Instruction Fuzzy Hash: 3A01AD319016409FEB21CF05D989755FFE8EF08321F08C4AADD8A0B612C275E408DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0309BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0309BE70

Memory Dump Source

Source File: 00000015.00000002.351639630.000000000309A000.00000040.00000001.sdmp, Offset: 0309A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 5391cfaf8bed0c2d4cadad25bbd6ee169965199252a56d8d47587975777778d4
Instruction ID: 80f1ccbf716d9e78bd8c82cfa9bf00aec3e3dc6a228f96339b7e985cf66d0712
Opcode Fuzzy Hash: 5391cfaf8bed0c2d4cadad25bbd6ee169965199252a56d8d47587975777778d4
Instruction Fuzzy Hash: A7F08C358056848FEB21CF05E988765FFA8EF04321F08C4AADE494B612D275A408DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 057B20D0, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

r*+, xrefs: 057B230F

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID: r*+
API String ID: 0-3221063712
Opcode ID: 96f53799baae6b75bcc15f4edcdd51ac51572110b15ddb2b6742af55bacbc2df
Instruction ID: 6f1512bf8d88e3e572cdeb169c2c681e61f4a6b7268863276c2522ed8731a5d2
Opcode Fuzzy Hash: 96f53799baae6b75bcc15f4edcdd51ac51572110b15ddb2b6742af55bacbc2df
Instruction Fuzzy Hash: 13713C38A0A209DFEB44DFA4C585BFEBBB2FB85300F15806AC502DB256D7B49D41DB52

Uniqueness

Uniqueness Score: -1.00%

Function 057B02E8, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

`5q, xrefs: 057B03A5

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID: `5q
API String ID: 0-3867205651
Opcode ID: cb249fa966eee7f1516eb37003e0dc72dc9874ac2204944882b8f276c4f27327
Instruction ID: a82a672a3c13c01fc7c71902d94008cbb574ed58cb831cc1a688f02334b91cf6
Opcode Fuzzy Hash: cb249fa966eee7f1516eb37003e0dc72dc9874ac2204944882b8f276c4f27327
Instruction Fuzzy Hash: EC517C34A052058FEB09DB68C598BAE7BF2FF89300F18856DD406AB361DB75AC019B52

Uniqueness

Uniqueness Score: -1.00%

Function 057B2D58, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

, xrefs: 057B2E76

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 593d71fbe6df702ded9eb3be4166094cc6c34d91add85290d799df0ed85ddc81
Instruction ID: 88855dae2ef9900148f53e0eda874af8bf05656864f04fecf627e93519fa0a4b
Opcode Fuzzy Hash: 593d71fbe6df702ded9eb3be4166094cc6c34d91add85290d799df0ed85ddc81
Instruction Fuzzy Hash: DA41D478F061158BEB10DF6AC8886FEB763FBC1315B24C576C415DB606C7B6E8429B82

Uniqueness

Uniqueness Score: -1.00%

Function 057B0BC0, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

hXMr, xrefs: 057B0C78

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID: hXMr
API String ID: 0-1185242784
Opcode ID: bf8a9ee4e0cc9952b3e066f4dc7650f9ed5dfd03fcbed332c22528b40def6ddb
Instruction ID: 5dda7a5112ade197162157b1329f51bf7f8ed5c4be5d2602ff808519a684b63f
Opcode Fuzzy Hash: bf8a9ee4e0cc9952b3e066f4dc7650f9ed5dfd03fcbed332c22528b40def6ddb
Instruction Fuzzy Hash: B641B231B051188FDB05DB68C4187EF77E7AF89310F15806AE80AEF2A1CEB59D069792

Uniqueness

Uniqueness Score: -1.00%

Function 057B1458, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

$gq, xrefs: 057B14C7

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 8a44cc40c9cc4bad0bd589b2aa7d657e35b9af806e35c7b72f343198ce10a7f7
Instruction ID: c7f58c87955b9b22de4498504c0b15e94396b3e0aa5cfc65c21640afce195f79
Opcode Fuzzy Hash: 8a44cc40c9cc4bad0bd589b2aa7d657e35b9af806e35c7b72f343198ce10a7f7
Instruction Fuzzy Hash: AF51F438A04219CFDB54DF64C898B9CBBF2BF89340F5040A9D40AAB361DB759E85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 057B1290, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

