Play interactive tour

Edit tour

Windows Analysis Report GHhMZFFEmf

Overview

General Information

Sample Name:	GHhMZFFEmf (renamed file extension from none to exe)
Analysis ID:	509563
MD5:	ace96cf7ef24eeac993b4da172a5a8f0
SHA1:	fa89615f55a87ef1d9ee9330ec5b0c040f54e8c1
SHA256:	d4ee80500d9c280e85b290b467592a5910e9d4ee127cfda17ad40467b2c88942
Tags:	32exeNanoCoretrojan
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

GHhMZFFEmf.exe (PID: 6388 cmdline: 'C:\Users\user\Desktop\GHhMZFFEmf.exe' MD5: ACE96CF7EF24EEAC993B4DA172A5A8F0)

schtasks.exe (PID: 6656 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmpBBC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6680 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)

RegSvcs.exe (PID: 6716 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)

schtasks.exe (PID: 6764 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA2A2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6836 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9E6.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6852 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 7024 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 4408 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)

conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "70bb352e-dceb-4105-9fdd-010e83e2", "Group": "NEW LIFE", "Domain1": "drrkingsleym001.ddns.net", "Domain2": "drrkingsleym001.ddns.net", "Port": 1665, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.629752938.0000000005970000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000007.00000002.629752938.0000000005970000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10155:$x1: NanoCore.ClientPluginHost 0x10192:$x2: IClientNetworkHost 0x13cc5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfebd:$a: NanoCore 0xfecd:$a: NanoCore 0x10101:$a: NanoCore 0x10115:$a: NanoCore 0x10155:$a: NanoCore 0xff1c:$b: ClientPlugin 0x1011e:$b: ClientPlugin 0x1015e:$b: ClientPlugin 0x10043:$c: ProjectData 0x10a4a:$d: DESCrypto 0x18416:$e: KeepAlive 0x16404:$g: LogClientMessage 0x125ff:$i: get_Connected 0x10d80:$j: #=q 0x10db0:$j: #=q 0x10dcc:$j: #=q 0x10dfc:$j: #=q 0x10e18:$j: #=q 0x10e34:$j: #=q 0x10e64:$j: #=q 0x10e80:$j: #=q
00000007.00000002.629950144.00000000059F0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000007.00000002.629950144.00000000059F0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000002.630106440.0000000005A70000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000007.00000002.630106440.0000000005A70000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.629869803.00000000059C0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000007.00000002.629869803.00000000059C0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000007.00000002.630029119.0000000005A30000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000007.00000002.630029119.0000000005A30000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000000.00000002.374161297.0000000003630000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.629989793.0000000005A10000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000007.00000002.629989793.0000000005A10000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000007.00000002.629818927.00000000059A0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000007.00000002.629818927.00000000059A0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000007.00000002.629622545.0000000005790000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000007.00000002.629622545.0000000005790000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000007.00000002.629898256.00000000059D0000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000007.00000002.629898256.00000000059D0000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000007.00000002.630057484.0000000005A40000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000007.00000002.630057484.0000000005A40000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000007.00000002.629669654.0000000005810000.00000004.00020000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000007.00000002.629669654.0000000005810000.00000004.00020000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x17497d:$x1: NanoCore.ClientPluginHost 0x1749ba:$x2: IClientNetworkHost 0x1784ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1746e5:$a: NanoCore 0x1746f5:$a: NanoCore 0x174929:$a: NanoCore 0x17493d:$a: NanoCore 0x17497d:$a: NanoCore 0x174744:$b: ClientPlugin 0x174946:$b: ClientPlugin 0x174986:$b: ClientPlugin 0x3c279:$c: ProjectData 0x90299:$c: ProjectData 0x17486b:$c: ProjectData 0x175272:$d: DESCrypto 0x17cc3e:$e: KeepAlive 0x17ac2c:$g: LogClientMessage 0x176e27:$i: get_Connected 0x1755a8:$j: #=q 0x1755d8:$j: #=q 0x1755f4:$j: #=q 0x175624:$j: #=q 0x175640:$j: #=q 0x17565c:$j: #=q
00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7623b:$a: NanoCore 0x76250:$a: NanoCore 0x76285:$a: NanoCore 0x83eaf:$a: NanoCore 0x83ed4:$a: NanoCore 0x83f2d:$a: NanoCore 0x940cc:$a: NanoCore 0x940f2:$a: NanoCore 0x9414e:$a: NanoCore 0xa0fa5:$a: NanoCore 0xa0ffe:$a: NanoCore 0xa1031:$a: NanoCore 0xa125d:$a: NanoCore 0xa12d9:$a: NanoCore 0xa18f2:$a: NanoCore 0xa1a3b:$a: NanoCore 0xa1f0f:$a: NanoCore 0xa21f6:$a: NanoCore 0xa220d:$a: NanoCore 0xab0b1:$a: NanoCore 0xab12d:$a: NanoCore
Process Memory Space: GHhMZFFEmf.exe PID: 6388	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2035:$x1: NanoCore.ClientPluginHost 0x2072:$x2: IClientNetworkHost 0x5886:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1080a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9b6a8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: GHhMZFFEmf.exe PID: 6388	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: GHhMZFFEmf.exe PID: 6388	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: GHhMZFFEmf.exe PID: 6388	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d4c:$a: NanoCore 0x1d5c:$a: NanoCore 0x1dd1:$a: NanoCore 0x1de0:$a: NanoCore 0x1fe1:$a: NanoCore 0x1ff5:$a: NanoCore 0x2035:$a: NanoCore 0xce74:$a: NanoCore 0xce86:$a: NanoCore 0xcec2:$a: NanoCore 0x97d12:$a: NanoCore 0x97d24:$a: NanoCore 0x97d60:$a: NanoCore 0x1d70:$b: ClientPlugin 0x1e2a:$b: ClientPlugin 0x1ffe:$b: ClientPlugin 0x203e:$b: ClientPlugin 0xce8f:$b: ClientPlugin 0xcecb:$b: ClientPlugin 0x97d2d:$b: ClientPlugin 0x97d69:$b: ClientPlugin
Process Memory Space: RegSvcs.exe PID: 6716	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10129:$x1: NanoCore.ClientPluginHost 0x10156:$x2: IClientNetworkHost 0x60e70:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6b40c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 6716	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6716	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd60d:$a: NanoCore 0x10103:$a: NanoCore 0x10129:$a: NanoCore 0x10185:$a: NanoCore 0x17996:$a: NanoCore 0x179ba:$a: NanoCore 0x17a12:$a: NanoCore 0x217b7:$a: NanoCore 0x21818:$a: NanoCore 0x2184a:$a: NanoCore 0x21886:$a: NanoCore 0x221eb:$a: NanoCore 0x22237:$a: NanoCore 0x22282:$a: NanoCore 0x222dd:$a: NanoCore 0x2231a:$a: NanoCore 0x22355:$a: NanoCore 0x2256a:$a: NanoCore 0x225ff:$a: NanoCore 0x22d40:$a: NanoCore 0x232b7:$a: NanoCore
Click to see the 42 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.5a10000.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5a10000.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5a30000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5a30000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5810000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5810000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59c0000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
7.2.RegSvcs.exe.59c0000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5a10000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5a10000.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59e0000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59e0000.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59f0000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59f0000.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5a44c9f.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5a44c9f.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
0.2.GHhMZFFEmf.exe.480d7f0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.GHhMZFFEmf.exe.480d7f0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.GHhMZFFEmf.exe.480d7f0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.GHhMZFFEmf.exe.480d7f0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.RegSvcs.exe.5a70000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5a70000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5970000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5970000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5a40000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5a40000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5790000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5790000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
7.2.RegSvcs.exe.400a796.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
7.2.RegSvcs.exe.400a796.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5ab0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5ab0000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5ab0000.23.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.3de7ad8.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.3de7ad8.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3de7ad8.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.5a40000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5a40000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59d0000.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59d0000.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
7.2.RegSvcs.exe.3e00319.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
7.2.RegSvcs.exe.3e00319.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
7.2.RegSvcs.exe.5ab4629.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5ab4629.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5ab4629.22.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.59e0000.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59e0000.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5ab0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5ab0000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5ab0000.23.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.4018669.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x2997c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost 0x299b9:$x2: IClientNetworkHost
7.2.RegSvcs.exe.4018669.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x2997c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x2cdcf:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost 0x299a6:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59a0000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59a0000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
7.2.RegSvcs.exe.2d912fc.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.RegSvcs.exe.2d912fc.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59d0000.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59d0000.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59f0000.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59f0000.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5a30000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5a30000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
7.2.RegSvcs.exe.59a0000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
7.2.RegSvcs.exe.59a0000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
7.2.RegSvcs.exe.40139ca.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x2e61b:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost 0x2e658:$x2: IClientNetworkHost
7.2.RegSvcs.exe.40139ca.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x2e61b:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x31a6e:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost 0x2e645:$s5: IClientLoggingHost
0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfc63d:$x1: NanoCore.ClientPluginHost 0xfc67a:$x2: IClientNetworkHost 0x1001ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfc3a5:$a: NanoCore 0xfc3b5:$a: NanoCore 0xfc5e9:$a: NanoCore 0xfc5fd:$a: NanoCore 0xfc63d:$a: NanoCore 0xfc404:$b: ClientPlugin 0xfc606:$b: ClientPlugin 0xfc646:$b: ClientPlugin 0x17f59:$c: ProjectData 0xfc52b:$c: ProjectData 0xfcf32:$d: DESCrypto 0x1048fe:$e: KeepAlive 0x1028ec:$g: LogClientMessage 0xfeae7:$i: get_Connected 0xfd268:$j: #=q 0xfd298:$j: #=q 0xfd2b4:$j: #=q 0xfd2e4:$j: #=q 0xfd300:$j: #=q 0xfd31c:$j: #=q 0xfd34c:$j: #=q
7.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.RegSvcs.exe.5a4e8a4.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5a4e8a4.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5a70000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5a70000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15065d:$x1: NanoCore.ClientPluginHost 0x15069a:$x2: IClientNetworkHost 0x1541cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1503c5:$a: NanoCore 0x1503d5:$a: NanoCore 0x150609:$a: NanoCore 0x15061d:$a: NanoCore 0x15065d:$a: NanoCore 0x150424:$b: ClientPlugin 0x150626:$b: ClientPlugin 0x150666:$b: ClientPlugin 0x17f59:$c: ProjectData 0x6bf79:$c: ProjectData 0x15054b:$c: ProjectData 0x150f52:$d: DESCrypto 0x15891e:$e: KeepAlive 0x15690c:$g: LogClientMessage 0x152b07:$i: get_Connected 0x151288:$j: #=q 0x1512b8:$j: #=q 0x1512d4:$j: #=q 0x151304:$j: #=q 0x151320:$j: #=q 0x15133c:$j: #=q
0.2.GHhMZFFEmf.exe.3589b80.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
7.2.RegSvcs.exe.40139ca.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
7.2.RegSvcs.exe.40139ca.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
7.2.RegSvcs.exe.5970000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
7.2.RegSvcs.exe.5970000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
7.2.RegSvcs.exe.400a796.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
7.2.RegSvcs.exe.400a796.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.RegSvcs.exe.3e00319.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.3e00319.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x31aa9:$a: NanoCore 0x32e65:$a: NanoCore
7.2.RegSvcs.exe.3de7ad8.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.3de7ad8.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3d7:$a: NanoCore 0x1d3fc:$a: NanoCore 0x1d455:$a: NanoCore 0x2d5f4:$a: NanoCore 0x2d61a:$a: NanoCore 0x2d676:$a: NanoCore 0x3a4cd:$a: NanoCore 0x3a526:$a: NanoCore 0x3a559:$a: NanoCore 0x3a785:$a: NanoCore 0x3a801:$a: NanoCore 0x3ae1a:$a: NanoCore 0x3af63:$a: NanoCore 0x3b437:$a: NanoCore 0x3b71e:$a: NanoCore 0x3b735:$a: NanoCore 0x445d9:$a: NanoCore 0x44655:$a: NanoCore
7.2.RegSvcs.exe.3dec101.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.RegSvcs.exe.3dec101.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18dae:$a: NanoCore 0x18dd3:$a: NanoCore 0x18e2c:$a: NanoCore 0x28fcb:$a: NanoCore 0x28ff1:$a: NanoCore 0x2904d:$a: NanoCore 0x35ea4:$a: NanoCore 0x35efd:$a: NanoCore 0x35f30:$a: NanoCore 0x3615c:$a: NanoCore 0x361d8:$a: NanoCore 0x367f1:$a: NanoCore 0x3693a:$a: NanoCore 0x36e0e:$a: NanoCore 0x370f5:$a: NanoCore 0x3710c:$a: NanoCore 0x3ffb0:$a: NanoCore 0x4002c:$a: NanoCore
Click to see the 92 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6716, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\GHhMZFFEmf.exe' , ParentImage: C:\Users\user\Desktop\GHhMZFFEmf.exe, ParentProcessId: 6388, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6680

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\GHhMZFFEmf.exe' , ParentImage: C:\Users\user\Desktop\GHhMZFFEmf.exe, ParentProcessId: 6388, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 6680

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 7.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "70bb352e-dceb-4105-9fdd-010e83e2", "Group": "NEW LIFE", "Domain1": "drrkingsleym001.ddns.net", "Domain2": "drrkingsleym001.ddns.net", "Port": 1665, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for submitted file

Show sources

Source: GHhMZFFEmf.exe	Virustotal: Detection: 35%			Perma Link
Source: GHhMZFFEmf.exe	ReversingLabs: Detection: 43%

Multi AV Scanner detection for domain / URL

Show sources

Source: drrkingsleym001.ddns.net

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\eWoGxZG.exe

ReversingLabs: Detection: 43%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.480d7f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3de7ad8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab4629.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3e00319.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3de7ad8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3dec101.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GHhMZFFEmf.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR

Machine Learning detection for sample

Show sources

Source: GHhMZFFEmf.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\eWoGxZG.exe

Joe Sandbox ML: detected

Source: 7.2.RegSvcs.exe.5ab0000.23.unpack	Avira: Label: TR/NanoCore.fadte
Source: 7.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: GHhMZFFEmf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: GHhMZFFEmf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Windows\symbols\dll\System.pdbee source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbIN= source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdbNA source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000007.00000002.629818927.00000000059A0000.00000004.00020000.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.7.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000007.00000002.629950144.00000000059F0000.00000004.00020000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000007.00000002.629869803.00000000059C0000.00000004.00020000.sdmp
Source:	Binary string: System.pdb\ source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp
Source:	Binary string: System.pdbX source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Code function: 4x nop then jmp 0559C037h	0_2_0559BF92
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4x nop then mov esp, ebp	7_2_06374490
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	7_2_063776E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	7_2_063776D3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	7_2_0637774A

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: drrkingsleym001.ddns.net

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: drrkingsleym001.ddns.net

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Source: Joe Sandbox View

IP Address: 103.133.109.121 103.133.109.121

Source: global traffic

TCP traffic: 192.168.2.6:49751 -> 103.133.109.121:1665

Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp	String found in binary or memory: http://google.com
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: GHhMZFFEmf.exe, 00000000.00000003.359413440.000000000588F000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html5
Source: GHhMZFFEmf.exe, 00000000.00000003.357640366.0000000005889000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: GHhMZFFEmf.exe, 00000000.00000003.357640366.0000000005889000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comC
Source: GHhMZFFEmf.exe, 00000000.00000003.357640366.0000000005889000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comRea
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: GHhMZFFEmf.exe, 00000000.00000003.357640366.0000000005889000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comn
Source: GHhMZFFEmf.exe, 00000000.00000003.357850714.0000000005882000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comwdth
Source: GHhMZFFEmf.exe, 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp	String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: GHhMZFFEmf.exe, 00000000.00000002.373795763.00000000018A7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: GHhMZFFEmf.exe, 00000000.00000003.361389497.0000000005887000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmln
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: GHhMZFFEmf.exe, 00000000.00000002.373795763.00000000018A7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTF
Source: GHhMZFFEmf.exe, 00000000.00000002.373795763.00000000018A7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.come.comc
Source: GHhMZFFEmf.exe, 00000000.00000003.354756371.00000000058BE000.00000004.00000001.sdmp, GHhMZFFEmf.exe, 00000000.00000003.354349198.000000000589B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: GHhMZFFEmf.exe, 00000000.00000003.357037703.0000000005884000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: GHhMZFFEmf.exe, 00000000.00000003.356520437.0000000005884000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn(
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: GHhMZFFEmf.exe, 00000000.00000003.356416592.0000000005885000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: GHhMZFFEmf.exe, 00000000.00000003.361958851.0000000005887000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/f
Source: GHhMZFFEmf.exe, 00000000.00000003.362194491.0000000005890000.00000004.00000001.sdmp, GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: GHhMZFFEmf.exe, 00000000.00000003.360121799.00000000018AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: GHhMZFFEmf.exe, 00000000.00000003.356069598.0000000005889000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: GHhMZFFEmf.exe, 00000000.00000003.357850714.0000000005882000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comslnt
Source: GHhMZFFEmf.exe, 00000000.00000003.354726430.000000000589B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.net
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: GHhMZFFEmf.exe, 00000000.00000003.354726430.000000000589B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netL
Source: GHhMZFFEmf.exe, 00000000.00000003.354726430.000000000589B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netes
Source: GHhMZFFEmf.exe, 00000000.00000003.354726430.000000000589B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netved.
Source: GHhMZFFEmf.exe, 00000000.00000003.354726430.000000000589B000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netze
Source: GHhMZFFEmf.exe, 00000000.00000003.361061235.0000000005883000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: GHhMZFFEmf.exe, 00000000.00000003.357361575.0000000005889000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: GHhMZFFEmf.exe, 00000000.00000003.357361575.0000000005889000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn.
Source: GHhMZFFEmf.exe, 00000000.00000003.357448654.0000000005889000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.

Source: unknown

DNS traffic detected: queries for: drrkingsleym001.ddns.net

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 7_2_050E2EA6 WSARecv,

7_2_050E2EA6

Source: RegSvcs.exe, 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.480d7f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3de7ad8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab4629.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3e00319.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3de7ad8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3dec101.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GHhMZFFEmf.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 7.2.RegSvcs.exe.5a10000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5a30000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5810000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.59c0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5a10000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.59e0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.59f0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5a44c9f.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.GHhMZFFEmf.exe.480d7f0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.GHhMZFFEmf.exe.480d7f0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.5a70000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5970000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5a40000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5790000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400a796.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5ab0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.3de7ad8.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5a40000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.59d0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.3e00319.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5ab4629.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.59e0000.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5ab0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.4018669.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.59a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.2d912fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.59d0000.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.59f0000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5a30000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.59a0000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.40139ca.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.5a4e8a4.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5a70000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.40139ca.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.5970000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.RegSvcs.exe.400a796.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.3e00319.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.3de7ad8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.RegSvcs.exe.3dec101.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.629752938.0000000005970000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.629950144.00000000059F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.630106440.0000000005A70000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.629869803.00000000059C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.630029119.0000000005A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.629989793.0000000005A10000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.629818927.00000000059A0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.629622545.0000000005790000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.629898256.00000000059D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.630057484.0000000005A40000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.629669654.0000000005810000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: GHhMZFFEmf.exe PID: 6388, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: GHhMZFFEmf.exe PID: 6388, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: GHhMZFFEmf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 7.2.RegSvcs.exe.5a10000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5a10000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5a30000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5a30000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5810000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5810000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.59c0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59c0000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5a10000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5a10000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.59e0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59e0000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.59f0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59f0000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5a44c9f.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5a44c9f.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.GHhMZFFEmf.exe.480d7f0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.GHhMZFFEmf.exe.480d7f0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.GHhMZFFEmf.exe.480d7f0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.5a70000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5a70000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5970000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5970000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5a40000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5a40000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5790000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5790000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.400a796.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.400a796.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5ab0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5ab0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.3de7ad8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.3de7ad8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5a40000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5a40000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.59d0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59d0000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.3e00319.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.3e00319.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5ab4629.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5ab4629.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.59e0000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59e0000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5ab0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5ab0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.4018669.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.4018669.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.59a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59a0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.2d912fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.2d912fc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.59d0000.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59d0000.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.59f0000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59f0000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5a30000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5a30000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.59a0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.59a0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.40139ca.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.40139ca.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.5a4e8a4.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5a4e8a4.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5a70000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5a70000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.40139ca.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.40139ca.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.5970000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.5970000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.RegSvcs.exe.400a796.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.RegSvcs.exe.400a796.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.3e00319.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.3de7ad8.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.RegSvcs.exe.3dec101.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.629752938.0000000005970000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.629752938.0000000005970000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.629950144.00000000059F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.629950144.00000000059F0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.630106440.0000000005A70000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.630106440.0000000005A70000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.629869803.00000000059C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.629869803.00000000059C0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.630029119.0000000005A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.630029119.0000000005A30000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.629989793.0000000005A10000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.629989793.0000000005A10000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.629818927.00000000059A0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.629818927.00000000059A0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.629622545.0000000005790000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.629622545.0000000005790000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.629898256.00000000059D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.629898256.00000000059D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.630057484.0000000005A40000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.630057484.0000000005A40000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.629669654.0000000005810000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.629669654.0000000005810000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: GHhMZFFEmf.exe PID: 6388, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: GHhMZFFEmf.exe PID: 6388, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Code function: 0_2_05591EE8	0_2_05591EE8
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Code function: 0_2_05598900	0_2_05598900
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Code function: 0_2_05590138	0_2_05590138
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Code function: 0_2_05592DF8	0_2_05592DF8
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Code function: 0_2_05592DE9	0_2_05592DE9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02872477	7_2_02872477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02887ABF	7_2_02887ABF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB3850	7_2_04FB3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB89D8	7_2_04FB89D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FBB2A8	7_2_04FBB2A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB2FA8	7_2_04FB2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB23A0	7_2_04FB23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB306F	7_2_04FB306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB95D8	7_2_04FB95D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_04FB969F	7_2_04FB969F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_0637884F	7_2_0637884F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_063732BF	7_2_063732BF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_06375080	7_2_06375080
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_06375C80	7_2_06375C80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_06376528	7_2_06376528
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_06375D47	7_2_06375D47
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_06377B88	7_2_06377B88
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_06378788	7_2_06378788
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_063731F8	7_2_063731F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_063725F8	7_2_063725F8