$gq, xrefs: 057B1349

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID: $gq
API String ID: 0-815412418
Opcode ID: 3b460b798b037783af602535e27ddc437f21a8439318c253e302a15cf31abd5a
Instruction ID: 77c056d5d896951a855f270b7d2862e34c70e9e333a6056a2e59f5aecb8e3b71
Opcode Fuzzy Hash: 3b460b798b037783af602535e27ddc437f21a8439318c253e302a15cf31abd5a
Instruction Fuzzy Hash: FF413534E04219CFEB54DF64C894BEDBBB2BB89340F4040A9D40AAB351EB749D84DF61

Uniqueness

Uniqueness Score: -1.00%

Function 057B05B9, Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

8$q, xrefs: 057B05D6

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID: 8$q
API String ID: 0-2903697390
Opcode ID: 96722171ef8df86afd8a81adddfbb2b419e9a6a2cccd97298498817bc946607b
Instruction ID: a097bd1128b887e6ef1fd49b0e4ab3ec951e910c85ae797ffc36ee0569119c72
Opcode Fuzzy Hash: 96722171ef8df86afd8a81adddfbb2b419e9a6a2cccd97298498817bc946607b
Instruction Fuzzy Hash: 1401F4317020281FDA19A77DA5126FF129BABC6642F19002FF006DB3A9DDB85C4343D6

Uniqueness

Uniqueness Score: -1.00%

Function 057B05C8, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

8$q, xrefs: 057B05D6

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID: 8$q
API String ID: 0-2903697390
Opcode ID: 1514fa56ba805c7c1954a33eef04087bb2bfae8759cec0c5c9e562da1c579c2c
Instruction ID: f04baa1a9c1877f5dca97c3e52706232082f7538c0b2abbdfd61e34b6d5bef04
Opcode Fuzzy Hash: 1514fa56ba805c7c1954a33eef04087bb2bfae8759cec0c5c9e562da1c579c2c
Instruction Fuzzy Hash: 0EF024213011280BDA09B77EB1126BF22CF9BC5A52B15002FF006DB3A8DDB9AC4313E7

Uniqueness

Uniqueness Score: -1.00%

Function 057B0007, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efa09dba771e10a0a06dcfca654fc2676fb907adab776ba34445e2ef2c1bfa6
Instruction ID: 672db762166b29c3b53f944dcf2b5f74796cae686380b4b85369b9368cf849eb
Opcode Fuzzy Hash: 2efa09dba771e10a0a06dcfca654fc2676fb907adab776ba34445e2ef2c1bfa6
Instruction Fuzzy Hash: EC316D3450E7859FDB06EB64D8A85993FB2EE93300709489AD081CB167EB799C44DB12

Uniqueness

Uniqueness Score: -1.00%

Function 057B02DA, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5503a6f8fe7eeca87d01f6392edd647dd8df38f210a8f1894f67b50fcee8c2ae
Instruction ID: 8f1c1b88c8bc9bf9b338940964c843047c6ac789df7a3854752ef896c77a060f
Opcode Fuzzy Hash: 5503a6f8fe7eeca87d01f6392edd647dd8df38f210a8f1894f67b50fcee8c2ae
Instruction Fuzzy Hash: CF413A74A01605CFEB18CB68C198BAE7BB3FF89310F14856DD502AB791DBB5AC409B51

Uniqueness

Uniqueness Score: -1.00%

Function 057B2C58, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c3114958800be477e25d20122fa10a4ad6e4204e92240fadf4782656e55804
Instruction ID: b179b1c457484a82a84cf174d2330d1b35c828f98d87799640a17fab9a9ade95
Opcode Fuzzy Hash: 55c3114958800be477e25d20122fa10a4ad6e4204e92240fadf4782656e55804
Instruction Fuzzy Hash: BC21373860F655CFD715DB28D488BF9BBE6FF86310B194566D446CB253C7A09C00E792

Uniqueness

Uniqueness Score: -1.00%

Function 057B21E9, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09fa23765bc5d495cbe45814fac8b5bf79cac48aff8bb2ceae171e080c28ef3
Instruction ID: 7b26361f0f6a4699940a144caad6752fc5c40c3af5131640a56086b2ef6913b8
Opcode Fuzzy Hash: d09fa23765bc5d495cbe45814fac8b5bf79cac48aff8bb2ceae171e080c28ef3
Instruction Fuzzy Hash: 2131073890A209DFEF44EBA8C545BFDBBF2BB45300F1144AAC442DB266D6749A41EB52

Uniqueness

Uniqueness Score: -1.00%

Function 057B25DE, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96f5d155d5401570b983be695351dff21c1178e7f0bbc93923a22fede333526
Instruction ID: 46e386517dee663aea3652a2241c15e5cd0bfac73ce84411a6c203e0d320e197
Opcode Fuzzy Hash: e96f5d155d5401570b983be695351dff21c1178e7f0bbc93923a22fede333526
Instruction Fuzzy Hash: 0D31B078A02649CFEB60DF66D54879AFBF2FF84304F10C169C0059B216DBB89889DF41

Uniqueness

Uniqueness Score: -1.00%

Function 057B4190, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69dece212e460809b2217f16796dc13cb1854f4e5da29e0f467488275d3306e6
Instruction ID: 9c651af10537614e0c4654f23d0d5c98aa55b261052b5e65462d81f6ff5b9cd9
Opcode Fuzzy Hash: 69dece212e460809b2217f16796dc13cb1854f4e5da29e0f467488275d3306e6
Instruction Fuzzy Hash: 43110632B012099BEF14E7B5E945AFF7ABBAFC5300B51413AD50797246DEB58800A7A2

Uniqueness

Uniqueness Score: -1.00%

Function 031F087C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.352434454.00000000031F0000.00000040.00000040.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afcc5dea0e066ee082802849fab4f736d76e10c2d07ef952196c6f3e0ce56d4
Instruction ID: b7042ec72a516855be21f96cfd610b010281933ec5cc802895a3f7a9b2cdd9cb
Opcode Fuzzy Hash: 4afcc5dea0e066ee082802849fab4f736d76e10c2d07ef952196c6f3e0ce56d4
Instruction Fuzzy Hash: BE11D234604280DFD315CB64C944B26FB95AB4C708F28C99CEA490B643C37B9843CA91

Uniqueness

Uniqueness Score: -1.00%

Function 031F0845, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.352434454.00000000031F0000.00000040.00000040.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b23af47cb414aab237b99b44c67650d60141d94f35cd463eae7dc7446dc4e604
Instruction ID: 60b581281c10fbc9c4a0573898a784d2db01f235cbfc12ac18543fffd0369697
Opcode Fuzzy Hash: b23af47cb414aab237b99b44c67650d60141d94f35cd463eae7dc7446dc4e604
Instruction Fuzzy Hash: 0921293550D3C48FD707CB20C850B55BFB1AB4B204F2985DED9888B6A3D33A9816DB62

Uniqueness

Uniqueness Score: -1.00%

Function 057B11DF, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e6901b7df2b4042c059c423fb096632c5e229797adf4d6f15b7e3a4db46e13
Instruction ID: 6e695a8459ba35932665115b96514e98c069bae61ca9af516fcb1c6596b59c91
Opcode Fuzzy Hash: 80e6901b7df2b4042c059c423fb096632c5e229797adf4d6f15b7e3a4db46e13
Instruction Fuzzy Hash: 5D116D343091908FDB06DB28D068EE97BE6AFC6701B5541EAD406CB2A6CBB55C09E791

Uniqueness

Uniqueness Score: -1.00%

Function 031F05D0, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.352434454.00000000031F0000.00000040.00000040.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894149d0bb9d5fa81b7bcfbb27f5c858375b4a66c6c50a836c7b7ab393261afe
Instruction ID: c64eb97e65651de530464eff789be88e927278ce3af4849d3d9f20716f0c79b0
Opcode Fuzzy Hash: 894149d0bb9d5fa81b7bcfbb27f5c858375b4a66c6c50a836c7b7ab393261afe
Instruction Fuzzy Hash: 7A01A9765097806FD712CF16EC44863FFB8DF86620719C4EFEC498B652D229A809CB72

Uniqueness

Uniqueness Score: -1.00%

Function 057B1218, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9ab9f058a894bf92773e8fe208e117f9f9a1dbfe73916f0fceac41ac25ec2ae
Instruction ID: bcd173c36079394b122aa4b33835406157140438a369b0764a3caef4815fa0af
Opcode Fuzzy Hash: a9ab9f058a894bf92773e8fe208e117f9f9a1dbfe73916f0fceac41ac25ec2ae
Instruction Fuzzy Hash: 7C016D343040108BDB08D72CD068EE977EABFC5700B6440AAE406CB265CFB59C099781