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_050E180A NtQuerySystemInformation,		7_2_050E180A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_050E17E8 NtQuerySystemInformation,		7_2_050E17E8

Source: GHhMZFFEmf.exe	Binary or memory string: OriginalFilename vs GHhMZFFEmf.exe
Source: GHhMZFFEmf.exe, 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTaskNode.dll4 vs GHhMZFFEmf.exe
Source: GHhMZFFEmf.exe, 00000000.00000002.376713626.00000000077B0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dll< vs GHhMZFFEmf.exe
Source: GHhMZFFEmf.exe	Binary or memory string: OriginalFilenameSecurityActi.exe< vs GHhMZFFEmf.exe

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Section loaded: windows.staterepositoryps.dll

Jump to behavior

Source: GHhMZFFEmf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eWoGxZG.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: GHhMZFFEmf.exe	Virustotal: Detection: 35%
Source: GHhMZFFEmf.exe	ReversingLabs: Detection: 43%

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

File read: C:\Users\user\Desktop\GHhMZFFEmf.exe

Jump to behavior

Source: GHhMZFFEmf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\GHhMZFFEmf.exe 'C:\Users\user\Desktop\GHhMZFFEmf.exe'
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmpBBC.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA2A2.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9E6.tmp'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmpBBC.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA2A2.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9E6.tmp'	Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_050E149A AdjustTokenPrivileges,		7_2_050E149A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_050E1463 AdjustTokenPrivileges,		7_2_050E1463

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

File created: C:\Users\user\AppData\Roaming\eWoGxZG.exe

Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpBBC.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/14@17/1

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: GHhMZFFEmf

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6876:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{70bb352e-dceb-4105-9fdd-010e83e28b1b}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_01
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZXYpidgSeDxfiqu
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_01

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: GHhMZFFEmf.exe	String found in binary or memory: $c2808ccb-5ae8-48e8-add6-1570f353a9d0
Source: GHhMZFFEmf.exe	String found in binary or memory: $c2808ccb-5ae8-48e8-add6-1570f353a9d0

Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: GHhMZFFEmf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: GHhMZFFEmf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Windows\symbols\dll\System.pdbee source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbIN= source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdbNA source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: RegSvcs.exe, 00000007.00000002.629818927.00000000059A0000.00000004.00020000.sdmp
Source:	Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.7.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: RegSvcs.exe, 00000007.00000002.629950144.00000000059F0000.00000004.00020000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000007.00000002.629869803.00000000059C0000.00000004.00020000.sdmp
Source:	Binary string: System.pdb\ source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: RegSvcs.exe, 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp
Source:	Binary string: System.pdbX source: RegSvcs.exe, 00000007.00000002.625580958.0000000002925000.00000004.00000040.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: RegSvcs.exe, 00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: RegSvcs.exe, 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_02889D73 pushad ; retf	7_2_02889D79
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_06378528 push esp; retf	7_2_06378529
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 18_2_02980006 push esp; retf	18_2_02980016

Source: initial sample	Static PE information: section name: .text entropy: 7.95466244747
Source: initial sample	Static PE information: section name: .text entropy: 7.95466244747

Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	File created: C:\Users\user\AppData\Roaming\eWoGxZG.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmpBBC.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.3589b80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.374161297.0000000003630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GHhMZFFEmf.exe PID: 6388, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: GHhMZFFEmf.exe, 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: GHhMZFFEmf.exe, 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe TID: 6392	Thread sleep time: -30704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe TID: 6420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7124	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5424	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Window / User API: foregroundWindowGot 830

Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Code function: 7_2_050E11C2 GetSystemInfo,

7_2_050E11C2

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Thread delayed: delay time: 30704	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: GHhMZFFEmf.exe, 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: GHhMZFFEmf.exe, 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: GHhMZFFEmf.exe, 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: GHhMZFFEmf.exe, 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 880008	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmpBBC.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA2A2.tmp'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9E6.tmp'	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.625828084.0000000002DD4000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000007.00000002.624471096.0000000001450000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000007.00000002.624471096.0000000001450000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000007.00000002.630431439.0000000005FC0000.00000004.00000001.sdmp	Binary or memory string: Program Managerk7
Source: RegSvcs.exe, 00000007.00000002.624471096.0000000001450000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: RegSvcs.exe, 00000007.00000002.624471096.0000000001450000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000007.00000002.627312318.0000000002FEA000.00000004.00000001.sdmp	Binary or memory string: Program ManagerDkR
Source: RegSvcs.exe, 00000007.00000002.630431439.0000000005FC0000.00000004.00000001.sdmp	Binary or memory string: Program Managerra

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GHhMZFFEmf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\GHhMZFFEmf.exe

Code function: 0_2_0149A2F6 GetUserNameW,

0_2_0149A2F6

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.480d7f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3de7ad8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab4629.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3e00319.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3de7ad8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3dec101.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GHhMZFFEmf.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: GHhMZFFEmf.exe, 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000007.00000002.629752938.0000000005970000.00000004.00020000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000007.00000002.629950144.00000000059F0000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: RegSvcs.exe, 00000007.00000002.629869803.00000000059C0000.00000004.00020000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: RegSvcs.exe, 00000007.00000002.625650248.0000000002D81000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: RegSvcs.exe, 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.480d7f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3de7ad8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab4629.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.23.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.4721340.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.46cd320.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GHhMZFFEmf.exe.480d7f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3e00319.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3de7ad8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.3dec101.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GHhMZFFEmf.exe PID: 6388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6716, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_050E29EA bind,		7_2_050E29EA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe	Code function: 7_2_050E2998 bind,		7_2_050E2998

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture11	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture11	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection312	Obfuscated Files or Information3	Security Account Manager	System Information Discovery13	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Scheduled Task/Job1	Software Packing13	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Security Software Discovery21	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading2	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol21	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion21	DCSync	Virtualization/Sandbox Evasion21	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection312	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
GHhMZFFEmf.exe	35%	Virustotal		Browse
GHhMZFFEmf.exe	43%	ReversingLabs	ByteCode-MSIL.Spyware.Noon
GHhMZFFEmf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\eWoGxZG.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\eWoGxZG.exe	43%	ReversingLabs	ByteCode-MSIL.Spyware.Noon

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.2.RegSvcs.exe.5ab0000.23.unpack	100%	Avira	TR/NanoCore.fadte		Download File
7.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

Source	Detection	Scanner	Label	Link
drrkingsleym001.ddns.net	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.zhongyicts.com.cn.	0%	Virustotal		Browse
http://www.zhongyicts.com.cn.	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.collada.org/2005/11/COLLADASchema9Done	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html5	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.founder.com.cn/cnl	0%	URL Reputation	safe
http://www.typography.net	0%	URL Reputation	safe
http://www.fontbureau.comB.TTF	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/f	0%	Avira URL Cloud	safe
http://www.fontbureau.come.comc	0%	Avira URL Cloud	safe
http://www.tiro.comslnt	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.typography.netL	0%	Avira URL Cloud	safe
http://www.carterandcone.comn	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.typography.netved.	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.carterandcone.comRea	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.zhongyicts.com.cno.	0%	URL Reputation	safe
http://www.typography.netze	0%	Avira URL Cloud	safe
http://www.typography.netes	0%	Avira URL Cloud	safe
drrkingsleym001.ddns.net	0%	Avira URL Cloud	safe
http://www.carterandcone.comwdth	0%	URL Reputation	safe
http://www.founder.com.cn/cn(	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
drrkingsleym001.ddns.net	103.133.109.121	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
drrkingsleym001.ddns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false		high
http://www.zhongyicts.com.cn.	GHhMZFFEmf.exe, 00000000.00000003.357361575.0000000005889000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.tiro.com	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://google.com	RegSvcs.exe, 00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp	false		high
http://www.carterandcone.com	GHhMZFFEmf.exe, 00000000.00000003.357640366.0000000005889000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.collada.org/2005/11/COLLADASchema9Done	GHhMZFFEmf.exe, 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html5	GHhMZFFEmf.exe, 00000000.00000003.359413440.000000000588F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	GHhMZFFEmf.exe, 00000000.00000003.362194491.0000000005890000.00000004.00000001.sdmp, GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comC	GHhMZFFEmf.exe, 00000000.00000003.357640366.0000000005889000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnl	GHhMZFFEmf.exe, 00000000.00000003.356416592.0000000005885000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.net	GHhMZFFEmf.exe, 00000000.00000003.354726430.000000000589B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comB.TTF	GHhMZFFEmf.exe, 00000000.00000002.373795763.00000000018A7000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	GHhMZFFEmf.exe, 00000000.00000003.354756371.00000000058BE000.00000004.00000001.sdmp, GHhMZFFEmf.exe, 00000000.00000003.354349198.000000000589B000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	GHhMZFFEmf.exe, 00000000.00000003.356069598.0000000005889000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.de	GHhMZFFEmf.exe, 00000000.00000003.361061235.0000000005883000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	GHhMZFFEmf.exe, 00000000.00000003.357361575.0000000005889000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/f	GHhMZFFEmf.exe, 00000000.00000003.361958851.0000000005887000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	GHhMZFFEmf.exe, 00000000.00000002.373795763.00000000018A7000.00000004.00000040.sdmp	false		high
http://www.fontbureau.come.comc	GHhMZFFEmf.exe, 00000000.00000002.373795763.00000000018A7000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comslnt	GHhMZFFEmf.exe, 00000000.00000003.357850714.0000000005882000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.htmln	GHhMZFFEmf.exe, 00000000.00000003.361389497.0000000005887000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/	GHhMZFFEmf.exe, 00000000.00000003.360121799.00000000018AB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netL	GHhMZFFEmf.exe, 00000000.00000003.354726430.000000000589B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comn	GHhMZFFEmf.exe, 00000000.00000003.357640366.0000000005889000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netved.	GHhMZFFEmf.exe, 00000000.00000003.354726430.000000000589B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	GHhMZFFEmf.exe, 00000000.00000003.357037703.0000000005884000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comRea	GHhMZFFEmf.exe, 00000000.00000003.357640366.0000000005889000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cno.	GHhMZFFEmf.exe, 00000000.00000003.357448654.0000000005889000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	GHhMZFFEmf.exe, 00000000.00000002.376086691.0000000006A92000.00000004.00000001.sdmp	false		high
http://www.typography.netze	GHhMZFFEmf.exe, 00000000.00000003.354726430.000000000589B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netes	GHhMZFFEmf.exe, 00000000.00000003.354726430.000000000589B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comwdth	GHhMZFFEmf.exe, 00000000.00000003.357850714.0000000005882000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn(	GHhMZFFEmf.exe, 00000000.00000003.356520437.0000000005884000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.133.109.121	drrkingsleym001.ddns.net	Viet Nam		135905	VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	509563
Start date:	26.10.2021
Start time:	17:10:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	GHhMZFFEmf (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/14@17/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.7% (good quality ratio 2.2%) Quality average: 38.2% Quality standard deviation: 36.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 328 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.107.5.88, 13.107.42.16, 20.199.120.182, 20.82.209.183, 20.199.120.151, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 23.211.4.86, 20.199.120.85 Excluded domains from analysis (whitelisted): ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, config-edge-skype.l-0007.l-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, l-0007.l-msedge.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, l-0007.config.skype.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:11:54	API Interceptor	1x Sleep call for process: GHhMZFFEmf.exe modified
17:12:01	Task Scheduler	Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" s>$(Arg0)
17:12:02	API Interceptor	868x Sleep call for process: RegSvcs.exe modified
17:12:04	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
17:12:04	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
103.133.109.121	Purchase order_122.doc	Get hash	malicious	Browse
	b2ZeLApyX2.exe	Get hash	malicious	Browse
	Purchase order_122.doc	Get hash	malicious	Browse
	YKr3m9a7C3.exe	Get hash	malicious	Browse
	SWIFT COPY.doc	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
drrkingsleym001.ddns.net	Purchase order_122.doc	Get hash	malicious	Browse	103.133.109.121
	b2ZeLApyX2.exe	Get hash	malicious	Browse	103.133.109.121
	Purchase order_122.doc	Get hash	malicious	Browse	103.133.109.121
	YKr3m9a7C3.exe	Get hash	malicious	Browse	103.133.109.121
	SWIFT COPY.doc	Get hash	malicious	Browse	103.133.109.121

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN	Purchase order_122.doc	Get hash	malicious	Browse	103.133.109.121
	IMS211323.xlsx	Get hash	malicious	Browse	103.149.12.116
	purchase order # 4459.xls	Get hash	malicious	Browse	103.141.138.110
	6811A4CEA56365431B3799600303C945593A997E61968.exe	Get hash	malicious	Browse	103.114.104.13
	KfvEoN0wIw	Get hash	malicious	Browse	103.68.250.127
	INQ_42-4I090.xlsx	Get hash	malicious	Browse	103.125.190.6
	PO doc 42782.xlsx	Get hash	malicious	Browse	103.125.190.6
	b2ZeLApyX2.exe	Get hash	malicious	Browse	103.133.109.121
	Purchase order_122.doc	Get hash	malicious	Browse	103.133.109.121
	DMS210949 MV LYDERHORN LOW MIX RATIO.xlsx	Get hash	malicious	Browse	180.214.239.85
	payment issue need help.exe	Get hash	malicious	Browse	103.133.110.241
	DMS210949 MV LYDERHORN LOW MIX RATIO.xlsx	Get hash	malicious	Browse	180.214.239.85
	PO1-424480.xlsx	Get hash	malicious	Browse	103.125.190.6
	arm7	Get hash	malicious	Browse	14.225.246.61
	PI Alu Circle_Dt. 14.05.2021.xlsx	Get hash	malicious	Browse	180.214.239.85
	YKr3m9a7C3.exe	Get hash	malicious	Browse	103.133.109.121
	SWIFT COPY.doc	Get hash	malicious	Browse	103.133.109.121
	Airway bill# 7899865792021.xlsx	Get hash	malicious	Browse	103.125.190.6
	presupuesto.xlsx	Get hash	malicious	Browse	103.140.251.116
	Purchase orders with bank details.ppa	Get hash	malicious	Browse	103.141.138.110

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	DRAFT BL-DOCS-20211510-VP-KMC022021.exe	Get hash	malicious	Browse
	b2ZeLApyX2.exe	Get hash	malicious	Browse
	YKr3m9a7C3.exe	Get hash	malicious	Browse
	tEdxwnE4lw.exe	Get hash	malicious	Browse
	87R65JT93I.exe	Get hash	malicious	Browse
	invo.exe	Get hash	malicious	Browse
	U5s97oQj9A.exe	Get hash	malicious	Browse
	hAmgDpjdg5.exe	Get hash	malicious	Browse
	PO00174Quotations.exe	Get hash	malicious	Browse
	mNgTZMYBA8.exe	Get hash	malicious	Browse
	xvE67cxGKh.exe	Get hash	malicious	Browse
	C9UKyFaVBg.exe	Get hash	malicious	Browse
	IzopQnj0od.exe	Get hash	malicious	Browse
	khmU580OCp.exe	Get hash	malicious	Browse
	eKLFu9iX5X.exe	Get hash	malicious	Browse
	HXMhjytc4v.exe	Get hash	malicious	Browse
	ID3xMSKdE5.exe	Get hash	malicious	Browse
	bzPdZR1ZMh.exe	Get hash	malicious	Browse
	IyAJkrCCbT.exe	Get hash	malicious	Browse
	V672IT45op.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.7515815714465193
Encrypted:	false
SSDEEP:	384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
MD5:	71369277D09DA0830C8C59F9E22BB23A
SHA1:	37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
SHA-256:	D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
SHA-512:	2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DRAFT BL-DOCS-20211510-VP-KMC022021.exe, Detection: malicious, Browse Filename: b2ZeLApyX2.exe, Detection: malicious, Browse Filename: YKr3m9a7C3.exe, Detection: malicious, Browse Filename: tEdxwnE4lw.exe, Detection: malicious, Browse Filename: 87R65JT93I.exe, Detection: malicious, Browse Filename: invo.exe, Detection: malicious, Browse Filename: U5s97oQj9A.exe, Detection: malicious, Browse Filename: hAmgDpjdg5.exe, Detection: malicious, Browse Filename: PO00174Quotations.exe, Detection: malicious, Browse Filename: mNgTZMYBA8.exe, Detection: malicious, Browse Filename: xvE67cxGKh.exe, Detection: malicious, Browse Filename: C9UKyFaVBg.exe, Detection: malicious, Browse Filename: IzopQnj0od.exe, Detection: malicious, Browse Filename: khmU580OCp.exe, Detection: malicious, Browse Filename: eKLFu9iX5X.exe, Detection: malicious, Browse Filename: HXMhjytc4v.exe, Detection: malicious, Browse Filename: ID3xMSKdE5.exe, Detection: malicious, Browse Filename: bzPdZR1ZMh.exe, Detection: malicious, Browse Filename: IyAJkrCCbT.exe, Detection: malicious, Browse Filename: V672IT45op.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\GHhMZFFEmf.exe.log Download File
Process:	C:\Users\user\Desktop\GHhMZFFEmf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	5.016405576253028
Encrypted:	false
SSDEEP:	3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
MD5:	50DEC1858E13F033E6DCA3CBFAD5E8DE
SHA1:	79AE1E9131B0FAF215B499D2F7B4C595AA120925
SHA-256:	14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
SHA-512:	1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
Malicious:	false
Preview:	1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmpA2A2.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1320
Entropy (8bit):	5.135021273392143
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mn4xtn:cbk4oL600QydbQxIYODOLedq3Z4j
MD5:	40B11EF601FB28F9B2E69D36857BF2EC
SHA1:	B6454020AD2CEED193F4792B77001D0BD741B370
SHA-256:	C51E12D18CC664425F6711D8AE2507068884C7057092CFA11884100E1E9D49E1
SHA-512:	E3C5BCC714CBFCA4B8058DDCDDF231DCEFA69C15881CE3F8123E59ED45CFB5DA052B56E1945DCF8DC7F800D62F9A4EECB82BCA69A66A1530787AEFFEB15E2BD5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpA9E6.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Jn:Jn
MD5:	E337E0BC57E076912DC359F37771751A
SHA1:	1534E393ADFDB71F571BAA9AC4A25D626A872F64
SHA-256:	CF204C685AADF83087B8C4B93697C2FBAD6CA74813BE93660BA509135296E94C
SHA-512:	C659DC7F17348FA502EA8B04D9C26B2675354733280C294FA5B6221FBF40F3EB37E7334D968F4DCEE17AEF83A07B4D098B4628F36B8BD73DE9F37EB64FA32DB7
Malicious:	true
Preview:	^.xd..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.795707286467131
Encrypted:	false
SSDEEP:	3:oMty8WbSX/MNn:oMLWus
MD5:	D685103573539B7E9FDBF5F1D7DD96CE
SHA1:	4B2FE6B5C0B37954B314FCAEE1F12237A9B02D07
SHA-256:	D78BC23B0CA3EDDF52D56AB85CDC30A71B3756569CB32AA2F6C28DBC23C76E8E
SHA-512:	17769A5944E8929323A34269ABEEF0861D5C6799B0A27F5545FBFADC80E5AB684A471AD6F6A7FC623002385154EA89DE94013051E09120AB94362E542AB0F1DD
Malicious:	false
Preview:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\user\AppData\Roaming\eWoGxZG.exe Download File
Process:	C:\Users\user\Desktop\GHhMZFFEmf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	368128
Entropy (8bit):	7.943323696866316
Encrypted:	false
SSDEEP:	6144:biuHodpZO0/zxllEpjNGLTk+eRSMjf9oHpqUFNsWPAyJt4SKbxF+wkonJx:upZOu7EpjAnkR/9a9rsWPAmyScxFRb
MD5:	ACE96CF7EF24EEAC993B4DA172A5A8F0
SHA1:	FA89615F55A87EF1D9EE9330EC5B0C040F54E8C1
SHA-256:	D4EE80500D9C280E85B290B467592A5910E9D4EE127CFDA17AD40467B2C88942
SHA-512:	E1D5279223D7E82003BAD73E94B1607B043C0B987987E99DC39AB9790558C4C840CD6949A37F87134FBD13B64C4A2492FB572EEBDE870DB709D2A77C419C7EA1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 43%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.wa..............0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........?...A......}........1............................................{...."..}......{...."..}......{...."..}......{...."..}......{...."..}........0..8........s....%.Bo.....%.Po.....%.Do.....%.Io.....%.Wo......+...0..8........s....%.oo.....%.+o.....%.-o.....%.o.....%.=o......+..".(.........0.. ..............%.r...p.%.r7..p.%....+..&.(.........0..0.........o#....oO...3..o%....oQ.....+....,....+....+..*.0..0.........o#....o#...3..o%....o%.....+....,....+....

C:\Users\user\AppData\Roaming\eWoGxZG.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\GHhMZFFEmf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1145
Entropy (8bit):	4.462201512373672
Encrypted:	false
SSDEEP:	24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
MD5:	46EBEB88876A00A52CC37B1F8E0D0438
SHA1:	5E5DB352F964E5F398301662FF558BD905798A65
SHA-256:	D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
SHA-512:	E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.943323696866316
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	GHhMZFFEmf.exe
File size:	368128
MD5:	ace96cf7ef24eeac993b4da172a5a8f0
SHA1:	fa89615f55a87ef1d9ee9330ec5b0c040f54e8c1
SHA256:	d4ee80500d9c280e85b290b467592a5910e9d4ee127cfda17ad40467b2c88942
SHA512:	e1d5279223d7e82003bad73e94b1607b043c0b987987e99dc39ab9790558c4c840cd6949a37f87134fbd13b64c4a2492fb572eebde870db709d2a77c419c7ea1
SSDEEP:	6144:biuHodpZO0/zxllEpjNGLTk+eRSMjf9oHpqUFNsWPAyJt4SKbxF+wkonJx:upZOu7EpjAnkR/9a9rsWPAmyScxFRb
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X.wa..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x45b2f6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61778758 [Tue Oct 26 04:43:04 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b2a4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x5dc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x592fc	0x59400	False	0.962431066176	data	7.95466244747	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x5c000	0x5dc	0x600	False	0.4296875	data	4.16495497717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x5c090	0x34c	data
RT_MANIFEST	0x5c3ec	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017 - 2021
Assembly Version	1.0.0.0
InternalName	SecurityActi.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Project Snake
ProductVersion	1.0.0.0
FileDescription	Project Snake
OriginalFilename	SecurityActi.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/26/21-17:12:06.400060	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	62044	8.8.8.8	192.168.2.6
10/26/21-17:12:13.421862	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	63791	8.8.8.8	192.168.2.6
10/26/21-17:12:20.059046	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	61346	8.8.8.8	192.168.2.6
10/26/21-17:12:26.416582	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	51774	8.8.8.8	192.168.2.6
10/26/21-17:12:32.822515	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58384	8.8.8.8	192.168.2.6
10/26/21-17:12:52.460411	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50339	8.8.8.8	192.168.2.6
10/26/21-17:13:32.283168	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	64021	8.8.8.8	192.168.2.6
10/26/21-17:13:39.916980	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	58177	8.8.8.8	192.168.2.6
10/26/21-17:13:46.338970	UDP	254	DNS SPOOF query response with TTL of 1 min. and no authority	53	50700	8.8.8.8	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2021 17:12:06.413135052 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:06.713388920 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:06.713548899 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:07.379342079 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:07.689163923 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:07.689301014 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:08.036999941 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:08.037178993 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:08.337479115 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:08.337584019 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:08.693383932 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:08.693514109 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.040148973 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.040210962 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.040246964 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.040282011 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.040730953 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.040785074 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.319142103 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.337840080 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.337965012 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.338378906 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.338463068 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.338534117 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.338592052 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.338794947 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.338856936 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.339080095 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.339184999 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.339709044 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.339781046 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.340244055 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.340325117 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:09.340600967 CEST	1665	49751	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:09.340667963 CEST	49751	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:13.423677921 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:13.730799913 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:13.732357979 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:13.732394934 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:14.049108982 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:14.049243927 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:14.412121058 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:14.412221909 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:14.712161064 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:14.712251902 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.061395884 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.061486959 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.413252115 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.413382053 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.415617943 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.415652990 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.415735960 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.415755033 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.415942907 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.415971041 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.415990114 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.416019917 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.715415955 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.715447903 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.715606928 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.715612888 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.715697050 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.715965986 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.716062069 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.716131926 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.716475010 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.716547012 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.716722965 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.716744900 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:15.716784000 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.716804981 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:15.721004963 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.014996052 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.015049934 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.015058994 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.015086889 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.015108109 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.015150070 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.015280008 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.015383959 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.015451908 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.015507936 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.015630960 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.015706062 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.015806913 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.015860081 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.016113043 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.016186953 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.016216040 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.016263962 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.016341925 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.016410112 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.016433001 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.016469955 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.016522884 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.016546011 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.016597033 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.016618967 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.016668081 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.016690016 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.016738892 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:16.016760111 CEST	1665	49753	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:16.016808987 CEST	49753	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:20.062201023 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:20.364577055 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:20.372643948 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:20.373585939 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:20.682847023 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:20.682944059 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:21.046217918 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:21.046355963 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:21.346726894 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:21.346870899 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:21.703402996 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:21.703509092 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.056870937 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.056910038 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.057020903 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.057054996 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.057271957 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.057322979 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.057607889 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.057679892 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.319418907 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.357161999 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.357237101 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.357290030 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.357355118 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.357485056 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.357553959 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.357630968 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.357685089 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.357842922 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.357903957 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.357964039 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.358023882 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.358113050 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.358165026 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:22.358405113 CEST	1665	49762	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:22.358478069 CEST	49762	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:26.417905092 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:26.715045929 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:26.715159893 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:26.715823889 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:27.022653103 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:27.022763968 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:27.379861116 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:27.381987095 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:27.680356026 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:27.683337927 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:28.036856890 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:28.044686079 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:28.396198034 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:28.399275064 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:28.745285988 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:28.746779919 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:28.746812105 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:28.746871948 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:28.747222900 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:28.747267962 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:28.747287035 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:28.749527931 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:28.757618904 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:29.044605017 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:29.044730902 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:29.044770002 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:29.044823885 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:29.045013905 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:29.045070887 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:29.045243025 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:29.045363903 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:29.045609951 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:29.045675039 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:29.045854092 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:29.045964956 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:29.047101974 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:29.047240973 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:29.047286034 CEST	1665	49763	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:29.047343016 CEST	49763	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:32.823685884 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:33.117908955 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:33.118041039 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:33.118788958 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:33.422846079 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:33.422938108 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:33.764035940 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:33.764966965 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:34.059007883 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:34.059400082 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:34.411051989 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:34.413829088 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:34.756504059 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:34.756539106 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:34.756644011 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:34.756674051 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:34.756689072 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:34.756772995 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:34.757004023 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:34.757083893 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:34.977782011 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:35.051107883 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:35.051163912 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:35.051213980 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:35.051260948 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:35.051456928 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:35.051486969 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:35.051532030 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:35.051564932 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:35.051632881 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:35.051738024 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:35.051917076 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:35.051976919 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:35.052293062 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:35.052397013 CEST	1665	49765	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:35.053086042 CEST	49765	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:39.194981098 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:39.508142948 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:39.508275032 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:39.511486053 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:39.835336924 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:39.835611105 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:40.211411953 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:40.211524963 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:40.529855967 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:40.585967064 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:40.700404882 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.064182997 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.064378023 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.432260036 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.432328939 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.432384014 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.432471037 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.432598114 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.432672977 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.432763100 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.432830095 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.745357037 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.745539904 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.745563030 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.745620966 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.745897055 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.745968103 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.746043921 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.746118069 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.746155024 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.746206999 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.746306896 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.746368885 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.746443987 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.746495962 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:41.746553898 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:41.746603966 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063046932 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063091040 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063133955 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063134909 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063162088 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063163996 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063188076 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063189030 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063216925 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063226938 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063241959 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063244104 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063263893 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063273907 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063288927 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063302040 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063325882 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063325882 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063350916 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063353062 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063374996 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063379049 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063395023 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063404083 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063412905 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063431978 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063456059 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063486099 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063584089 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063611984 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.063638926 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.063667059 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.119978905 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377370119 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377407074 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377430916 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377464056 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377484083 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377504110 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377522945 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377526045 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377546072 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377567053 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377588034 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377607107 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377613068 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377635956 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377651930 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377655983 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377676964 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377681017 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377697945 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377717972 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377722025 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377737999 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377758026 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377764940 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377782106 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377798080 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377804995 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377825022 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377825022 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377846003 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377866030 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377866030 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377886057 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377906084 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377909899 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377926111 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377938986 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377950907 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377973080 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.377981901 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.377994061 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.378014088 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.378024101 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.378035069 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.378051043 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.378055096 CEST	1665	49766	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:42.378082991 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:42.378123045 CEST	49766	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:46.192128897 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:46.490227938 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:46.490389109 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:46.491368055 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:46.802758932 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:46.802932978 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:47.163429022 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:47.163501978 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:47.462476015 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:47.462594986 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:47.819103003 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:47.819250107 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.170063019 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.170104027 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.170201063 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.170234919 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.170356035 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.170404911 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.170706034 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.170759916 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.400228977 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.468955994 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.468998909 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.469085932 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.469474077 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.469516993 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.469523907 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.469552994 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.469571114 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.469702959 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.469762087 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.470117092 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.470160007 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.470192909 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.470225096 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:48.470524073 CEST	1665	49768	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:48.470578909 CEST	49768	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:52.461694002 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:52.763083935 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:52.763231039 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:52.764045954 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:53.077388048 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:53.078098059 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:53.433705091 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:53.433823109 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:53.737200022 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:53.737278938 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.089893103 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.090090990 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.436698914 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.436824083 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.438747883 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.438931942 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.439060926 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.439263105 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.439336061 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.439414024 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.441515923 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.587790966 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.742216110 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.742321014 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.742322922 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.742402077 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.742654085 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.742677927 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.742732048 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.742775917 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.742958069 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.743031979 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.743098974 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.743319035 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.745237112 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.745301962 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:54.745500088 CEST	1665	49789	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:54.745575905 CEST	49789	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:58.653664112 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:58.955970049 CEST	1665	49808	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:58.956119061 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:58.956861019 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:59.270556927 CEST	1665	49808	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:59.270726919 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:59.630307913 CEST	1665	49808	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:59.630436897 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:12:59.932240009 CEST	1665	49808	103.133.109.121	192.168.2.6
Oct 26, 2021 17:12:59.933203936 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:00.286612034 CEST	1665	49808	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:00.286756039 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:00.645973921 CEST	1665	49808	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:00.646095037 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:00.901263952 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:00.999233007 CEST	1665	49808	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:00.999267101 CEST	1665	49808	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:00.999319077 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:00.999349117 CEST	1665	49808	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:00.999420881 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:01.003268957 CEST	1665	49808	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:01.003498077 CEST	49808	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:04.960194111 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:05.266093969 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:05.267137051 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:05.267585039 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:05.585917950 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:05.586218119 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:05.948926926 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:05.949184895 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:06.254089117 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:06.254712105 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:06.606719971 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:06.606885910 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:06.965967894 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:06.966105938 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:07.325505972 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:07.325587988 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:07.385577917 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:07.680960894 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:07.681924105 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:07.681943893 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:07.681962967 CEST	1665	49815	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:07.682060003 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:07.682077885 CEST	49815	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:11.659996033 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:11.950110912 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:11.950308084 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:11.963892937 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:12.264301062 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:12.264743090 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:12.606904030 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:12.607218981 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:12.897628069 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:12.948139906 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:13.030883074 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:13.380326033 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:13.380590916 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:13.721340895 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:13.722474098 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:13.723912954 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:13.724049091 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:13.724072933 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:13.724195004 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:13.724217892 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.014375925 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.014502048 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.015243053 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.016081095 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.016343117 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.016674042 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.016751051 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.016889095 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.017136097 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.017784119 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.018176079 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.018301010 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.196739912 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.306005955 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.306113005 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.306463003 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.306512117 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.306888103 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.307169914 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.307609081 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.307818890 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308074951 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308149099 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.308176041 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.308474064 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308502913 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308527946 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308552980 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308577061 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308600903 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308624983 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308651924 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308667898 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.308676004 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.308763981 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.308778048 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.536621094 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.538321018 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.596371889 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.596405029 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.596421957 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.596436977 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.596473932 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.596496105 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.596740007 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.596760035 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.596797943 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.596813917 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.596822023 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.596837997 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.596843958 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.596863985 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.598148108 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598179102 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598196983 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598212957 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598228931 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598241091 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598261118 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598278046 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598289967 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.598294020 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598309994 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.598314047 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.598319054 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598336935 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598349094 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598352909 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.598368883 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598385096 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598398924 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598414898 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598429918 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.598429918 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598434925 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.598445892 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598460913 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598475933 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598495007 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598511934 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598515034 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.598520041 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.598526955 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.598571062 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.598576069 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.825335026 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.881767988 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.882687092 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.889512062 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.889553070 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.889570951 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890527010 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890594959 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890619993 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890642881 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890667915 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890687943 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890707970 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890729904 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890750885 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890775919 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890800953 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890820980 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890842915 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890866041 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890887022 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890908957 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890933037 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890957117 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.890981913 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891002893 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891028881 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891052008 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891074896 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891098976 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891150951 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891179085 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891201973 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891227007 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891249895 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.891278028 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.894474030 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894506931 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894511938 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894515991 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894520044 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894524097 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894526958 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894530058 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894532919 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894536018 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894541025 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894543886 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894546986 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894550085 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894552946 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894556046 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894557953 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894561052 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.894563913 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:14.904964924 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905005932 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905033112 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905059099 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905081034 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905106068 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905129910 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905179977 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905204058 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905229092 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905251026 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905273914 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905296087 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905328989 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.905355930 CEST	1665	49821	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:14.913882017 CEST	49821	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:18.926219940 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:19.229666948 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:19.229868889 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:19.231373072 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:19.552305937 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:19.552473068 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:19.909177065 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:19.909296989 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:20.215589046 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:20.220227957 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:20.581710100 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:20.589248896 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:20.941128016 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:20.941446066 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:21.297333002 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.297435045 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:21.297538996 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.297645092 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.297703981 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:21.297923088 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.297991037 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:21.324002981 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:21.604460955 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.604502916 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.604809046 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:21.604995012 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.605021000 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.605190039 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.605345011 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.606271982 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.606309891 CEST	1665	49833	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:21.611257076 CEST	49833	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:25.885113001 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:26.186790943 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:26.186937094 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:26.205284119 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:26.516918898 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:26.517079115 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:26.872582912 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:26.872745037 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:27.173530102 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:27.173683882 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:27.529051065 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:27.529156923 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:27.879020929 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:27.879287958 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:27.879318953 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:27.879395962 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:27.879483938 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:27.879564047 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:28.181574106 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.181611061 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.181623936 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.181637049 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.181653023 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.181665897 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.181695938 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.181716919 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.181869984 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:28.181967020 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:28.182526112 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:28.482220888 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482254982 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482266903 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482280970 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482295036 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482306957 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482320070 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482332945 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482347965 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482366085 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482378960 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482431889 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:28.482460976 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:28.482558966 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:28.482742071 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482762098 CEST	1665	49854	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:28.482817888 CEST	49854	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:32.284718037 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:32.594022989 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:32.594522953 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:33.201541901 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:33.522151947 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:33.522274971 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:33.879718065 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:33.879875898 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:34.187856913 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:34.229433060 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:34.285065889 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:34.644646883 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:34.644823074 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.003829956 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.003945112 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.005044937 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.005213022 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.005314112 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.005388975 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.005523920 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.005582094 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.005759001 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.005845070 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.313318014 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.313435078 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.313882113 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.314059019 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.314229012 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.314321041 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.314418077 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.314742088 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.314867020 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.315000057 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.315356016 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.315428019 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.315515041 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.315602064 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.319370031 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.319552898 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.558188915 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.625149965 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.625232935 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.625328064 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.625345945 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.625967026 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.626396894 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.626483917 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.626502991 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.627015114 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.627151966 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.627357960 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.627615929 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.627712965 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.627789021 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.627990007 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.628010035 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.628026009 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.628046989 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.628068924 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.628108978 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.628163099 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.630697966 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.630728006 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.630743027 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.630764961 CEST	1665	49856	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:35.630897045 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:35.630933046 CEST	49856	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:39.918844938 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:40.228101015 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:40.228255033 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:40.228939056 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:40.547594070 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:40.547950029 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:40.924757004 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:40.925067902 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:41.237107992 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:41.237517118 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:41.593633890 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:41.593820095 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:41.950886011 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:41.953114986 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:41.955580950 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:41.955651045 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:41.955694914 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:41.955722094 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:41.956072092 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:41.956145048 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:41.956155062 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:41.956231117 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:42.204767942 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:42.261132956 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:42.261171103 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:42.261224031 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:42.261274099 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:42.261322021 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:42.261392117 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:42.261414051 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:42.261483908 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:42.261596918 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:42.261650085 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:42.261925936 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:42.261960030 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:42.262017012 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:42.262149096 CEST	1665	49858	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:42.262222052 CEST	49858	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:46.340251923 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:46.654263973 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:46.654542923 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:46.655525923 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:46.962963104 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:46.963191986 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:47.325124979 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:47.325304985 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:47.626290083 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:47.626590967 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:47.982702971 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:47.983304024 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:48.328248024 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:48.328423023 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:48.687589884 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:49.008011103 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:49.359750986 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:49.359956980 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:49.419481993 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:49.711888075 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:49.711925983 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:49.711954117 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:49.711976051 CEST	1665	49859	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:49.712019920 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:49.712075949 CEST	49859	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:53.460988045 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:53.745415926 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:53.745580912 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:53.746459007 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:54.039079905 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:54.039388895 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:54.322397947 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:54.322722912 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:54.664294004 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:54.992259979 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.324234962 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.324589014 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.324692011 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.324862003 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.325067997 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.325372934 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.608726025 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.608751059 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.608768940 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.608784914 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.608886003 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.608917952 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.609324932 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.609586000 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.610012054 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.610125065 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.610229969 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.610392094 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.891047001 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.891278028 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.891448021 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.891458035 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.891664028 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.891920090 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.893014908 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893048048 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893069983 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893095970 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893121004 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893142939 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.893146992 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.893147945 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893172979 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893197060 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893220901 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893245935 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893269062 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893291950 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:55.893292904 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.893299103 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.893343925 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:55.893348932 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.173921108 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.173949003 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.174550056 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.174595118 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.174617052 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.175415039 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.175746918 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.175766945 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.175780058 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.175792933 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.175811052 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.175828934 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.175842047 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.175977945 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.176141024 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176161051 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176177025 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176192045 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176208973 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176222086 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176235914 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176249027 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176269054 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176289082 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176290989 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.176300049 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.176304102 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176325083 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176337957 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176351070 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176363945 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176367044 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.176378965 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176399946 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176414013 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176431894 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176445961 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.176450014 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176469088 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.176517963 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.176532984 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.176615000 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.456837893 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.456873894 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.456892967 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.456914902 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.457254887 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.457278967 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.457300901 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.457324028 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.457345963 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.457371950 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.457403898 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.458137035 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458161116 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458185911 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458208084 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458229065 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458250046 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458271027 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458292961 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458312035 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.458317041 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458323002 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.458326101 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.458334923 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458358049 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.458762884 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.458776951 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.459161997 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459242105 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459264040 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459286928 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459310055 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459331036 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459333897 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.459342957 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.459352016 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459373951 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459397078 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459420919 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459444046 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459465027 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459486961 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459507942 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459530115 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459553003 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459775925 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459800959 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459817886 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459844112 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459867001 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459887981 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459909916 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459933043 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459955931 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459976912 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.459997892 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.460022926 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.460046053 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.460608959 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460638046 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460643053 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460645914 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460649014 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460652113 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460683107 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460737944 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460751057 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460773945 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460787058 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460829020 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.460839987 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.739715099 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.740206957 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.740240097 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.740261078 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.740279913 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.740299940 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.740319014 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.740339041 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.740535021 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.740853071 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741044044 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741070032 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741091967 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741115093 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741136074 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741158009 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741180897 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741189003 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.741219044 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.741239071 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.741271019 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.741714001 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741735935 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741751909 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741769075 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741786003 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741806030 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.741904020 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.741957903 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.743108034 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743149996 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743169069 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743186951 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743201017 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743220091 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743241072 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743258953 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743272066 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743294001 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743311882 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.743314028 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743328094 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743345976 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743359089 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743376017 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743392944 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743403912 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.743408918 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743423939 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743442059 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743454933 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.743459940 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743478060 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743494034 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743510962 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743526936 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743546009 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743565083 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:56.743588924 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.743597031 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:56.743887901 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.023145914 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023178101 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023195982 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023217916 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023238897 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023258924 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023284912 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023307085 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023576021 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.023613930 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.023675919 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023704052 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023726940 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023746967 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023770094 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023782969 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.023791075 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023812056 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023832083 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023852110 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023875952 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023896933 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.023899078 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023901939 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.023905039 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.023921013 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023941994 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.023962975 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.024024963 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.024032116 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.024036884 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.025538921 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025566101 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025588036 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025608063 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025629044 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025649071 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025670052 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025691032 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025716066 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025738955 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025759935 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025780916 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025800943 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025820017 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025840998 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025855064 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.025861025 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025872946 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.025876045 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.025887966 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025911093 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025930882 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025952101 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025969028 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.025973082 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.025974989 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.025979042 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.025995016 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.026015043 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.026035070 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.026058912 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.026081085 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.026144028 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.026149988 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.026151896 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.305965900 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.305999041 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306020021 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306037903 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306056023 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306072950 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306090117 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306109905 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306128979 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306145906 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306164026 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306180954 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306197882 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306215048 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306226015 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306232929 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306253910 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306255102 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306257010 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306276083 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306293964 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306312084 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306329012 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306345940 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306355953 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306361914 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306363106 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306365967 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306380987 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306401968 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306420088 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306436062 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306447029 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306451082 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306453943 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306453943 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306473017 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306488037 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306504965 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306520939 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306540966 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306541920 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306545973 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306549072 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306560040 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306576967 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306592941 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306610107 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306626081 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306642056 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306658030 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306678057 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306696892 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306704998 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306711912 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306714058 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306716919 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306730986 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306747913 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.306804895 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306809902 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.306813002 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.307908058 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.307929039 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.307943106 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.307959080 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.307976007 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.307998896 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308016062 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308032990 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308051109 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308067083 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308087111 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308104992 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308120966 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308139086 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308142900 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.308156013 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308167934 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.308171034 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.308172941 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.308175087 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308193922 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308209896 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308217049 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.308221102 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.308232069 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308252096 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.308353901 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.308367968 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.511853933 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:57.859170914 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.922326088 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:57.945276022 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:58.228116035 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:58.245273113 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:58.528062105 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:58.528779030 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:58.810832977 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:58.810978889 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:59.093164921 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:13:59.093893051 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:13:59.440291882 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:14:04.050056934 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:14:04.091562986 CEST	49862	1665	192.168.2.6	103.133.109.121
Oct 26, 2021 17:14:05.034864902 CEST	1665	49862	103.133.109.121	192.168.2.6
Oct 26, 2021 17:14:05.092690945 CEST	49862	1665	192.168.2.6	103.133.109.121

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2021 17:12:06.380254030 CEST	62044	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:12:06.400059938 CEST	53	62044	8.8.8.8	192.168.2.6
Oct 26, 2021 17:12:13.401860952 CEST	63791	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:12:13.421861887 CEST	53	63791	8.8.8.8	192.168.2.6
Oct 26, 2021 17:12:20.037813902 CEST	61346	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:12:20.059046030 CEST	53	61346	8.8.8.8	192.168.2.6
Oct 26, 2021 17:12:26.385204077 CEST	51774	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:12:26.416582108 CEST	53	51774	8.8.8.8	192.168.2.6
Oct 26, 2021 17:12:32.800523996 CEST	58384	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:12:32.822515011 CEST	53	58384	8.8.8.8	192.168.2.6
Oct 26, 2021 17:12:39.173913002 CEST	60261	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:12:39.193416119 CEST	53	60261	8.8.8.8	192.168.2.6
Oct 26, 2021 17:12:46.170840979 CEST	58336	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:12:46.190529108 CEST	53	58336	8.8.8.8	192.168.2.6
Oct 26, 2021 17:12:52.440460920 CEST	50339	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:12:52.460411072 CEST	53	50339	8.8.8.8	192.168.2.6
Oct 26, 2021 17:12:58.633362055 CEST	63718	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:12:58.651909113 CEST	53	63718	8.8.8.8	192.168.2.6
Oct 26, 2021 17:13:04.940239906 CEST	55014	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:13:04.958895922 CEST	53	55014	8.8.8.8	192.168.2.6
Oct 26, 2021 17:13:11.638370991 CEST	57574	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:13:11.657114983 CEST	53	57574	8.8.8.8	192.168.2.6
Oct 26, 2021 17:13:18.900628090 CEST	56628	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:13:18.918715000 CEST	53	56628	8.8.8.8	192.168.2.6
Oct 26, 2021 17:13:25.865489006 CEST	54683	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:13:25.883599997 CEST	53	54683	8.8.8.8	192.168.2.6
Oct 26, 2021 17:13:32.262892962 CEST	64021	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:13:32.283168077 CEST	53	64021	8.8.8.8	192.168.2.6
Oct 26, 2021 17:13:39.896927118 CEST	58177	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:13:39.916980028 CEST	53	58177	8.8.8.8	192.168.2.6
Oct 26, 2021 17:13:46.314315081 CEST	50700	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:13:46.338969946 CEST	53	50700	8.8.8.8	192.168.2.6
Oct 26, 2021 17:13:53.440485954 CEST	57017	53	192.168.2.6	8.8.8.8
Oct 26, 2021 17:13:53.460067987 CEST	53	57017	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 26, 2021 17:12:06.380254030 CEST	192.168.2.6	8.8.8.8	0x9b77	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:13.401860952 CEST	192.168.2.6	8.8.8.8	0x5965	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:20.037813902 CEST	192.168.2.6	8.8.8.8	0xcd55	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:26.385204077 CEST	192.168.2.6	8.8.8.8	0x5706	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:32.800523996 CEST	192.168.2.6	8.8.8.8	0xba2f	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:39.173913002 CEST	192.168.2.6	8.8.8.8	0x8beb	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:46.170840979 CEST	192.168.2.6	8.8.8.8	0x5406	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:52.440460920 CEST	192.168.2.6	8.8.8.8	0x61c8	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:58.633362055 CEST	192.168.2.6	8.8.8.8	0xeb75	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:04.940239906 CEST	192.168.2.6	8.8.8.8	0xe4cf	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:11.638370991 CEST	192.168.2.6	8.8.8.8	0xc0e2	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:18.900628090 CEST	192.168.2.6	8.8.8.8	0x5c4d	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:25.865489006 CEST	192.168.2.6	8.8.8.8	0x3e91	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:32.262892962 CEST	192.168.2.6	8.8.8.8	0xea00	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:39.896927118 CEST	192.168.2.6	8.8.8.8	0x3d8c	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:46.314315081 CEST	192.168.2.6	8.8.8.8	0xeb06	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:53.440485954 CEST	192.168.2.6	8.8.8.8	0xa231	Standard query (0)	drrkingsleym001.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Oct 26, 2021 17:12:06.400059938 CEST	8.8.8.8	192.168.2.6	0x9b77	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:13.421861887 CEST	8.8.8.8	192.168.2.6	0x5965	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:20.059046030 CEST	8.8.8.8	192.168.2.6	0xcd55	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:26.416582108 CEST	8.8.8.8	192.168.2.6	0x5706	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:32.822515011 CEST	8.8.8.8	192.168.2.6	0xba2f	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:39.193416119 CEST	8.8.8.8	192.168.2.6	0x8beb	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:46.190529108 CEST	8.8.8.8	192.168.2.6	0x5406	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:52.460411072 CEST	8.8.8.8	192.168.2.6	0x61c8	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:12:58.651909113 CEST	8.8.8.8	192.168.2.6	0xeb75	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:04.958895922 CEST	8.8.8.8	192.168.2.6	0xe4cf	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:11.657114983 CEST	8.8.8.8	192.168.2.6	0xc0e2	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:18.918715000 CEST	8.8.8.8	192.168.2.6	0x5c4d	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:25.883599997 CEST	8.8.8.8	192.168.2.6	0x3e91	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:32.283168077 CEST	8.8.8.8	192.168.2.6	0xea00	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:39.916980028 CEST	8.8.8.8	192.168.2.6	0x3d8c	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:46.338969946 CEST	8.8.8.8	192.168.2.6	0xeb06	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)
Oct 26, 2021 17:13:53.460067987 CEST	8.8.8.8	192.168.2.6	0xa231	No error (0)	drrkingsleym001.ddns.net	103.133.109.121	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: GHhMZFFEmf.exe PID: 6388 Parent PID: 5900

General

Start time:	17:11:48
Start date:	26/10/2021
Path:	C:\Users\user\Desktop\GHhMZFFEmf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\GHhMZFFEmf.exe'
Imagebase:	0xd80000
File size:	368128 bytes
MD5 hash:	ACE96CF7EF24EEAC993B4DA172A5A8F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.374588602.0000000004627000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.373937130.0000000003581000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.374161297.0000000003630000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.374682357.00000000046A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6656 Parent PID: 6388

General

Start time:	17:11:56
Start date:	26/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eWoGxZG' /XML 'C:\Users\user\AppData\Local\Temp\tmpBBC.tmp'
Imagebase:	0xea0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6672 Parent PID: 6656

General

Start time:	17:11:56
Start date:	26/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6680 Parent PID: 6388

General

Start time:	17:11:56
Start date:	26/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0x360000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6716 Parent PID: 6388

General

Start time:	17:11:57
Start date:	26/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Imagebase:	0x7e0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.629752938.0000000005970000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.629752938.0000000005970000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.629950144.00000000059F0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.629950144.00000000059F0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.630106440.0000000005A70000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.630106440.0000000005A70000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.621893164.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.629869803.00000000059C0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.629869803.00000000059C0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.630029119.0000000005A30000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.630029119.0000000005A30000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.629930642.00000000059E0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.630174361.0000000005AB0000.00000004.00020000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.629989793.0000000005A10000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.629989793.0000000005A10000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.629818927.00000000059A0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.629818927.00000000059A0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.629622545.0000000005790000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.629622545.0000000005790000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.629898256.00000000059D0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.629898256.00000000059D0000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.630057484.0000000005A40000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.630057484.0000000005A40000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.629669654.0000000005810000.00000004.00020000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.629669654.0000000005810000.00000004.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.627669995.0000000003D81000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: schtasks.exe PID: 6764 Parent PID: 6716

General

Start time:	17:11:59
Start date:	26/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA2A2.tmp'
Imagebase:	0xea0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6772 Parent PID: 6764

General

Start time:	17:11:59
Start date:	26/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: schtasks.exe PID: 6836 Parent PID: 6716

General

Start time:	17:12:01
Start date:	26/10/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA9E6.tmp'
Imagebase:	0xea0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6852 Parent PID: 936

General

Start time:	17:12:01
Start date:	26/10/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0
Imagebase:	0xac0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 6876 Parent PID: 6836

General

Start time:	17:12:01
Start date:	26/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6896 Parent PID: 6852

General

Start time:	17:12:02
Start date:	26/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 7024 Parent PID: 936

General

Start time:	17:12:04
Start date:	26/10/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Imagebase:	0x4c0000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs

Chronological Activities

Analysis Process: conhost.exe PID: 7080 Parent PID: 7024

General

Start time:	17:12:05
Start date:	26/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: dhcpmon.exe PID: 4408 Parent PID: 3440

General

Start time:	17:12:12
Start date:	26/10/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x580000
File size:	32768 bytes
MD5 hash:	71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 5676 Parent PID: 4408

General

Start time:	17:12:13
Start date:	26/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: GHhMZFFEmf.exe PID: 6388 Parent PID: 5900 GHhMZFFEmf.exeCOMMON

Executed Functions

Function 05590138, Relevance: 4.5, Strings: 3, Instructions: 788COMMON

Download Yara Rule

Strings

X1ar, xrefs: 0559098A
$4'q, xrefs: 05590233
H`r, xrefs: 0559093C

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: $4'q$H`r$X1ar
API String ID: 0-3711878680
Opcode ID: af86e8f0e26d423b956b15908928f1e5939efb6d1ef108c16cb32f7befc4d7e0
Instruction ID: 2d09e24374c61744b36ce5e55d34a3e8234313b105ecf23b25638c7b6e6af7df
Opcode Fuzzy Hash: af86e8f0e26d423b956b15908928f1e5939efb6d1ef108c16cb32f7befc4d7e0
Instruction Fuzzy Hash: F282C234A01219DFDB64DB64C894BDDB7B2BF89304F5184EAD909AB360DB31AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0149A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 0149A346

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 092ec5a9c8c6ed0218f7adc2d4a17e7efd6e6fc1247b7b3ee21f906a62b06d7b
Instruction ID: dc2f58d0b123a5b4af0c64f0aa32fae1b0cebb8b26c99e849def0ff78c291a74
Opcode Fuzzy Hash: 092ec5a9c8c6ed0218f7adc2d4a17e7efd6e6fc1247b7b3ee21f906a62b06d7b
Instruction Fuzzy Hash: 72018F71500600ABD210DF16DC82B26FBA8EB88A20F14815AED084B741E771B515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 05598900, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb836450b05108d2ce2613be2c2d0736d4d53ea973eed82ade5c75290664437e
Instruction ID: f4f0139a718b5c7f94f39252e2289e80c804a7974a04807c5c7d283992e8b6a5
Opcode Fuzzy Hash: eb836450b05108d2ce2613be2c2d0736d4d53ea973eed82ade5c75290664437e
Instruction Fuzzy Hash: E79104B0D05249CFDF08CFAAC454AADBBF2BF4A314F18855AD414AB355D7389942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05591EE8, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319c030c86dddcb8aaff04fa4cb18d2fb71487bbf16ccdd8ac804de63dc2d11c
Instruction ID: 078dbf5960c41f2af235c8fc371efa655a6fdd5a5af694d3f4c6ed7c6b5a549c
Opcode Fuzzy Hash: 319c030c86dddcb8aaff04fa4cb18d2fb71487bbf16ccdd8ac804de63dc2d11c
Instruction Fuzzy Hash: A881F3B4D04229DFDF18DFA9C488AADFBF6FB48300F14851AD40AA7245D778A980CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0559B76E, Relevance: 5.1, Strings: 4, Instructions: 112COMMON

Download Yara Rule

Strings

(, xrefs: 0559BA77
, xrefs: 0559BE2A
,, xrefs: 0559BA7C
-, xrefs: 0559B7C2

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: $($,$-
API String ID: 0-2507013945
Opcode ID: b74de709d40a8915083d6307f7142ad3d52b9a1660984f3dafebc08e4cf87ace
Instruction ID: 00bb2da9aa69567b66796704afc4801a6bd2d0b8ceb737a1c6216d50e3705c6b
Opcode Fuzzy Hash: b74de709d40a8915083d6307f7142ad3d52b9a1660984f3dafebc08e4cf87ace
Instruction Fuzzy Hash: 8E51E174904228CFDF68CF64D984BECBBB1BB49314F1081DAC109A72A0CB799AC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05590FA0, Relevance: 2.6, Strings: 2, Instructions: 73COMMON

Download Yara Rule

Strings

X$ar, xrefs: 05591058
X$ar, xrefs: 05591048

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: X$ar$X$ar
API String ID: 0-4274354868
Opcode ID: 52bb94daa43569b3b269b270530fcd3becba4e9f5c45e1a8612771017eb35956
Instruction ID: d444b5fd6d9c347540566acc6a71e79b2af4763593cdd17df187a33a77f23623
Opcode Fuzzy Hash: 52bb94daa43569b3b269b270530fcd3becba4e9f5c45e1a8612771017eb35956
Instruction Fuzzy Hash: 3F31E274E00219DFDB08DFA9C954AAEBBF2FF48300F1085A9D815A73A0DB766940CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0559BF65, Relevance: 2.5, Strings: 2, Instructions: 31COMMON

Download Yara Rule

Strings

%, xrefs: 0559BF83
', xrefs: 0559B4ED

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: %$'
API String ID: 0-2502232532
Opcode ID: a24611da5e5a4e3e63ef52a5dc3605d5adc56532366653c5d0fb922b6ef60bfd
Instruction ID: 9bc7a9e3714134be0fed1438172697337e0416b5ad48d1c39e3cc8c9abbc14fb
Opcode Fuzzy Hash: a24611da5e5a4e3e63ef52a5dc3605d5adc56532366653c5d0fb922b6ef60bfd
Instruction Fuzzy Hash: 31013C35908228CFEF24CFA5D844BEDBBB1BB09314F1085DAD059A3291C7798AC5DF01

Uniqueness

Uniqueness Score: -1.00%

Function 0149AC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0149ACD1

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2b96b6eb50a60c709528efcca73c4ca0a58937b5e0ca7a6437471c7c3ccb2f76
Instruction ID: b13ac04c42347fc3ff6f501d14f16fcc9e6164aaf0892d70f18706742e3778bf
Opcode Fuzzy Hash: 2b96b6eb50a60c709528efcca73c4ca0a58937b5e0ca7a6437471c7c3ccb2f76
Instruction Fuzzy Hash: DB31C872504384AFE7228B25DC45F67FFBCEF06710F08859BED819B252D265A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0149AD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,138F33D4,00000000,00000000,00000000,00000000), ref: 0149ADD4

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 6a15e2f773ecf0500c4cd331846ea3cec2c1320d40ea739789dd81555471d27e
Instruction ID: 766e09e31b2ca079e9f61bc32f53dd925f483bc8d50d9dc10ca676e698edacb4
Opcode Fuzzy Hash: 6a15e2f773ecf0500c4cd331846ea3cec2c1320d40ea739789dd81555471d27e
Instruction Fuzzy Hash: EF31B371109384AFEB22CB25CC44F93BFF8EF06310F18849BE9858B263D260E549CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0149A2AC, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E2C,?,?), ref: 0149A346

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 3cce371c1ead0e765e5e0a858a44159e95f3a2c4bee71d7977c513c5d735084b
Instruction ID: de797ac680262dcd86a72bc5214f4b7264003071d064190587e8f2e62dc82093
Opcode Fuzzy Hash: 3cce371c1ead0e765e5e0a858a44159e95f3a2c4bee71d7977c513c5d735084b
Instruction Fuzzy Hash: 9D31827540E3C06FD7138B259C51B62BFB4EF87610F1A40DBE884CB6A3D228A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 0149AC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0149ACD1

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 12a12c1f5fd7f57d491a3c938dede664e3c2e812629c171652f8353d1776d8e6
Instruction ID: d66baae058185c5379325b3e2151548754997dfc1a687d4add13ae8429221cba
Opcode Fuzzy Hash: 12a12c1f5fd7f57d491a3c938dede664e3c2e812629c171652f8353d1776d8e6
Instruction Fuzzy Hash: 6421AE72500604AFEB219B69DC84FABFFECEF04710F24855BEE459B251D674E8098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0149AD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,138F33D4,00000000,00000000,00000000,00000000), ref: 0149ADD4

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 92960faf9eec74bd5224c757605088b59842086aa4d35d23e73ad2312973bf2b
Instruction ID: 280ae7233429b23c6a7a9f864b9e35fff854f313908102642d433380885f52ab
Opcode Fuzzy Hash: 92960faf9eec74bd5224c757605088b59842086aa4d35d23e73ad2312973bf2b
Instruction Fuzzy Hash: 78216D71600604AFEB21CF29DC84FA7BFECEF04711F18856BEA459B261D670E409CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0149B42D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0149B4A9

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 380d02c1b98e1ac5546a8495e0d971098e15f92f2a7896d9e1e4426ab71cc105
Instruction ID: d3485d4290eec01ad7f4be58c1c6648c223c5b144b711b88473d00406e5c6534
Opcode Fuzzy Hash: 380d02c1b98e1ac5546a8495e0d971098e15f92f2a7896d9e1e4426ab71cc105
Instruction Fuzzy Hash: 9E2193715093846FDB22CF15DC45B63FFE8EF46614F09809AED848B263D275A908D771

Uniqueness

Uniqueness Score: -1.00%

Function 0149A5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149A666

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 76101cb2983bcbd09839f72db6224178bb9ed49bf766644869c1fa1eef677147
Instruction ID: 596ecb6eea21db3b5ed62a80818266b747f997fd6c5f5b4a0a78d11d5db259fe
Opcode Fuzzy Hash: 76101cb2983bcbd09839f72db6224178bb9ed49bf766644869c1fa1eef677147
Instruction Fuzzy Hash: F5118771405780AFDB238F55DC44A52FFF4EF46310F0884DAED858B663D275A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0149A97B, Relevance: 1.6, APIs: 1, Instructions: 54comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0149A9DC

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6db63ed7397ba961adc1a1ecc6798106d2828cbe899d73aace271d9f5d614e68
Instruction ID: eb9a67339cce4e74797dd033305a2ffe102ec296bb911f2dc8053cfee0801a45
Opcode Fuzzy Hash: 6db63ed7397ba961adc1a1ecc6798106d2828cbe899d73aace271d9f5d614e68
Instruction Fuzzy Hash: 6E119D71409384AFDB128F14DC45B52BFA4EF46224F1884DBED448F253D2B9A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0149AAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0149AB46

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: fa30cf79d9a98221e9e00f186aa846c946bccb5f5d52ba259da600b84e1e420c
Instruction ID: baaa72666ec10658d1e42e06ccf8a7d91fd64957834e0ca181649f72213a0fd4
Opcode Fuzzy Hash: fa30cf79d9a98221e9e00f186aa846c946bccb5f5d52ba259da600b84e1e420c
Instruction Fuzzy Hash: 44117031409784AFD722CF55DC85A52FFF4EF46220F09849AEE854B263C275A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0149A42A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0149A480

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 677d814516fc08578ddabfe580bcad01e01b0ff1729b3c5768b8f8279d363b71
Instruction ID: 7cba30e67c355ee4a975003b4d6c19075f5899ee95ba4162f987eed45caa09ea
Opcode Fuzzy Hash: 677d814516fc08578ddabfe580bcad01e01b0ff1729b3c5768b8f8279d363b71
Instruction Fuzzy Hash: D0116175409384AFDB128B25DC48B52FFB4DF46220F0980EBDD854F263D279A948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0149B45E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0149B4A9

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: c770fb128247a0a3014db2e50d09ea003de372ef1593f84413eb99bdc1fa06ab
Instruction ID: e64267b2a925be716f610cfd74d84c5658cd26f7d549829fe30aa9bad5103c70
Opcode Fuzzy Hash: c770fb128247a0a3014db2e50d09ea003de372ef1593f84413eb99bdc1fa06ab
Instruction Fuzzy Hash: FC0180715006049FDB20CF19EC45B62FFE8EF04620F0880AADD498B752D675E408DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0149A622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0149A666

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bcbd977ee7bd5394495475fd0c6310eb136044c52e5775cffa9fd3c059ad0197
Instruction ID: 68e98691470cd55d82503c887a70f5a1835fbde0ff88550fbd9a96cc8ce63c97
Opcode Fuzzy Hash: bcbd977ee7bd5394495475fd0c6310eb136044c52e5775cffa9fd3c059ad0197
Instruction Fuzzy Hash: 86018431400604DFDB21CF55D944B56FFE4EF48310F18C59BDE894B622D275A414DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0149A9AA, Relevance: 1.5, APIs: 1, Instructions: 39comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(?), ref: 0149A9DC

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 769f6229306b98a57c9513d1cd96b7465d707b075e5b856369236ccdb9ef3728
Instruction ID: a2a2a3c2bb95ce770fedf9f59ab6c28f7f7d409a8a6211a259de8c190c773b91
Opcode Fuzzy Hash: 769f6229306b98a57c9513d1cd96b7465d707b075e5b856369236ccdb9ef3728
Instruction Fuzzy Hash: 6901AD348002449FDB10CF19E988766FFA4EF44220F28C4ABDE089F316D6B9A448CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0149AB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 0149AB46

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: fa0b0198498faf326f650a96691e92c3f205bb8a6980b6010bfdf02a30f3f783
Instruction ID: 9fa2fe9ff578d64414195a0c30032cc676d323f88e68afa22d4383313be1a1c6
Opcode Fuzzy Hash: fa0b0198498faf326f650a96691e92c3f205bb8a6980b6010bfdf02a30f3f783
Instruction Fuzzy Hash: A901AD31400A04DFDB208F09D884B62FFA0EF04720F18C49BDE4A0B762C2B5A409DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0149A44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0149A480

Memory Dump Source

Source File: 00000000.00000002.373493367.000000000149A000.00000040.00000001.sdmp, Offset: 0149A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 1d960083cb6eea32d0fee0d040229db99061cb5f2c25cc4fff93cecffdaf59d8
Instruction ID: c6a99ddb9ea296c4ccc0ab2ebc6b29c6c833522474784e81393671d41dc44ef9
Opcode Fuzzy Hash: 1d960083cb6eea32d0fee0d040229db99061cb5f2c25cc4fff93cecffdaf59d8
Instruction Fuzzy Hash: E3F0C835504644DFDB10CF19E888762FF94DF44320F18C0ABDD494B316D6B5A408CF62

Uniqueness

Uniqueness Score: -1.00%

Function 055991B8, Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

, xrefs: 05599657

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: d43687dfd79e863ae3fc7967f165f75d4bc6b8679231e11b7efda10fb706a6d0
Instruction ID: 042017c1e16ac9ef289f45f76fc543200dc2adc0e9e264f0cc8f2cb06d803b1c
Opcode Fuzzy Hash: d43687dfd79e863ae3fc7967f165f75d4bc6b8679231e11b7efda10fb706a6d0
Instruction Fuzzy Hash: 0BB1E1B5C05218CFDF28CFA1D4497EEBBB5BB09706F50552EC00AA3690C3794A8ACF95

Uniqueness

Uniqueness Score: -1.00%

Function 0559A0F6, Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

|m^r, xrefs: 0559A11B

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: |m^r
API String ID: 0-3666999425
Opcode ID: ef837798904795519ef4fabf79835d0f39ffef89f0245d7946d0b3af6744fab4
Instruction ID: 9d8cc0120b44cee0895e44a9317dab334eea641d1af2e1f586683afac1d63243
Opcode Fuzzy Hash: ef837798904795519ef4fabf79835d0f39ffef89f0245d7946d0b3af6744fab4
Instruction Fuzzy Hash: E4B1F4B0E40308DBDF14DFA8C884BADBBB2BF85704F209029D509BB295DB756985CF55

Uniqueness

Uniqueness Score: -1.00%

Function 055994A8, Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

, xrefs: 05599657

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9ae08e484e380c408b1fb1139cb3bce80237ed5bbe7e86df7d61a3ceed0f1b78
Instruction ID: bbb79f66301be5cf002edf78f6ac7bd5902d92e359f4ee6268eaa88726a47a3d
Opcode Fuzzy Hash: 9ae08e484e380c408b1fb1139cb3bce80237ed5bbe7e86df7d61a3ceed0f1b78
Instruction Fuzzy Hash: 0D81D375C09258CFDF28CFA0D4497EEBBB5BB0A706F50652EC00AA3694C7784A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0559942E, Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

, xrefs: 05599657

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8e9269f852048afab741be3310ba3f918422da7c71686ecf5f0d313f0116b2e0
Instruction ID: ef0d2a9800de222f3402f72a6e1eb678c291c4d728efadcc8fa85bd0714d06e6
Opcode Fuzzy Hash: 8e9269f852048afab741be3310ba3f918422da7c71686ecf5f0d313f0116b2e0
Instruction Fuzzy Hash: 8271D475C09218CFDF28CFA0D4497EDBBB5BB0A706F50652EC00AA3694C7784989CF55

Uniqueness

Uniqueness Score: -1.00%

Function 055995CD, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

, xrefs: 05599657

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 808e8930e25c4bb2a140fc75d07d01cf20aa8952db9f93708dcd77fe0bced6fa
Instruction ID: 31f8ea82ba203328037820395b5040fe61c162fe0f81e5371a52e19b6bd974f2
Opcode Fuzzy Hash: 808e8930e25c4bb2a140fc75d07d01cf20aa8952db9f93708dcd77fe0bced6fa
Instruction Fuzzy Hash: AD811375C09368CFDF28CFA4D8487AEBBB1BB06706F50196ED00AA3695C7784986CF45

Uniqueness

Uniqueness Score: -1.00%

Function 055993CF, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

, xrefs: 05599657

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fdd93e8798bb017205af9d1d191349fb0936cbb0ae2ac6490e50dc4aca59cff4
Instruction ID: beade9b8e6b869a2a7eda7f3ca8e764e696e7e056a5c7b557c1cd4775528c924
Opcode Fuzzy Hash: fdd93e8798bb017205af9d1d191349fb0936cbb0ae2ac6490e50dc4aca59cff4
Instruction Fuzzy Hash: 3071C275C09228CFDF28CFA0D4497EEBBB5BB0A706F50652EC00AA3694C7784986CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05599414, Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

, xrefs: 05599657

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 1f039c0353b4453f98553c0c0393055123139ba6e2e684cf55cbeed92cb8dffe
Instruction ID: 922089c105ca76f0f503e9a39d55810eab3583413c94d365ecab173b297b7c98
Opcode Fuzzy Hash: 1f039c0353b4453f98553c0c0393055123139ba6e2e684cf55cbeed92cb8dffe
Instruction Fuzzy Hash: D571C275C09228CFDF28CFA0D4497EEBBB5BB0A706F50652EC00AA3694C7784A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0559A560, Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

:@:r, xrefs: 0559A6A3

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: :@:r
API String ID: 0-1441432688
Opcode ID: 06f12ea907e3e2ce25818b9648bf4ff1e40b98a5ad3bdaafb9f0da2b8d2bc295
Instruction ID: dd802d0c3c326326db18ed919880260407c2eb69fcb5518c922cd40756863914
Opcode Fuzzy Hash: 06f12ea907e3e2ce25818b9648bf4ff1e40b98a5ad3bdaafb9f0da2b8d2bc295
Instruction Fuzzy Hash: 4B81F074E05248DFDF18DFA8D488AADBBB2FF89304F608129D806A7394DB385941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0559A5B0, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

:@:r, xrefs: 0559A6A3

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: :@:r
API String ID: 0-1441432688
Opcode ID: cc17360a6be5f844f1ace1e682ac8e6673fa1dea903ee54d8f8b371105eecbed
Instruction ID: f3201275495b54a4f200ccfc665dbb645eeb6d5312ed225df1723de4e732e6d4
Opcode Fuzzy Hash: cc17360a6be5f844f1ace1e682ac8e6673fa1dea903ee54d8f8b371105eecbed
Instruction Fuzzy Hash: 6871D0B4E05249DFDF18DFA8D888AADBBB2FF89304F208529D416A7354EB785941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0559A5A0, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

:@:r, xrefs: 0559A6A3

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: :@:r
API String ID: 0-1441432688
Opcode ID: 3fb3854ddd1f21cff55a378834ebb2af690b441b2db62c1912cb34296dcac30d
Instruction ID: 93fed2f9f96c35d82c050a23a50d9b4a1fbafa36431a85c2f0161bde4004bef4
Opcode Fuzzy Hash: 3fb3854ddd1f21cff55a378834ebb2af690b441b2db62c1912cb34296dcac30d
Instruction Fuzzy Hash: 0A71D274E05249DFDF18DFA8D858AADBBB2FF89304F208129D415A7354DB785942CF50

Uniqueness

Uniqueness Score: -1.00%

Function 05599E10, Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

|m^r, xrefs: 05599E63

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: |m^r
API String ID: 0-3666999425
Opcode ID: 199a6683740d17f0b2f3201e9a16c2a9c39ef1a2a007893707eca4f3dfc9df81
Instruction ID: b77b862f3516cdbc8d0a9127a26832cb86d084a2af92bcdb86fdab2f92484c56
Opcode Fuzzy Hash: 199a6683740d17f0b2f3201e9a16c2a9c39ef1a2a007893707eca4f3dfc9df81
Instruction Fuzzy Hash: 02313770E05208DBDF18DFA9D484AEEBBB6FB89311F14A42ED005B3254DB385845CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05590F91, Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

X$ar, xrefs: 05591048

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: X$ar
API String ID: 0-3528744091
Opcode ID: b4b990161591c7304055ec3fb11c1711e17732239da639780fc6c6f51afc2cde
Instruction ID: 4480710d5914eb5105ac27231cdd33ee99a1073ab6883a25d7fe10efaa5a118c
Opcode Fuzzy Hash: b4b990161591c7304055ec3fb11c1711e17732239da639780fc6c6f51afc2cde
Instruction Fuzzy Hash: 2B310674D00219DFDB04DFA9D944AAEBBF2FF48310F1485AAD815B7260DB76A940CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0559BC7D, Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

(, xrefs: 0559BF56

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: df67d1164e154ac76059a44571a7da4003a415452b1498af888f853dc9c11328
Instruction ID: e615360a0fa4c8557997f2661063ef4e9578e9ccc8731a7f1eb37af8c7e7e896
Opcode Fuzzy Hash: df67d1164e154ac76059a44571a7da4003a415452b1498af888f853dc9c11328
Instruction Fuzzy Hash: 5C3198749042288FDF64DF68C888BEDBBB1BB49315F4085DAD40DAB250CB799AC5CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0559B358, Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

", xrefs: 0559B3A2

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 9949824110a1a7a390c9349686fa7880ee24096e92873ce58bf792aa8f35923a
Instruction ID: f31f5499a8f4cba7ee8d474d1e685c646f443a79ebd0c2060e4027886c904799
Opcode Fuzzy Hash: 9949824110a1a7a390c9349686fa7880ee24096e92873ce58bf792aa8f35923a
Instruction Fuzzy Hash: 75F06D74904218DFEB20CF54CC81BD9B7B5FB09314F2081CAE149BB281CBB9AA85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0559B48C, Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

', xrefs: 0559B4ED

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 89f31fdc0781ea08a58631a914f43029f1829bab2755eba0677fb700e10b0ed2
Instruction ID: e16f0490a2ce7bb085db21e3bb613091b86e6e297561c4c0ce054066884b7d3d
Opcode Fuzzy Hash: 89f31fdc0781ea08a58631a914f43029f1829bab2755eba0677fb700e10b0ed2
Instruction Fuzzy Hash: 7A01AF74904228DFDFA4CFA4D880BEDBBB2BB59310F2045DAE009A7261CB759E85DF01

Uniqueness

Uniqueness Score: -1.00%

Function 0559B4FD, Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

+, xrefs: 0559B826

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: c9007e4e0c21157171722baa27df6a652493f2bdae10c77bfcc4b1b20b419393
Instruction ID: e01ebaa4a9a2838fddad8194176551eb49f9d6dfb3ee5f6c06bbce6a0b6d3156
Opcode Fuzzy Hash: c9007e4e0c21157171722baa27df6a652493f2bdae10c77bfcc4b1b20b419393
Instruction Fuzzy Hash: D201BD74915228CFDF24DF60D9487DDBBB1BB0A314F0046DAD089A3250CB784AD5CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0559B3F9, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

., xrefs: 0559B400

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: cfba7519418e64d263ae14acf78f7a57db6a049fc1ac6e5c8587847a05b88acf
Instruction ID: 41f78290eebb1c11d1add3def486245b00e5c99c63a0af93fc28a4759be4e3d9
Opcode Fuzzy Hash: cfba7519418e64d263ae14acf78f7a57db6a049fc1ac6e5c8587847a05b88acf
Instruction Fuzzy Hash: 30C08C30008040CFDF24CF14E088699BB70B307325F4086C2E04A92410CBBC48C0DF86

Uniqueness

Uniqueness Score: -1.00%

Function 0559AE20, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea209fce1574b3210c7f65806de3d7549c13bd14710351e1e94d1c8f2e559fe
Instruction ID: 50b2f23d5d629a429d1e8822622c1a4fcfe9f6146c1f59fa55a35fe1378839f1
Opcode Fuzzy Hash: cea209fce1574b3210c7f65806de3d7549c13bd14710351e1e94d1c8f2e559fe
Instruction Fuzzy Hash: C4919BB8D05218CFDF18DFA8C9887EDBBB1BB89304F20952AD405B7290D7785A85CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05591A69, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cad9cce17157fe32081d3601166106ad5fd3299ca93fcb61e786fce480a7dada
Instruction ID: da0cc3948677c7462c0fd986f1b0c37612e66219c8abd7c7fccf077c3f84baa2
Opcode Fuzzy Hash: cad9cce17157fe32081d3601166106ad5fd3299ca93fcb61e786fce480a7dada
Instruction Fuzzy Hash: B281E474D0462ADFDF24CFA4C984BEDBBB2FB49304F10956AD50AA7240D7784986CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0559AE10, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa4d2839094d0cdcf535e517538b0fbe1d70298732f03029a8962e1d2d7b388
Instruction ID: 1129197f217631146b6c1a48b8cff2a83d4fb4501640e440b29f0d147b0ff6c4
Opcode Fuzzy Hash: 1fa4d2839094d0cdcf535e517538b0fbe1d70298732f03029a8962e1d2d7b388
Instruction Fuzzy Hash: A081ACB8D05218DFDF18DFA8D9887EDBBB1BB88304F20852AD405B7290D7785A85CF64

Uniqueness

Uniqueness Score: -1.00%

Function 05591208, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b58228644055acc2a0572c9bfd9b4e3b2c66d482d24359b6f30f070efc81144
Instruction ID: 7245712739a08ed7672258f9b11e6498f5ea39b880a91c49f716c3def43aac1e
Opcode Fuzzy Hash: 6b58228644055acc2a0572c9bfd9b4e3b2c66d482d24359b6f30f070efc81144
Instruction Fuzzy Hash: A471C2B4E04219CFDB18DFA9D848AADBFF2FF49301F11992AD81AAB254DB745941CF40

Uniqueness

Uniqueness Score: -1.00%

Function 05591ED9, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d442cf751368c6be56965b0ce1c800818a98d855e7e18d4eba8106c73d79ed2d
Instruction ID: 43c1786fffdeb77e68ba958fce7137b30d08ed4c3476633d9a580f9b8a2e7734
Opcode Fuzzy Hash: d442cf751368c6be56965b0ce1c800818a98d855e7e18d4eba8106c73d79ed2d
Instruction Fuzzy Hash: 6261F274E04219DFDF18DFA9C448AADBBF6FB48300F10892AD409E7259D7789985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05598D9F, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0d2ce4dbd75ddbe98c138fbc148c0a1f4e326c398593f20a954e0e334218cc1
Instruction ID: c9bfcdf41b43411bccdd37bb1a72fac5e1a1f0c93b98cdf4fac25d564982add6
Opcode Fuzzy Hash: d0d2ce4dbd75ddbe98c138fbc148c0a1f4e326c398593f20a954e0e334218cc1
Instruction Fuzzy Hash: 41513270D05208DFEF08CFA9D444BEDBBB2FF5A314F14A19AE414B7292D33889818B64

Uniqueness

Uniqueness Score: -1.00%

Function 05592277, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72a1bf89feef1eaf5f755d31731297a7a79f2f4bcecc7c8e283fe1b106a69c4
Instruction ID: 82f5a6647b84a9427635e638ec0566173ec98967602560b2688166be0fc3d88d
Opcode Fuzzy Hash: f72a1bf89feef1eaf5f755d31731297a7a79f2f4bcecc7c8e283fe1b106a69c4
Instruction Fuzzy Hash: FC312434B08245AFDF08DBE8C851BBEBBB6FFC5600F2044AAD405DB251CA794D02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014AA6EC, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96e29f172a7fb53bdac3e56f143b4520a34b1d6d9b223a349afb61a1442bec6
Instruction ID: 668ea957ce4806b02a3cf835ca4ed4785e230093b07223a9accf74bc07fc416d
Opcode Fuzzy Hash: d96e29f172a7fb53bdac3e56f143b4520a34b1d6d9b223a349afb61a1442bec6
Instruction Fuzzy Hash: 49316B76508340AFD310CF19EC45A57FFE8EB89630F18C95EF9599B611D276A804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014AA944, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93bd7be23b1d68f356eb483cb9240cafd994ba07a506d73443474f1286f2bf6c
Instruction ID: faa40c3d127e4d7df5781d2f59dadcc7df28e9408c3b619978194aeb42ba2cbe
Opcode Fuzzy Hash: 93bd7be23b1d68f356eb483cb9240cafd994ba07a506d73443474f1286f2bf6c
Instruction Fuzzy Hash: F53150B6548340AFD310CF09EC41D57FBE8EB89630F15C95EFD589B611D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014AA81A, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707302dca1434e761bd7f23afb2a09ac54d4025c06afa122c4e31d79801dd855
Instruction ID: 795b2d9b48d6c1c37a9ef280bb9e08b7b6d2eeab16c2d53bdc0ca7a74a727d3d
Opcode Fuzzy Hash: 707302dca1434e761bd7f23afb2a09ac54d4025c06afa122c4e31d79801dd855
Instruction Fuzzy Hash: 0B315A76508340AFD300CF05EC41E57FFE8EB89630F18C96EF9599B612D275A904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014AA5C0, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7499fb5ff14031639ce1847dfbe5cb12d797ae8261a24073c748f4e8a0e9f46
Instruction ID: c287a71547c894b39a8d652645c930faf2bc9c9e73cc31293c97984cdb0923a6
Opcode Fuzzy Hash: a7499fb5ff14031639ce1847dfbe5cb12d797ae8261a24073c748f4e8a0e9f46
Instruction Fuzzy Hash: D321D172549300AFD710CF05EC41996FFA8EB85630F18C99FFD489B611D27AA904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014AAAC8, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 565b4426eb8c1c5eaf3c37ff51b7261a22628add1af0f47155938b16b25162d6
Instruction ID: fa566e701cbeb2580b947c6ed17e57b6f0aa8bf76d854807f4aa2ffc8a679f79
Opcode Fuzzy Hash: 565b4426eb8c1c5eaf3c37ff51b7261a22628add1af0f47155938b16b25162d6
Instruction Fuzzy Hash: E3314DB550E3C19FD302CF259850A56BFF4EF8A214F1988DFE9C8DB252D2759908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014E0ED3, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373680194.00000000014E0000.00000040.00000040.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723a73e261ec8aed6b088eea7c17a23366ed00eb1b447182509acca82c77b3f7
Instruction ID: 14fb0d6e49550de09d3325348cda81fa4659587ec6778ed81d528cdfdcc373a8
Opcode Fuzzy Hash: 723a73e261ec8aed6b088eea7c17a23366ed00eb1b447182509acca82c77b3f7
Instruction Fuzzy Hash: 2B21B2715093806FD702CB28DC50892BFF8DF86615B1984DBF888CB223D275A915DB62

Uniqueness

Uniqueness Score: -1.00%

Function 05599F82, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7bba6eb5b7a73625aed5de3f17eaf195159f7b55ab1f3f5f67365380e2d469
Instruction ID: 6c530ed9b2514cd5f1fcd74d51946c2a831b6f93b9c2451175c5c116dc4c572c
Opcode Fuzzy Hash: 5f7bba6eb5b7a73625aed5de3f17eaf195159f7b55ab1f3f5f67365380e2d469
Instruction Fuzzy Hash: 37216670D0A208EFCF18DFA4E444AEDFFB6FB8A312F14942AD409A7254DB394845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 014AA191, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40182c81d9ad716639e7fbdc56e1ec680520bb53e967834ff4b7523a0f3d3f02
Instruction ID: af309bdfb5222934c819fff435538f671ee153f2e608500f611c938dfd27d5a2
Opcode Fuzzy Hash: 40182c81d9ad716639e7fbdc56e1ec680520bb53e967834ff4b7523a0f3d3f02
Instruction Fuzzy Hash: C021F676648344AFD7108F05EC41EA6FFA8EB85630F19C59FFD085B612D27AB804CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014AA3BC, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629c8e7cf238ca39b1e5f5c6d3c1b4c7c2efe5f4097e32b20a9604b48e9f057c
Instruction ID: 06c3d197598e95a5f089bc05957b82c30d1390ee94d18606fbea6b49a16604b5
Opcode Fuzzy Hash: 629c8e7cf238ca39b1e5f5c6d3c1b4c7c2efe5f4097e32b20a9604b48e9f057c
Instruction Fuzzy Hash: 15218476644304BFD6108F4AEC41DA7FFACEB84A70F14C51EFD095B211D672B5149BA1

Uniqueness

Uniqueness Score: -1.00%

Function 014AA842, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606f2d10cb6c3e553cc82ab2895d2428d97f703bf3e4d88380d5e190747e117c
Instruction ID: 910b172f46085373c6998ddcd88b382dad31d8a194f077c8461e9ba4ae2c20b1
Opcode Fuzzy Hash: 606f2d10cb6c3e553cc82ab2895d2428d97f703bf3e4d88380d5e190747e117c
Instruction Fuzzy Hash: 86214FB6604304AFD250CF49EC41E67FBE8EB88630F14C92EFD4897311D275A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 014AA96E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe225ada03016d456a104cb7a67196564904c3b2f34a147c86a1aa99e4ae5a55
Instruction ID: 7e36fe5425debcb7da81c703ab4556bbedb38dbbf2a299d4eb7339af4b15cb90
Opcode Fuzzy Hash: fe225ada03016d456a104cb7a67196564904c3b2f34a147c86a1aa99e4ae5a55
Instruction Fuzzy Hash: 01213EB6644304AFD310CF4AEC81E57FBE8EB88630F14C92EFD5897311D675A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 014AA716, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9578a8e4834c9653e5a3ea44c7b2e75cee2f69c48aa0db5708024c859c07fef
Instruction ID: 9d869799f4fe453086621b465f9afc0fadd5e9d3038db69bf9d70668e443b23e
Opcode Fuzzy Hash: b9578a8e4834c9653e5a3ea44c7b2e75cee2f69c48aa0db5708024c859c07fef
Instruction Fuzzy Hash: CD212CB6644304AFD210CF4AEC41E57FBE8EB88630F18C92EFD5897311D675A9148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 014AA3D2, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8e80858b11d883b909f11c14db014c14bdd27951eb5c0600b616ea1d3ec547
Instruction ID: 7335c2a93e83d02b794c2443ae8e7ff2575f477dc02d351d6799fbdbf5442777
Opcode Fuzzy Hash: 9b8e80858b11d883b909f11c14db014c14bdd27951eb5c0600b616ea1d3ec547
Instruction Fuzzy Hash: 04119376644304BFD6108F4AEC41E67FBA8EB88630F18C56AFD085B311D6B6A5149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 014AA5EA, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161971a50718cf1ab1900ae144d93c382d28effd8e4e283c923780df3c02f22a
Instruction ID: a2a8346aa2ab783c81bb07f9430c770590b8a3e85909a7fd97182e4e11c6ca1a
Opcode Fuzzy Hash: 161971a50718cf1ab1900ae144d93c382d28effd8e4e283c923780df3c02f22a
Instruction Fuzzy Hash: C7119376644304BFD610CF4AEC41E67FBA8EB88A30F18C56AFD085B311D676A5149BA2

Uniqueness

Uniqueness Score: -1.00%

Function 014AA640, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb3c4a1b33a87b1bf9a7511e23af9778c716a73944f03a5f2ecf5fc1706d57e
Instruction ID: 9df8814d6c4c9022ece91a7d0a1092777e3190f9d6ee4ed615c3974cf0074d04
Opcode Fuzzy Hash: eeb3c4a1b33a87b1bf9a7511e23af9778c716a73944f03a5f2ecf5fc1706d57e
Instruction Fuzzy Hash: 8E214FB5509380AFD302CF159C51956BFE4EF86620F09899AF9889B253D275A904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 014AA1BA, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbef3ac005c9c162edc2fb879414035d9c74997d3233d4dad42d7a7fee90f941
Instruction ID: 7cd23bf724e82c96802c73205adb838005e360f98dfb4493272fe8f61e3ac1c8
Opcode Fuzzy Hash: fbef3ac005c9c162edc2fb879414035d9c74997d3233d4dad42d7a7fee90f941
Instruction Fuzzy Hash: 5A11A372640204BFD6108F4AEC41EA3FBACEB84A30F18C46AFD085B201D6B6B5149BB1

Uniqueness

Uniqueness Score: -1.00%

Function 014E0700, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373680194.00000000014E0000.00000040.00000040.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1ec2bae39d86d2e1d27e0c98ac9af3676cf45bf99631500bed88446cc6ac04f
Instruction ID: 88f253f92700f13491f2d2f3a86709f9c1c380762b57435176b2aceec69a6fac
Opcode Fuzzy Hash: d1ec2bae39d86d2e1d27e0c98ac9af3676cf45bf99631500bed88446cc6ac04f
Instruction Fuzzy Hash: ED213D3524D3C49FC7138B24C894B16BFB1AB47314F2985EFE4959B6A3C27A8846CB52

Uniqueness

Uniqueness Score: -1.00%

Function 014E075C, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373680194.00000000014E0000.00000040.00000040.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5a9cede424739447d9482c153201f727230f753cb59df9ec40a8db545b6ad7
Instruction ID: 55961e1dfd4259e4bd15ca71023a4aec1fb424a476dc6083c2f82718924dee9a
Opcode Fuzzy Hash: ac5a9cede424739447d9482c153201f727230f753cb59df9ec40a8db545b6ad7
Instruction Fuzzy Hash: 4F11D234244244EFD305CB24C988B26BBD1AB88709F24C9AEF9491B763C7B7D803CE51

Uniqueness

Uniqueness Score: -1.00%

Function 05599898, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8f5af1b4e5c181ef599aad2236f960f082053c4c29b429318df7794f4eb020
Instruction ID: bc6c555dd0590c1803637b4131fce7847ad8fad6c2550e9ffb3dbcf3f18da85b
Opcode Fuzzy Hash: bb8f5af1b4e5c181ef599aad2236f960f082053c4c29b429318df7794f4eb020
Instruction Fuzzy Hash: C201AD30D192099BDF28DFB4D4086FEBBBAFB8A315F00682ED01AB3200C73945048BE5

Uniqueness

Uniqueness Score: -1.00%

Function 05591850, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c55d85105e1d771a36f0f89d61c79a741430fb2c5f4eb2e6858591c6fd5b4d5
Instruction ID: 80fa34b1eb528fe5ec24c7d6a638d38d9751362936b31311e7db561276a4daee
Opcode Fuzzy Hash: 1c55d85105e1d771a36f0f89d61c79a741430fb2c5f4eb2e6858591c6fd5b4d5
Instruction Fuzzy Hash: 9421F3B4E0421ADFCF18DFA9D444AEEBFB2BB88301F10816AD816A3354C7385941DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 014AAB09, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acd20b66d710f9f3846ab82a95d4f52a0c09c721f63773af257882b36ab5921d
Instruction ID: cfb7b181d9620e17789f477d97b82aa4d0c8683fb45b69c1d2578940b12336db
Opcode Fuzzy Hash: acd20b66d710f9f3846ab82a95d4f52a0c09c721f63773af257882b36ab5921d
Instruction Fuzzy Hash: 3A11DAB5508301AFD340CF19D881A5BFBE4FB88660F14891EF99897311D371E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 05599100, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ef08d326523e586894dc4e8a7e9637fbaa24238b2989d4209c5fafbfbf4b96
Instruction ID: 2d4b5867a492b391cc5af014c6981214e5b0b3f4846db5faae84b34a9bfabf5b
Opcode Fuzzy Hash: 50ef08d326523e586894dc4e8a7e9637fbaa24238b2989d4209c5fafbfbf4b96
Instruction Fuzzy Hash: D021C374D0420ADFCF08DF98C585AEEBBB1BF98310F10856AD805AB360DB34AA40DF91

Uniqueness

Uniqueness Score: -1.00%

Function 014E072C, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373680194.00000000014E0000.00000040.00000040.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 259d724c5ecced2bfde1b46291c1b205ced5db3966fcceaf62d016b33a3a4e61
Instruction ID: e65d35f0c9719c82730bbe0d9a7bea10c436955a598f5e1030d811c8b1140e73
Opcode Fuzzy Hash: 259d724c5ecced2bfde1b46291c1b205ced5db3966fcceaf62d016b33a3a4e61
Instruction Fuzzy Hash: 9D216A352493C49FD713CB20C894B56BFB1AF47308F1985DEE8895B6A3C37A9806CB52

Uniqueness

Uniqueness Score: -1.00%

Function 014AA118, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e7c03eb61d0c189d8823b01023bf64c30782ba2ebdb3423c6104a4d60efadf
Instruction ID: 494864f6be47739540519fab5f13534b407a4f492ff038b27c1ac1b65f7ddfc2
Opcode Fuzzy Hash: 17e7c03eb61d0c189d8823b01023bf64c30782ba2ebdb3423c6104a4d60efadf
Instruction Fuzzy Hash: A10124B110D3C06FD3024B255C51AA2BF78DF43620F1D84CBE9889F153D2666909D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0559C587, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2aaa3acf53232770aae7f05248248fedd1818ff0b11def6140d8f3a1649fc6
Instruction ID: 4d3dc0311e5d8188573d58d83d2bc050aece66cf7fb243df223996a56a9597fe
Opcode Fuzzy Hash: 7b2aaa3acf53232770aae7f05248248fedd1818ff0b11def6140d8f3a1649fc6
Instruction Fuzzy Hash: B901817084A2889FEB15DFA4D458ABEBBB4FF43305F1955E9D449672A2C7391E00CF12

Uniqueness

Uniqueness Score: -1.00%

Function 05592AE1, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd01f2f3547ba6af4675f6eea4e52f5ea74b055932f833064288f83196bb5ab
Instruction ID: b37b1133116f301d0df361816d381af44b375fcd4d2c1749af2ab6638b962de3
Opcode Fuzzy Hash: abd01f2f3547ba6af4675f6eea4e52f5ea74b055932f833064288f83196bb5ab
Instruction Fuzzy Hash: 9F113A78A00258DFDB14CF69D884B9CBFB2FF48315F1191A9E409A7215DB788981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 014E05D3, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373680194.00000000014E0000.00000040.00000040.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da887acdb2c7cc3d512bfb351a7dd91df29966c03858091e43473efbd9e6ee06
Instruction ID: 46a040b6c627cc24007339b9814b14c35c436f06e9b31712665c4b7622f7563a
Opcode Fuzzy Hash: da887acdb2c7cc3d512bfb351a7dd91df29966c03858091e43473efbd9e6ee06
Instruction Fuzzy Hash: 79F0A4765497806FD7128B16EC40893FFECDF8623070984ABED49CB612D165B919CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0559A51F, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0355158d11dba1f32a27a599d18e8f7a59d8ce24f85bfa10393fe1c62feaad3
Instruction ID: 182feea4bf2f5c6d4fc48972f5d5419da67ac1ececf349f5e84a25fe622acefd
Opcode Fuzzy Hash: a0355158d11dba1f32a27a599d18e8f7a59d8ce24f85bfa10393fe1c62feaad3
Instruction Fuzzy Hash: 33F0B471A4A208EBCF18EBA4D5497BD7BB9FB46305F5014A9C80923250C73D5984CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0559B72A, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639a3ee0911ba1984f40a2fe4e0c50089b880044641ec4ffd3dd9933d067226e
Instruction ID: f5841163f9b8683985f661469d04d45c6318cc1ea595b77e4fcc2ba50e56511b
Opcode Fuzzy Hash: 639a3ee0911ba1984f40a2fe4e0c50089b880044641ec4ffd3dd9933d067226e
Instruction Fuzzy Hash: C3010570904268CFDB68CF28D880BECB7B1BB46324F1085DAC109A7290CB799EC1CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05598D60, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98164e59cbf1ca876d69626a07b5426a41aa8fe28e5a621a52acca2488c4a22b
Instruction ID: fb1cb017f0b7f6fcfd59bf8e9475dccbe8f9769f78d234e4abd14590bea87c25
Opcode Fuzzy Hash: 98164e59cbf1ca876d69626a07b5426a41aa8fe28e5a621a52acca2488c4a22b
Instruction Fuzzy Hash: 84F0903094A348EFCB04DFA4D841AADBFB8FB57210F1444DAD809A7391D63D6A44DF92

Uniqueness

Uniqueness Score: -1.00%

Function 0559BD56, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0f6f37bcae5adc67721348918ac92ae533963263fd74c6f475391aa8293cd0
Instruction ID: ce5192c1c6ff10c7f4172beab960834f834f89d4b767210c1c633c237468b7b2
Opcode Fuzzy Hash: 1a0f6f37bcae5adc67721348918ac92ae533963263fd74c6f475391aa8293cd0
Instruction Fuzzy Hash: F301E97094126C8FDB68DF64D991BECB7B2BF85311F1040DA8109AB290CB359E81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 055999D0, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e192122822001d40bac8c79f9440e18afabd14636f4cb00453afe0626adb0c97
Instruction ID: 482286de597d215128dbcea36d48733944081edb6dc888e8af697d8fa2c7776f
Opcode Fuzzy Hash: e192122822001d40bac8c79f9440e18afabd14636f4cb00453afe0626adb0c97
Instruction Fuzzy Hash: E9F03674E05209EBCB54DFEAC545AADBFFAEFC5700F1190AE840563350DA356E04CB85

Uniqueness

Uniqueness Score: -1.00%

Function 014E0F66, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373680194.00000000014E0000.00000040.00000040.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3b1d045c539ff658a10f70a1b4c15074e1a3ba3eaa6fd45b35f82e3b6dd3d5
Instruction ID: 9c2150cf8344551588a576966ef97248e64a723b81c66732ea1bc10815a85ef5
Opcode Fuzzy Hash: 1d3b1d045c539ff658a10f70a1b4c15074e1a3ba3eaa6fd45b35f82e3b6dd3d5
Instruction Fuzzy Hash: A0F08CB2905204AFD240DF05EC418A6F7ECDFC4921B18C52EFC088B701E6B6AA148AF2

Uniqueness

Uniqueness Score: -1.00%

Function 0559AAF8, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4081eab635a2037bedb2deaa59e93489bf42b2cc535820184c0a2fe2df215b35
Instruction ID: ff0ac3da3ece8992490465aad81c3d90175848f43d75546dbdc3a1efea371fd8
Opcode Fuzzy Hash: 4081eab635a2037bedb2deaa59e93489bf42b2cc535820184c0a2fe2df215b35
Instruction Fuzzy Hash: 32F0B470D5A348DFCF55EFB4D50416D7FB6FB46220F1116E6C409A3291EA394E04DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014E0818, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373680194.00000000014E0000.00000040.00000040.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction ID: 61b70968d9b695fca434a3593ca8fdb5ee3b619a3c614475aeb6b21bdb22acec
Opcode Fuzzy Hash: 525cef522958239b2deb72ab7ac90410e2832b06fb356f1b7ca8807ee3c9392c
Instruction Fuzzy Hash: DCF0FB35244644DFC206CB44D944B16FBE2EB89718F24C6ADE9590B762C377A813DE81

Uniqueness

Uniqueness Score: -1.00%

Function 055900C8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3926dc039c89a958d42cdc90593d55ea398c72611771fa146f7b1a30bca219e3
Instruction ID: d229d88bf966a7ee045ea798aee6c6ecf852033ab9be075cce46b2fa93b48abe
Opcode Fuzzy Hash: 3926dc039c89a958d42cdc90593d55ea398c72611771fa146f7b1a30bca219e3
Instruction Fuzzy Hash: 13F03A7090010CDBCB08EFA9C540AADBBB2FF95300F6082A9C40437260DB706E45DB81

Uniqueness

Uniqueness Score: -1.00%

Function 0559C508, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e27130c882a1869dc576f9023f7208b053bb847f16228967da4bafd5460298
Instruction ID: 37371693931d0bb56e829e263917c675a1f3d9bc0099f8165f1e54e7bb4e8a93
Opcode Fuzzy Hash: d5e27130c882a1869dc576f9023f7208b053bb847f16228967da4bafd5460298
Instruction Fuzzy Hash: 7AF0EC31808348EFCB04CFA4E800AA8BFB4FF59200F1480EBC844A7352C63A9A01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 014E05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373680194.00000000014E0000.00000040.00000040.sdmp, Offset: 014E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02e9bfd62a28700426649165e9d3cad26f3a61a2ba9e1816db493ffcd31af80
Instruction ID: 5f6c97c95f514416f90a10ffa5d872ca2c31ca595069dc7af862546e17d9314e
Opcode Fuzzy Hash: a02e9bfd62a28700426649165e9d3cad26f3a61a2ba9e1816db493ffcd31af80
Instruction Fuzzy Hash: 9CE06D766006048B9650CF0AFC41452F798EB88630B18C06FDC0D8B701E575B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 014AA7CF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4f0ba72d127ee2d9913b62a56b3c40ec7aad9502685c823ef0500f4216fa92e
Instruction ID: 8a2d49a84b817e8ea480fcf5543c69976ec91b77946637e6c5f0fe30d558a94f
Opcode Fuzzy Hash: d4f0ba72d127ee2d9913b62a56b3c40ec7aad9502685c823ef0500f4216fa92e
Instruction Fuzzy Hash: D6E0D8726403046BD2109F06AC42F63FF5CEB44A30F18C45BED081B702E5B6B5048AE1

Uniqueness

Uniqueness Score: -1.00%

Function 014AA14C, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ded77b4263222ffd08f064799a2ca39cbf7161b0db381f883f4b89e1722567
Instruction ID: e57176763f13c3c194e714946641be560ad5eecfc3543ae52364aa28bc1be8e5
Opcode Fuzzy Hash: 76ded77b4263222ffd08f064799a2ca39cbf7161b0db381f883f4b89e1722567
Instruction Fuzzy Hash: CAE020716403046BD2109F06EC42B63FB5CEB44930F18C4A7ED0C1B701E5F6B5048EE1

Uniqueness

Uniqueness Score: -1.00%

Function 014AAB6B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9fa0dc774249a2aa7d16a242df5694c0048fc9b5271d6c86bef90ad1ce5cc6d
Instruction ID: 1fc3a1a740b00c63d73541649a9f01234012049ff781cc6a7a6d50151280aaf1
Opcode Fuzzy Hash: e9fa0dc774249a2aa7d16a242df5694c0048fc9b5271d6c86bef90ad1ce5cc6d
Instruction Fuzzy Hash: 31E0D8726413046BD2109F06AC42B63FB5CEB84A30F18C557ED081B702D5B2B5148AE5

Uniqueness

Uniqueness Score: -1.00%

Function 014AA363, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e6b38bc05fbf0a24951dd6453641b06d7d733bf541b28334032fff1285180f
Instruction ID: fb917da31e54195bb08152fbf9dffd496c56c3511103e1e5e4497a4a16558735
Opcode Fuzzy Hash: e0e6b38bc05fbf0a24951dd6453641b06d7d733bf541b28334032fff1285180f
Instruction Fuzzy Hash: D4E0D8716417046BD2109F06EC42B63FB5CEB44930F58C457ED081B702D5B6B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 014AA8FB, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a589fe90731c805cc44a5908d6a348acbcaf2f8e42c380a5546c97dffd20cb
Instruction ID: 14904002bbc0a94b2dde9aa76f7d35733210384b9c8fd814cd583d4b62827256
Opcode Fuzzy Hash: b8a589fe90731c805cc44a5908d6a348acbcaf2f8e42c380a5546c97dffd20cb
Instruction Fuzzy Hash: 0EE0D8726403046BD2109F06AC82F63FB9CEB54A30F18C45BED081B701E5B2B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 014AA57B, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd7bdb2b43c6534f1bc23dad4ee947e9305f2429cd74071e0726f7691f72da3b
Instruction ID: c4cbc79f1fc6edadec6e57b2754d0862f7fe4d50d2522f6ae78039e49060dc93
Opcode Fuzzy Hash: fd7bdb2b43c6534f1bc23dad4ee947e9305f2429cd74071e0726f7691f72da3b
Instruction Fuzzy Hash: 13E0D8716403047BD2109F06AC42B63FB5CEB84930F18C497ED081B701D5B6B5048AE5

Uniqueness

Uniqueness Score: -1.00%

Function 014AA6A3, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373520217.00000000014A2000.00000040.00000001.sdmp, Offset: 014A2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65076f3777a47e9333822c8cd52dbfaa8655e874201ea08f74bfb0fe51534f5b
Instruction ID: b512cccc326110d774d99fe41052e3548307f90c684799d5d2bfab057243e96e
Opcode Fuzzy Hash: 65076f3777a47e9333822c8cd52dbfaa8655e874201ea08f74bfb0fe51534f5b
Instruction Fuzzy Hash: 92E0D872640304ABD2109F06AC42F63FB5CEB44A30F18C45BEE082B702E5B2B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 0559AD78, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b02b7b7c6d32cab4f5fe168c80b94e5a0c4c2de510d5c87021dc75ea6a9d15
Instruction ID: 1353d8c8599f9ace81bc8d6e097b91be36537e964208eb46d4f362a03171a1a2
Opcode Fuzzy Hash: 23b02b7b7c6d32cab4f5fe168c80b94e5a0c4c2de510d5c87021dc75ea6a9d15
Instruction Fuzzy Hash: 48E09234C06308EFCB14DFA4E4485ADBBB5FB89315F6091AAC80A63364CB7A5D44DF84

Uniqueness

Uniqueness Score: -1.00%

Function 05592408, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404ccfbf1ce9161a5e299c919072a65615c8368e4598cafc6012132474801f4c
Instruction ID: b9d44e6348616968857ec72ee31728a7dea5a1e28b6c6522bddcafbc2844bd93
Opcode Fuzzy Hash: 404ccfbf1ce9161a5e299c919072a65615c8368e4598cafc6012132474801f4c
Instruction Fuzzy Hash: 05F06DB5844308EBCB18DFA4D50179DBBB5FB64310F6084AAD80496350D3399A81DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05591130, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d091cfe54c0e1a1c4525e0810077dc50738fc2b43fab8b28535b0f3b490f9a5e
Instruction ID: 85e162b2dc6986cb5e812f67ae7de5d0b6a05114eb6c984693054c0170f0f34d
Opcode Fuzzy Hash: d091cfe54c0e1a1c4525e0810077dc50738fc2b43fab8b28535b0f3b490f9a5e
Instruction Fuzzy Hash: 1DE01230905208EBCB28DF90D5455ADBF35FB56702F51A055DC0913295C7355954EBD4

Uniqueness

Uniqueness Score: -1.00%

Function 055929F8, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c61aa49fd2462a056e7539ba28d385912ae67ea11c19807a37a57d879af6e65
Instruction ID: d7f75ffeaa66fb1debfe02412f91a227b93c3096e8bf4b62d99979e283764f5d
Opcode Fuzzy Hash: 6c61aa49fd2462a056e7539ba28d385912ae67ea11c19807a37a57d879af6e65
Instruction Fuzzy Hash: A3F03AB490130ADFDF44DF54C494A9DBFB2FB00304F10A469D4096B665DBB89845CF41

Uniqueness

Uniqueness Score: -1.00%

Function 055911B0, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0179056de3d9d9f35b59d5414aad2672ba56b05d90b62411eea0d667c032b50
Instruction ID: a59d0749cbee25396e5a83466be4b6c0ef63b43727edf8b5cf9b262e5fdac72a
Opcode Fuzzy Hash: c0179056de3d9d9f35b59d5414aad2672ba56b05d90b62411eea0d667c032b50
Instruction Fuzzy Hash: C2E0DF30841208FBCF28CFA0E8067EE7F74FB46361F20856ADC0462250C3394A41EF90

Uniqueness

Uniqueness Score: -1.00%

Function 0559C330, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 639c7539cc4af9beaab54872efd1ad6f9614c89829b1e41c1ad4b0b0b6237ce2
Instruction ID: d586d7a5638d2a20bddf2fc7a461a65da35f94caf95911f6479b243438ee114e
Opcode Fuzzy Hash: 639c7539cc4af9beaab54872efd1ad6f9614c89829b1e41c1ad4b0b0b6237ce2
Instruction Fuzzy Hash: E1F01534904208EFCF04DF98D940AADBBB5FB48300F108499EC0953351C7369A21EF80

Uniqueness

Uniqueness Score: -1.00%

Function 055923C9, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a9ce919e345295ee65d366bafbac2d2bc522c87ae03a92066fb7cd225bd4a56
Instruction ID: d5b4c964e143c58a94a5f5ad3a7f1e213cfca2a104c11e729955bba8a1024531
Opcode Fuzzy Hash: 6a9ce919e345295ee65d366bafbac2d2bc522c87ae03a92066fb7cd225bd4a56
Instruction Fuzzy Hash: 11E02639804208EBC700EFE4E6253DCBBF8FB05211F6004A6C804D3351C678AB48CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0559B1F9, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec47a5419ed05816b068020bd807868508005127b77ddc3cd94e1c53bbde0407
Instruction ID: bef7a07c23811b6113e460084a4e0390dde27ee8bc385801551216f7177dca82
Opcode Fuzzy Hash: ec47a5419ed05816b068020bd807868508005127b77ddc3cd94e1c53bbde0407
Instruction Fuzzy Hash: D6E026318492089FDF08DAD0F4057FCBF78F746321F5041A5C404E3250C27D1996CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05592DA8, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fb7b879e930f9a4a5e42a49c6f4739ad7099be5796022f7b95f132257eab42b
Instruction ID: 9c945fdca11506fad1b9a361da78b1bcd7408d67f512be79601fa2a2df63afe8
Opcode Fuzzy Hash: 9fb7b879e930f9a4a5e42a49c6f4739ad7099be5796022f7b95f132257eab42b
Instruction Fuzzy Hash: 74E08679845308EBDB04EBA4D50539CBFB8F755215F1004A6C405E2351D67C5A898B51

Uniqueness

Uniqueness Score: -1.00%

Function 05590070, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1633a1dfc1755ba5f0a29abffe6921019f3740e930af90ffd791d06abf72a4a
Instruction ID: 4f1be236d73e03272106800b24566566406caeebdc0969b10f0906f7ab7c0b58
Opcode Fuzzy Hash: a1633a1dfc1755ba5f0a29abffe6921019f3740e930af90ffd791d06abf72a4a
Instruction Fuzzy Hash: 8CE0867054220997C61CFBB4955693E7374EB52504F511C5D840637250DE765E10D765

Uniqueness

Uniqueness Score: -1.00%

Function 0559AC38, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9402aafb22eb2337f0fb125526495e6cee96cdf1acbde1435c65e4d3f6f71e11
Instruction ID: aaaa0eca894000449434d41bbd764a6257ce2b379792b20f4f46643f057dfc6f
Opcode Fuzzy Hash: 9402aafb22eb2337f0fb125526495e6cee96cdf1acbde1435c65e4d3f6f71e11
Instruction Fuzzy Hash: B8E07D30C8620D9BC714EBA4E8417ED7F7CF781311F5444B5D80463341C23D1942C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 05591E90, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7805e32cff61e1d2c4a1de22d0ba06755ffa3384bdea1a8c9dc83a0d177f8913
Instruction ID: c39e11800337553b23363ff736cfd5584e4a331d3977d852d344721e6d18f9ed
Opcode Fuzzy Hash: 7805e32cff61e1d2c4a1de22d0ba06755ffa3384bdea1a8c9dc83a0d177f8913
Instruction Fuzzy Hash: 29E09271C45208EBDF14DFA4D5027ADBFB8FB45301F1185A9D808A3340D7395544CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0559AB70, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d455a616db268c10f9879a27c5af835d350d9a83e4b4448b4c69084d2939b321
Instruction ID: 392ed8e776ad089a66bb5b183a14fdd5a5ef146fe9e18bc9c925913ed367c70c
Opcode Fuzzy Hash: d455a616db268c10f9879a27c5af835d350d9a83e4b4448b4c69084d2939b321
Instruction Fuzzy Hash: 86E02634844208DFCB14DBE4C80479C7FF9FB44218F1000A9D800D3311D23DA989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 055919D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13492c65e8a6c95537a9a4ae24130ae8b14a4b5aea709865df93633d14d2737
Instruction ID: bcd390787317d70ed785f639584177a380515882231bf8fcb12979cdd0926522
Opcode Fuzzy Hash: a13492c65e8a6c95537a9a4ae24130ae8b14a4b5aea709865df93633d14d2737
Instruction Fuzzy Hash: ACE07D3184420AEBCB14DFE4E4013DC7FB4F705211F514565C809D3390C23859C2CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0559AD80, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b26b28d751592ae051a145c2d89cbf0f06e4fb6e28943273e35bc1a2399cda
Instruction ID: 8e3a0702af8021ad6ab4a0c549fd2bbd4f872a47db8af8f92341f76b6eef2e2f
Opcode Fuzzy Hash: 94b26b28d751592ae051a145c2d89cbf0f06e4fb6e28943273e35bc1a2399cda
Instruction Fuzzy Hash: 81E09A34C06208EFCB18DFA0E0085ADBB74FB89302F2091A9C80A23324CB385A04CF84

Uniqueness

Uniqueness Score: -1.00%

Function 05591DFF, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16ece7be901fadd7d1c834c938c5bd8ac3bdd6e20c4d5302805e1df0630d139
Instruction ID: 74bafcdf713fb13cff6766a7399895dbf0e1f478e50b57b14336c8b91fc72b6e
Opcode Fuzzy Hash: a16ece7be901fadd7d1c834c938c5bd8ac3bdd6e20c4d5302805e1df0630d139
Instruction Fuzzy Hash: 5CE02630D493899FCB04DFE8D8212AC7F74AB02101F50059AC80467282D6B45980CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 055987B0, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d441d0e10a5e0431411223d7dadc520695aed3126465159d62995e764b1444
Instruction ID: 8348e6f0745bc3237796c15179f9e2970e4c0c8f737b87f859f01d667ce858bb
Opcode Fuzzy Hash: 23d441d0e10a5e0431411223d7dadc520695aed3126465159d62995e764b1444
Instruction Fuzzy Hash: 2EE086B5C45208EBDB04DBA4D90579D7FB8BB15311F510095C80573790E63A56488B51

Uniqueness

Uniqueness Score: -1.00%

Function 0559C518, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af91e859aa34701819892c7cfa290512bb441a5a5077e2328751252aa700d7cc
Instruction ID: 999a108a9bcd0e926c87aef587e9a3500b23a055507ee3bff6cdc646c8cfd0bc
Opcode Fuzzy Hash: af91e859aa34701819892c7cfa290512bb441a5a5077e2328751252aa700d7cc
Instruction Fuzzy Hash: A5E0E574905208EBCB14DF94E5446ACBBB9EB88200F2080AA984553352D63AAA55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 05599DD8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0b7e3b937c37ad42da9706c520c923a1761c636954b2d568918d879c1b6ee0
Instruction ID: 5f2ae27eca532057be88af895781e223cad4d798656fbe078ca0cf6ec298e757
Opcode Fuzzy Hash: 6b0b7e3b937c37ad42da9706c520c923a1761c636954b2d568918d879c1b6ee0
Instruction Fuzzy Hash: 17E0C23145E244CFDB24DB60D045BF8BB34EB45201F2148EDC009921A1C7B90854CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0559BFFB, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761f120d2ce47490c1cf5c58e8033d12469b5ee97a9999117dc7f63133da3308
Instruction ID: 6840f5bd35bff6fe71d150a63f902fcf1d5298f87168b29639be5fd153d43a37
Opcode Fuzzy Hash: 761f120d2ce47490c1cf5c58e8033d12469b5ee97a9999117dc7f63133da3308
Instruction Fuzzy Hash: EDF0157084022ACFCB68CF64E998AECBBB1FB0A305F1054E6D14AA2210DB741EC4CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05599850, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1577f099b625266ae2b963aefac6d37f79d4c5fd04a744df9132391b600e1456
Instruction ID: 60e23be777e1840f705bb0b826cbfc2ed16175f3c7ab8307a1cff6d0f5669bf7
Opcode Fuzzy Hash: 1577f099b625266ae2b963aefac6d37f79d4c5fd04a744df9132391b600e1456
Instruction Fuzzy Hash: CDE02B3108E148CFE728CB90D408BF5BF78EB01305F5819EDD00AA2171C3794540CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0559BC32, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33fd2c1f857890334a99000b9d223cbf50c620ef06c8f11ce78ced135239ad7
Instruction ID: 95789a9bf10153e33b16a6e80624129a7325ece7fabd5b4bc3ab0a454d8b6fbd
Opcode Fuzzy Hash: b33fd2c1f857890334a99000b9d223cbf50c620ef06c8f11ce78ced135239ad7
Instruction Fuzzy Hash: CAF0E5759002189FDB14CF94C940FEEB7B8FB48308F0480AAD919E7281C779AA89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0559C2E0, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af91e859aa34701819892c7cfa290512bb441a5a5077e2328751252aa700d7cc
Instruction ID: 490fcee763ca88c570d1e076cf0c9514ebbd367c7885bc4d8ce24fb79b14eb0d
Opcode Fuzzy Hash: af91e859aa34701819892c7cfa290512bb441a5a5077e2328751252aa700d7cc
Instruction Fuzzy Hash: 87E0E57490520CEFCB14DFD4D540AACFBB5AB89200F2080AA984563351C63A9A55DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0559A4EA, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0130971ab1cd4231edcc1a13b40a7341f7834a25c29b6403effbb7a4d4782c8
Instruction ID: 6dc569cb02c1498cad13111dead0a66de3d4e1bc543674a455ab5b9c671c9d3d
Opcode Fuzzy Hash: b0130971ab1cd4231edcc1a13b40a7341f7834a25c29b6403effbb7a4d4782c8
Instruction Fuzzy Hash: 7AE0C270D4A308EBCF18EFA4D4002AD7FB8FB81305F6045AAC80823390C7399A44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0559AD3E, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b773ba5b1f0b08b54117b9d083db9fc5210673b1a4deb1d250a18c86759409b
Instruction ID: c128c532da501df5b7566b043b9e78dc69d960c864e7df3c5d43f1d098dcb33d
Opcode Fuzzy Hash: 9b773ba5b1f0b08b54117b9d083db9fc5210673b1a4deb1d250a18c86759409b
Instruction Fuzzy Hash: EFE01230C55308DFDF18DFA4D5055ADBF74FB8A312F5095A9C40923664C77A0944DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0559ABB1, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed42dac0db7537fb4aea63986307eb3e8c3037e86a2c53ac00a342667f64f04
Instruction ID: c68a3c5b8356c7b524f909539edf7b3e6abb9f19ece52c33d0794ae0002357be
Opcode Fuzzy Hash: 0ed42dac0db7537fb4aea63986307eb3e8c3037e86a2c53ac00a342667f64f04
Instruction Fuzzy Hash: 41D095F184B284DFDB40D954C80036D77DDE715321F040C514404A2340D57D59089790

Uniqueness

Uniqueness Score: -1.00%

Function 05592A2A, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7d6a2e30cbb8c3e2bd0f0ca6ce543613d57f06afe7040da718d175ea7cba2e
Instruction ID: 1d935a52945c8b54a57142c25a86d9279c65fd1b0b208c0f4b642fc366368cb4
Opcode Fuzzy Hash: cc7d6a2e30cbb8c3e2bd0f0ca6ce543613d57f06afe7040da718d175ea7cba2e
Instruction Fuzzy Hash: 87F09BB8A01309CFCB04DFA4D498A9CBFB2FB48305F605129E80AAB268DB741D45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 055988C8, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48eeed6545f633df0b6c1bfc62ae9152c788690fa2d209aeb4e3437bbafa9750
Instruction ID: 67a4a63d318b38b016a0896e99d0bfb0b7295952b6f7257b601ca048273eb3fa
Opcode Fuzzy Hash: 48eeed6545f633df0b6c1bfc62ae9152c788690fa2d209aeb4e3437bbafa9750
Instruction Fuzzy Hash: C9E08C30C46208EBCB04EFA8D5056ACBBB8FB49300F1084E9D80463341C7381A04DF90

Uniqueness

Uniqueness Score: -1.00%

Function 0559B6AD, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a32d849c8b8854aa16dab9ca8e16a5e2bb082a136e48f70e68cdef4e127c503
Instruction ID: 4d777f1614a92050b428888a68f2637ecae368e55a71eb53843fdcaff0b72c25
Opcode Fuzzy Hash: 0a32d849c8b8854aa16dab9ca8e16a5e2bb082a136e48f70e68cdef4e127c503
Instruction Fuzzy Hash: 61F0A574904218DBDF24CF95D880ADDBBB1BB49310F208199E509A7254C7755D80DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0559ADD9, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78099e3276391213df96701f21672d9dc246748f9cd52b843a92c3017be6f124
Instruction ID: 4ebefd7bf84785069f7e43b5008250618ba4c0f34408f188b820eedae8d7b8a5
Opcode Fuzzy Hash: 78099e3276391213df96701f21672d9dc246748f9cd52b843a92c3017be6f124
Instruction Fuzzy Hash: 03E08C30C05308EFCB14DFA4D0452ADBF74FB88301F1080A9C80463354C3740A84CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0559A4F0, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 388866f0041028e7821813f9637ca0b173a1a41979977f1da85c82dd5fdb366a
Instruction ID: 2d3771dfe0e780cbcac2e79e5cdb907eb387586f2834f690918098cb026f01da
Opcode Fuzzy Hash: 388866f0041028e7821813f9637ca0b173a1a41979977f1da85c82dd5fdb366a
Instruction Fuzzy Hash: E4D0177094A218DBCF18EFA4D5006ADBBB9BB85302F6045A9C80923394C73A9A44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0559C558, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c2754bcae048ee3e91190d9da19c89f3e18a37bee125d70007302fe1616244
Instruction ID: 2047511665b8f8265d873002e584c0e10caab97fa61d7230b713484aba608a6f
Opcode Fuzzy Hash: 10c2754bcae048ee3e91190d9da19c89f3e18a37bee125d70007302fe1616244
Instruction Fuzzy Hash: 63D022430CA64283EB182148D84D3B533CCA356209F4E1C125548402A0CA5C9084CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05598D70, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e9dfe3d0b169f5745768002701c4fc46da3fd586b8e9efd84d2b89176a65bc
Instruction ID: 49f75ddee9c12280d0f1b1b9a66d2e38f14e14a1441a0958637324b27855a0b8
Opcode Fuzzy Hash: 85e9dfe3d0b169f5745768002701c4fc46da3fd586b8e9efd84d2b89176a65bc
Instruction Fuzzy Hash: 9ED05E34846308EFDB14EFA8E5056ACBFB8FB46301F5400A9C80963350D6795A58CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0559AD06, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33efcd66fd42aeb391d12d594e0f8c2730f9e68739cbd639c1bb472a3ee5ffa6
Instruction ID: 8e832667579886de5cd4eb23a01cecc34518f8c3410420c87245f069d26f9c65
Opcode Fuzzy Hash: 33efcd66fd42aeb391d12d594e0f8c2730f9e68739cbd639c1bb472a3ee5ffa6
Instruction Fuzzy Hash: CFD0C770886308DFDF5CDA64D6016BD776CABC5211F205DAA840553551D7790D04DE94

Uniqueness

Uniqueness Score: -1.00%

Function 055987C0, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc43bcdef52a48b9640f8dd1d6f0c9d4abd8972b8e15dd5d8de442b0a150a3da
Instruction ID: f44d12d743d5f19e2647a34873e8fd40eb5aad6d632cefbee0addda62973ff76
Opcode Fuzzy Hash: bc43bcdef52a48b9640f8dd1d6f0c9d4abd8972b8e15dd5d8de442b0a150a3da
Instruction Fuzzy Hash: E4D05B34C45308EBCB14DFA4E50566DBFBCBB05311F5000D9C80573750D6355A44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05592DB8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a725b4d44a910d1c66747b257f1b64f704a01d91e507e56d1f921d1d933000
Instruction ID: b735446c9968b967e4a676cc4fd0fd938343903a14896f4a19cd8aeeadb967de
Opcode Fuzzy Hash: 61a725b4d44a910d1c66747b257f1b64f704a01d91e507e56d1f921d1d933000
Instruction Fuzzy Hash: 66D05E74946308EFCB18EFA8D5096ACBFB8FB46201F1004A9C80963351D7795A58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05591E10, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63a8f10131e85a4abd70c9fae3a11546b39d101c6ea8f5939a6be38bc620f40
Instruction ID: e90b2cc42fc83ec4fc13f0250f03cd5bdec8a941bf442faebb5da95e3e884001
Opcode Fuzzy Hash: f63a8f10131e85a4abd70c9fae3a11546b39d101c6ea8f5939a6be38bc620f40
Instruction Fuzzy Hash: 93D05E30D05309DBCB04EFA8D5116ADBF78AB42200F5005A9C80827241E6746A40CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 05599DE8, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6ab82174961a8c55afd725e3e36712675db45a10ce900e0d3769aa752dc56d
Instruction ID: 548704e3f67ba1ed79f61d7b1c37262e974aed0d6b56147b5547283b64b64487
Opcode Fuzzy Hash: ec6ab82174961a8c55afd725e3e36712675db45a10ce900e0d3769aa752dc56d
Instruction Fuzzy Hash: 3BD0223044B308DBCB28DFA0D445B7ABB3CFB8A202F00089C840913260DB3A1D04CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 05599A50, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e854d2a95e0bb14a729085b01093202cf2a5bddf4881d24a3e34bd3d28f1b0
Instruction ID: 6b88a80f0ad3552308e285834f7fea0c40db85d4779c7471932284cfef7772f0
Opcode Fuzzy Hash: 95e854d2a95e0bb14a729085b01093202cf2a5bddf4881d24a3e34bd3d28f1b0
Instruction Fuzzy Hash: 7BD0A97084A388DBDB28DBA8C4046B97B7DEB42605F5008AD880812260CA3A9A00CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0559C408, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a372611f068fa7e286a94e2bf5489b73b5a75d7893c1ad2f5326f4cb810f8ca
Instruction ID: 4e106c86558689dad8297769999c8f6dad789e0fd7d72123c4d3a79605f5309b
Opcode Fuzzy Hash: 0a372611f068fa7e286a94e2bf5489b73b5a75d7893c1ad2f5326f4cb810f8ca
Instruction Fuzzy Hash: 31D0A9B054A308DBDB28DAA0A60077ABB6DAB46206F9004E9C40902210CA7B9D04CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 014923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373480433.0000000001492000.00000040.00000001.sdmp, Offset: 01492000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336f61e4129097ecc7fe7d77d40ad49bef2cbc614998e57df34853db01ba67f0
Instruction ID: 5f61c0c4a0ea9ecd9c4d78d1469dd5fa2b48c1229e563c13cd81abd7b35b3e3f
Opcode Fuzzy Hash: 336f61e4129097ecc7fe7d77d40ad49bef2cbc614998e57df34853db01ba67f0
Instruction Fuzzy Hash: 95D05E79215A919FE7268A1CC1A8F963FA4AB61B04F4644FEE8008B773C3A8D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 05599460, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8adde61f3aa5c3486a1c8e5e19d2167c1f5decd7bcd04ece625377f24f3dc360
Instruction ID: 6dfb6caa271a86dfd048bd33f3de08b6c0e77315d7672448e52a22fbd669582d
Opcode Fuzzy Hash: 8adde61f3aa5c3486a1c8e5e19d2167c1f5decd7bcd04ece625377f24f3dc360
Instruction Fuzzy Hash: F8E09274E012298BDF64DF68C89879DBBB1BF85304F5080AAC549E3380DF3809859F51

Uniqueness

Uniqueness Score: -1.00%

Function 014923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.373480433.0000000001492000.00000040.00000001.sdmp, Offset: 01492000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcc9bc0a2a35a05c8bd13febd8acff63028f6e8eea15e56fc85452adea710f8
Instruction ID: 7ffc1e742c5c20f2c684010b6bf8e53bcc0da42807a53a599434c21f0251f372
Opcode Fuzzy Hash: 5bcc9bc0a2a35a05c8bd13febd8acff63028f6e8eea15e56fc85452adea710f8
Instruction Fuzzy Hash: D4D05E342002818BDB25DB1CC598F5A3FD4AB41B00F0644E9AD00CB772C3B4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 0559C568, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c3b12e1dfc98efc164c4cf99b36d45a4dd2f2caa84c8b6fa61a4ad1b80f662
Instruction ID: 9219ba57a065cb0afec19178a98d38af625cdf02ee1d8be14263e037a7a3b575
Opcode Fuzzy Hash: 83c3b12e1dfc98efc164c4cf99b36d45a4dd2f2caa84c8b6fa61a4ad1b80f662
Instruction Fuzzy Hash: ECC022200CF30A83EE2C3288208C33233CCBB8B200F882C02280C0003288AEA888C8A0

Uniqueness

Uniqueness Score: -1.00%

Function 05592662, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88414917b2c90a7c5a172049045c5d1e8c043ba093a3ec645ccdfdd41b3968a8
Instruction ID: cac6df8f9f349f04afe318ccc31bba1dea4a50202071ff1e54bb21962b405ea4
Opcode Fuzzy Hash: 88414917b2c90a7c5a172049045c5d1e8c043ba093a3ec645ccdfdd41b3968a8
Instruction Fuzzy Hash: 69D01274904109DBCB60CF54D45478C7FB6FB04304F10A5A9D40972254CF780E8C8F50

Uniqueness

Uniqueness Score: -1.00%

Function 05599C5A, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4fa3f7392ea31b0fca942a88df25165494d945150c6ef6ef312b054ac9afbc2
Instruction ID: 2dae45e7bcf8e63b6adc43bf870fb7229aae1a56ab88fc8f75c237c10d6402ea
Opcode Fuzzy Hash: c4fa3f7392ea31b0fca942a88df25165494d945150c6ef6ef312b054ac9afbc2
Instruction Fuzzy Hash: 5DC00278D09208CB9B54CFA6D54459CBFF6BB49344B2196399409A3215D7341904CF00

Uniqueness

Uniqueness Score: -1.00%

Function 05599C41, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dd05d672853989c3227ea82d5493afac51efbaa0aa3a92f7238c97b4c7a32b
Instruction ID: 026d544955f1b743d69cd954b398811bacee8069513166e23b234acd1c6b8c77
Opcode Fuzzy Hash: 25dd05d672853989c3227ea82d5493afac51efbaa0aa3a92f7238c97b4c7a32b
Instruction Fuzzy Hash: 9DB0127040C10487DB044BE0C00C32CBA33FB01305F00111AC00771884877C00404E61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05592DE9, Relevance: 5.1, Strings: 4, Instructions: 138COMMON

Download Yara Rule

Strings

f]?r, xrefs: 05592E48
`5ar, xrefs: 05592FED
:@:r, xrefs: 05592F14
>_?r, xrefs: 05592F31

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: :@:r$>_?r$`5ar$f]?r
API String ID: 0-3822966099
Opcode ID: 0dd09d6bc7deba393e2ba411f7a6eb66eb5e23bffd066ba335fd1a7a6b0823ed
Instruction ID: b3a545458cd05e6201a7826571f277b3c786226944aa3c9c153844917afef97a
Opcode Fuzzy Hash: 0dd09d6bc7deba393e2ba411f7a6eb66eb5e23bffd066ba335fd1a7a6b0823ed
Instruction Fuzzy Hash: B3516C71A002098FDB54DF6AE9417ADBFB2FFD4304F55D02ED104AB269DF7558068B90

Uniqueness

Uniqueness Score: -1.00%

Function 05592DF8, Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

f]?r, xrefs: 05592E48
`5ar, xrefs: 05592FED
:@:r, xrefs: 05592F14
>_?r, xrefs: 05592F31

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: :@:r$>_?r$`5ar$f]?r
API String ID: 0-3822966099
Opcode ID: bf926580b82945c1e6352c41e9478ca12761185dd28534fe5acb4e763b68dfe9
Instruction ID: 4058851f85e6ba4bb160fcdd5c6acc872ea2b97f3cf1f420b076adf03f46542d
Opcode Fuzzy Hash: bf926580b82945c1e6352c41e9478ca12761185dd28534fe5acb4e763b68dfe9
Instruction Fuzzy Hash: B7516C70A002098FDB54DF6AE940BADBFB6FFD4304F51D02ED108AB269DFB558068B90

Uniqueness

Uniqueness Score: -1.00%

Function 0559BF92, Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

#, xrefs: 0559BFD4

Memory Dump Source

Source File: 00000000.00000002.375064887.0000000005590000.00000040.00000001.sdmp, Offset: 05590000, based on PE: false

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4c5476bc388e789b768124f1f3a563fd36ea3f558307abd8e1a2519f45711ae4
Instruction ID: d50782b92cab83746b9329441b5e3b92cc36e28b3b7c33d0f3c7673cfc5256ae
Opcode Fuzzy Hash: 4c5476bc388e789b768124f1f3a563fd36ea3f558307abd8e1a2519f45711ae4
Instruction Fuzzy Hash: 74F0F631A191288BDF24CE58E8907ECB7B6BB46315F5054D6C14DA6150C7399E84CF41

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 6716 Parent PID: 6388 RegSvcs.exeCOMMON

Executed Functions

Function 04FB23A0, Relevance: 6.5, APIs: 4, Instructions: 505COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB23F2
MonitorFromRect.USER32 ref: 04FB256D

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: e1dbe3000650bcd8d37767f61d953e5b10c2a370bc1f854c921b79d313335e57
Instruction ID: 44e83c46bc4f483e03e8b0c9cb7e4a7a5fe6136bf61b7003da43c757ea678fbb
Opcode Fuzzy Hash: e1dbe3000650bcd8d37767f61d953e5b10c2a370bc1f854c921b79d313335e57
Instruction Fuzzy Hash: 1B12D235E00215CFC724DF2AC8886ADBBF2BF85311F2585A9D445EB385EB74A847CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04FB89D8, Relevance: 3.5, APIs: 2, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52939a073c70a108e039e775d727d51503c25738ae5d316a13f51d752265b37d
Instruction ID: 7515804bc95e783cd0d61cc22878acb255428483d76c58451a72d98254569d10
Opcode Fuzzy Hash: 52939a073c70a108e039e775d727d51503c25738ae5d316a13f51d752265b37d
Instruction Fuzzy Hash: F012ED71E10215CFCB14EF6AC4846ADBBF6BFC6340F14856AE5469B344DB74E882DB81

Uniqueness

Uniqueness Score: -1.00%

Function 04FB2FA8, Relevance: 1.7, APIs: 1, Instructions: 239COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB301C

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: b248147badb4ace5211cbe8d67e06e8e3f2ec2c6c5c424a7d0b36debf44f22d6
Instruction ID: 4957ae52cf54f1fe79fc7812e60d2f74a7d12853d8dbad0fe56ef6c226fdd41e
Opcode Fuzzy Hash: b248147badb4ace5211cbe8d67e06e8e3f2ec2c6c5c424a7d0b36debf44f22d6
Instruction Fuzzy Hash: B281BF36F015159BD704DB6EC844AAEBBF3AFC9350F2A8475D805DB359DE31AC028B90

Uniqueness

Uniqueness Score: -1.00%

Function 050E2998, Relevance: 1.6, APIs: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E2A4B

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 511ddc38d383492f5776122c49f0a0652eef0adec92b16a28a5f6c1f9faa7909
Instruction ID: 9680d4750865f02fdfc601a6bb2cd3171c578b60219819d97e2e24819087e64f
Opcode Fuzzy Hash: 511ddc38d383492f5776122c49f0a0652eef0adec92b16a28a5f6c1f9faa7909
Instruction Fuzzy Hash: A2317A7650A3C0AFD7138B209C55B56BFB8AF07210F1984DBE984DF1A3D268A949C772

Uniqueness

Uniqueness Score: -1.00%

Function 050E1463, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 050E14E3

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 8a17e029d52ef2e9c43d70e31cfa91b45283f4169b6f4bdcb4c6d1f08207f5fa
Instruction ID: db47015250af8ae20fbf3d2f046f17bf119e467ecd69416795f720bcccef8fed
Opcode Fuzzy Hash: 8a17e029d52ef2e9c43d70e31cfa91b45283f4169b6f4bdcb4c6d1f08207f5fa
Instruction Fuzzy Hash: C621D376509780AFDB138F25DC40B56BFF4EF06210F1884DAE9858F263D2749908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050E2EA6, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E2F16

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 5fa2929f9d530d89f1212192fd3c341f03341e78d3bc44c76eee5c6a8e1d7e3c
Instruction ID: f1e7a74dd30827eeb725fbd1711156beac1bbeeb95d043cecf4467b767698af4
Opcode Fuzzy Hash: 5fa2929f9d530d89f1212192fd3c341f03341e78d3bc44c76eee5c6a8e1d7e3c
Instruction Fuzzy Hash: 18119D72400604AEEB21CF55DC85FABFBECEF04310F14896BEA499B211D674A5098BB1

Uniqueness

Uniqueness Score: -1.00%

Function 050E29EA, Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E2A4B

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 7f036889b06778baa7f370f386dd8168aebe2e5b4fdf6310ae9edd792f619aea
Instruction ID: 28376de150fe20466dd29f983d389055dbb7f12fd0ca581074873019c942a169
Opcode Fuzzy Hash: 7f036889b06778baa7f370f386dd8168aebe2e5b4fdf6310ae9edd792f619aea
Instruction Fuzzy Hash: BE119075500204AFE721DF55ED85FAAFBECEF04310F18846BEE459B241D6B4A504CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E149A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 050E14E3

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 1da5c81d9fd4b202d7fe9a18bd555372296c0c4b6ae02f99377132b205ca4ad8
Instruction ID: c91da3f3ee287e4b3065924c87c7ff168590aa491a7c3e3c158ad22379d2ce6c
Opcode Fuzzy Hash: 1da5c81d9fd4b202d7fe9a18bd555372296c0c4b6ae02f99377132b205ca4ad8
Instruction Fuzzy Hash: 3D117076500604DFDB21CF55E884B6AFBE4EF04320F1884AADE4A8B751D375E418CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E17E8, Relevance: 1.6, APIs: 1, Instructions: 50nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 050E1845

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 310fa97c97ab6015444f95ffe527c580b176fa01db1edcf2f55670b2c5fe6a6c
Instruction ID: 7a49861d27f8a7e679d4718cd7a845ea33c4464c770d9be49b293f5c1c24cfcb
Opcode Fuzzy Hash: 310fa97c97ab6015444f95ffe527c580b176fa01db1edcf2f55670b2c5fe6a6c
Instruction Fuzzy Hash: 7011C271409780AFDB228F15DC45E62FFF4EF06220F08C49EEE844B662D275A918DB62

Uniqueness

Uniqueness Score: -1.00%

Function 050E11C2, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 050E11F4

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 08699e9c4eefcecf3747163fe4a40d6ff7f7c9dfdfc4748867bcc3f74e6300b0
Instruction ID: 411c79325802f3c75884b06d61bb339c45db7f75cee44ef5f738439f45e14630
Opcode Fuzzy Hash: 08699e9c4eefcecf3747163fe4a40d6ff7f7c9dfdfc4748867bcc3f74e6300b0
Instruction Fuzzy Hash: BA018B71904240AFDB10CF55E88476AFFE4EF44220F28C4AADE488F216D2B9A508CB62

Uniqueness

Uniqueness Score: -1.00%

Function 050E180A, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 050E1845

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 5fd1a1cab9d8e1963a3a9fce8c3e702baf3ecacfff2a09da3274669e7817415c
Instruction ID: eef8f66e7ccc5fcd23b7e8fc71e7f609e2a97160ceed517accf938575e614170
Opcode Fuzzy Hash: 5fd1a1cab9d8e1963a3a9fce8c3e702baf3ecacfff2a09da3274669e7817415c
Instruction Fuzzy Hash: B3018F35400640DFDB20CF55E984B6AFFE1FF04720F18C09ADE894B611D275A418DB62

Uniqueness

Uniqueness Score: -1.00%

Function 02872477, Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.625049751.0000000002872000.00000040.00000001.sdmp, Offset: 02872000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2d9b8fd454eea1f996c4ba38c6f62cfe5f59588cc9746c6a9253919e09007be
Instruction ID: ba428da812075e89d3ba05cca9b380de4065d479e3d0fdd73d173519a7f86a62
Opcode Fuzzy Hash: b2d9b8fd454eea1f996c4ba38c6f62cfe5f59588cc9746c6a9253919e09007be
Instruction Fuzzy Hash: CD32F56D90E3D29FC7174B744874694BFB2AF1724971D25CBCCC0CA0ABE229C946C76A

Uniqueness

Uniqueness Score: -1.00%

Function 04FB09A5, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB0A2E
MonitorFromRect.USER32 ref: 04FB0AD9
MonitorFromRect.USER32(00000000,00000001), ref: 04FB0B2A

Strings

X1ar, xrefs: 04FB0A5A
X1ar, xrefs: 04FB0A98
X1ar, xrefs: 04FB0A50
X1ar, xrefs: 04FB0AA2

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID: X1ar$X1ar$X1ar$X1ar
API String ID: 2578442757-346077691
Opcode ID: dffc491ebf07b610b9ad239c2e468c11945c20f30fbc6a650ef28e903e03d10e
Instruction ID: 1e3c91c24cc1d2dcaa3914c201f3c46145a2495bdde6f2ddd0ade7d6ef8fcdb9
Opcode Fuzzy Hash: dffc491ebf07b610b9ad239c2e468c11945c20f30fbc6a650ef28e903e03d10e
Instruction Fuzzy Hash: C051C13AB40215DFCB14AFA9D854AAFB7B2EF85704F208465E546DB294DF30AD03CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0681, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB07CA
MonitorFromRect.USER32 ref: 04FB0812
MonitorFromRect.USER32 ref: 04FB0848

Strings

Zkp^, xrefs: 04FB06A1, 04FB06A6

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID: Zkp^
API String ID: 2578442757-4109753845
Opcode ID: 3b34def2da7e8ff2c7c71682ef783b941774c8590bdd6668e3ea9e3965f067f9
Instruction ID: 7e92255874f978024ccc5f64222797a7d60e7f42063d40683bdeb02fef5bf708
Opcode Fuzzy Hash: 3b34def2da7e8ff2c7c71682ef783b941774c8590bdd6668e3ea9e3965f067f9
Instruction Fuzzy Hash: 4B416E3EB402018BC7047B7DEC585AEBB72BFC0711B64496AE543CA2A9DF705C568BD2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB8670, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB8742
MonitorFromRect.USER32 ref: 04FB8757

Strings

]Dkp^, xrefs: 04FB869E, 04FB86A3

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID: ]Dkp^
API String ID: 2578442757-2082484882
Opcode ID: 0e42bcfa1f9f5f040836bc0639b00c4f21c422e1f229386603d640f8beaf939f
Instruction ID: 6646b88c2ca405f0a49e3063ccd2f3903aca632c6250bd828573e22341c79a2f
Opcode Fuzzy Hash: 0e42bcfa1f9f5f040836bc0639b00c4f21c422e1f229386603d640f8beaf939f
Instruction Fuzzy Hash: 7031AF36724204CBC704BB3AE4089AD3BABEBC5764B548569E942CB355EF71EC02DB81

Uniqueness

Uniqueness Score: -1.00%

Function 04FB8320, Relevance: 4.8, APIs: 3, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d9c2eb493b72f0f594ff3e61e988c7d542a3acf5400d6ec253f3983cff82ef
Instruction ID: 32b64810b7ca1383767af19b4d936b33a1cecd60a000ce2b9f5003ed5b9aa227
Opcode Fuzzy Hash: a3d9c2eb493b72f0f594ff3e61e988c7d542a3acf5400d6ec253f3983cff82ef
Instruction Fuzzy Hash: 0DA16776E00219CFCB14EFA9C5846DEFBF4FF89350F24856AD496A7250E730A846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 04FB21F8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB2217

Strings

r*+, xrefs: 04FB230F

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID: r*+
API String ID: 2578442757-3221063712
Opcode ID: 7d6c42035372bf97098f4403a177dcbf3c7ebea1c45b30bf610b2f9ee3c1e4e5
Instruction ID: 8c1012ed1c395996c51deff476986516d98e3f3ba07c289d282152b669817da0
Opcode Fuzzy Hash: 7d6c42035372bf97098f4403a177dcbf3c7ebea1c45b30bf610b2f9ee3c1e4e5
Instruction Fuzzy Hash: 4B414235E04209DFDB44DFA6C5496EEBBB1FF46300F1184AAC442D7264E734AA06DF92

Uniqueness

Uniqueness Score: -1.00%

Function 04FBDEB7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FBDF21

Strings

l_r, xrefs: 04FBDF73

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID: l_r
API String ID: 2578442757-1875860616
Opcode ID: 46a68df4406ba8594a0a9d1e398e762194000b439a4292f030330e679e0339c0
Instruction ID: 5444f88f3643acda3f78477e607e2df61c99c9b6481a5fe859b81442f7bb44dd
Opcode Fuzzy Hash: 46a68df4406ba8594a0a9d1e398e762194000b439a4292f030330e679e0339c0
Instruction Fuzzy Hash: 75219236B08114CBCB059B6AD4003EEBBE6FB8A315F14456AE486D7744EB35EC439BD2

Uniqueness

Uniqueness Score: -1.00%

Function 04FBACFF, Relevance: 3.2, APIs: 2, Instructions: 231COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FBAD3F
MonitorFromRect.USER32(00000000,00000000,00000000,00000000,?,?), ref: 04FBAE12

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: cf6f86e04750354f021b6f6e15bc061b9b536fe30a027aa6ebea8ee0c2292aa6
Instruction ID: 4f6ff58dc0ad301bdbc5baefd3338b7797846f51c74a318edd26db6110f947bd
Opcode Fuzzy Hash: cf6f86e04750354f021b6f6e15bc061b9b536fe30a027aa6ebea8ee0c2292aa6
Instruction Fuzzy Hash: 2A81BF75B005158BD704EB68C880B6E7BA7FFC5700FA58638D6059B798DF70AC06CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0871, Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB0812
MonitorFromRect.USER32 ref: 04FB0848

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: be36139dd7550c711472befd30a2146c2f0f828e3117884c2f211a0f155cd75d
Instruction ID: 8bcfb53fe2f5f13a7dbbfaab0bc9943a028e1a33eb07984f5469c939e1d608e5
Opcode Fuzzy Hash: be36139dd7550c711472befd30a2146c2f0f828e3117884c2f211a0f155cd75d
Instruction Fuzzy Hash: 1E01253ED801118FC7202B6DFD5C29ABB70EF41312B6958BAE086C10E5DF2059A2CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 06370EC8, Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

X1ar, xrefs: 06370FD9
l_r, xrefs: 06371080

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID: X1ar$l_r