Uniqueness

Uniqueness Score: -1.00%

Function 057B0918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b726f4247ee14b9b5a59c9ffec55ae3292e78403a6d4f597cbd0fefaedc2557f
Instruction ID: 5a99d25da93ace333a5576bbce10c31c52f80164b417605df74b4852f093be31
Opcode Fuzzy Hash: b726f4247ee14b9b5a59c9ffec55ae3292e78403a6d4f597cbd0fefaedc2557f
Instruction Fuzzy Hash: 1FE0E532E162189ABB209AF5991D6EFB7AAA785790F0049279907E3200DDF448015292

Uniqueness

Uniqueness Score: -1.00%

Function 057B4180, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ecfb031a2808b80f1b0eba9434e56599d053a29ae77879a2017fc0c3d431bf7
Instruction ID: f1d43944161f8e682542c019fcc06658a10398c08cb68a2a5f99e936296c26bf
Opcode Fuzzy Hash: 2ecfb031a2808b80f1b0eba9434e56599d053a29ae77879a2017fc0c3d431bf7
Instruction Fuzzy Hash: 00F02072E2520C9AEF20AAB4A848AEE7F6B9BE0381B00413AD80382106E6F480008650

Uniqueness

Uniqueness Score: -1.00%

Function 031F0938, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.352434454.00000000031F0000.00000040.00000040.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction ID: 7240145dc74d85337d4899653d9ff8e5b7e53d2cdbf10e760d12963b204fa0e9
Opcode Fuzzy Hash: 8d74a29df55c69f98ab7c4b2aae8ba2665a8ebae01658a76b7ab1be4c5fff073
Instruction Fuzzy Hash: 7CF0FB35104644DFC216CB00D540B15FBA6FB8D718F24C6A9E9490B752C3379812DA81

Uniqueness

Uniqueness Score: -1.00%

Function 057B0908, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 614d8cf69eb3c9900120207271b0e9e8ef04a6e4214f3f2581894dd4b57669af
Instruction ID: e46dd323b300f1728a80ca0884fd3c18471bbc067dd368ff1c0c2e8536fef255
Opcode Fuzzy Hash: 614d8cf69eb3c9900120207271b0e9e8ef04a6e4214f3f2581894dd4b57669af
Instruction Fuzzy Hash: E8F0E53091A2149FF720CBF9D99CBEF7B67AB80340F0185278903A3204CAF858019A51

Uniqueness

Uniqueness Score: -1.00%

Function 031F05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.352434454.00000000031F0000.00000040.00000040.sdmp, Offset: 031F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c1fa6323ee1c517545b2baebd7e9bcd0ff67e4614b599114fd09b9b914c3549
Instruction ID: 0953b616a30ecfae547220b75df11f44d06e3dd56ca0edf8bf46ff2636df2641
Opcode Fuzzy Hash: 2c1fa6323ee1c517545b2baebd7e9bcd0ff67e4614b599114fd09b9b914c3549
Instruction Fuzzy Hash: 68E09276640A004BD650CF0AFC41452FBE8EB84631718C07FDC0D8B710D535B504CEB5

Uniqueness

Uniqueness Score: -1.00%

Function 057B064F, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d967b2ddafa588cb746321d5afb91b517c6c53364646b5a733c181e8c18fff6
Instruction ID: 2cd02a4467a2dded94a95e6841fc75e94f921482bcda82ac033f5d87beca7a2f
Opcode Fuzzy Hash: 3d967b2ddafa588cb746321d5afb91b517c6c53364646b5a733c181e8c18fff6
Instruction Fuzzy Hash: A8D02E3348A2808FC3018BB8680F2E13BA1CE8330470488E2C8408A822C0667443AA43

Uniqueness

Uniqueness Score: -1.00%

Function 057B02A0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b3683a7d4baf53eb39372b83da7d654a740f0f6ab06487a235e8b6984a780b
Instruction ID: 697f92a733fe53caca473669ab0018a671e57b82250c6a9a248c31d86bcfb71d
Opcode Fuzzy Hash: 44b3683a7d4baf53eb39372b83da7d654a740f0f6ab06487a235e8b6984a780b
Instruction Fuzzy Hash: 8CD0C231809E5497C761D6A8E5689C27BF1AB8A7007088D5AD042D7948D760BC008740

Uniqueness

Uniqueness Score: -1.00%

Function 057B2D20, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d0efff8f999627291994bd17a77cf31ed346a32f60429235c014b3ae9804b7
Instruction ID: be77ce085fd209f50f91f7268611b3df22f13bc419911f70810b9aaf0198cbc5
Opcode Fuzzy Hash: 82d0efff8f999627291994bd17a77cf31ed346a32f60429235c014b3ae9804b7
Instruction Fuzzy Hash: A0D0227816F124DFF3518668EC22FF03B22CB3AB03F040B93908B990CAA1C541029A02

Uniqueness

Uniqueness Score: -1.00%

Function 057B0170, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d604ff16931626703f2540c703747875f8459b3e8178e677f786eb08d1c4cc01
Instruction ID: d350f96cd1d16fc3f4056f0c1c7e26efaa5a426115dce739c65bd257bc8cb83d
Opcode Fuzzy Hash: d604ff16931626703f2540c703747875f8459b3e8178e677f786eb08d1c4cc01
Instruction Fuzzy Hash: 23D017B6601A048FCB15AFB0E0599683B72EBA6202B060ABDD416C7259EA7BD441CA00

Uniqueness

Uniqueness Score: -1.00%

Function 030923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.351627742.0000000003092000.00000040.00000001.sdmp, Offset: 03092000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97936ca76613f0c319976e0360998d86f58fd67efbf95fa5ae25a00c0e2c12de
Instruction ID: f80805810c1f72d01b8144b71a5ba72d4a1e88e2bd3f34761e1d7813325f50f5
Opcode Fuzzy Hash: 97936ca76613f0c319976e0360998d86f58fd67efbf95fa5ae25a00c0e2c12de
Instruction Fuzzy Hash: 94D05B792056C19FD716CA1CC168B557BD4AF51704F4A44FAD8008B663C354D5D1D200

Uniqueness

Uniqueness Score: -1.00%

Function 030923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.351627742.0000000003092000.00000040.00000001.sdmp, Offset: 03092000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe479cf5d384c013518a1c05ac82ed847d4de95e2243d7f90ab572e462355bd
Instruction ID: 5c5f63a4062cb31b450a0fea7098180bf3f7910a470dc2bd0da6fd3d19a7e329
Opcode Fuzzy Hash: cbe479cf5d384c013518a1c05ac82ed847d4de95e2243d7f90ab572e462355bd
Instruction Fuzzy Hash: 05D05E342012854BDB16DB0CC698F5977D8AB45B00F0A88E9AC008B262C7B5D881D600

Uniqueness

Uniqueness Score: -1.00%

Function 057B0180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36ffb4c24fffcfb7879723ebfcb43fd7b31f4bc77177a06d058cfbb4dcb0d91
Instruction ID: 86d8472f85709b47366fb1d77e1d91dda30b3231081cc6b676c6b71e6ea4b95e
Opcode Fuzzy Hash: e36ffb4c24fffcfb7879723ebfcb43fd7b31f4bc77177a06d058cfbb4dcb0d91
Instruction Fuzzy Hash: 79D01234201708CFCB083B70F01D41C33B6AB85205704087CD81787754EF3BE881CA40

Uniqueness

Uniqueness Score: -1.00%

Function 057B0660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855be14a8bd990478a5f5131505255fb8dde96699a4c20fb8c2c267bc4b5bf9f
Instruction ID: 3391d576c0317b18699e836368a2bca073413373f6f5b6f94646401b79c92b78
Opcode Fuzzy Hash: 855be14a8bd990478a5f5131505255fb8dde96699a4c20fb8c2c267bc4b5bf9f
Instruction Fuzzy Hash: 84C02B31086604CED214AFB6280D5BB722B57C0308700C43198010002589B27492A811

Uniqueness

Uniqueness Score: -1.00%

Function 057B2EC0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000015.00000002.353056882.00000000057B0000.00000040.00000001.sdmp, Offset: 057B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bd93c4266adc12dd45630070f7b053f4f51d828a4d67ac203049056acb60ebc
Instruction ID: cac078c5c15e58b6ba3da29c70e46f65ebec8ea79d0a5c32cac1f7161e1f44e4
Opcode Fuzzy Hash: 6bd93c4266adc12dd45630070f7b053f4f51d828a4d67ac203049056acb60ebc
Instruction Fuzzy Hash: 48B01230305A0C0B274066B6380CF62338C95404453440060A80CC4001F645D0903140

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report doa8GHSloq

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos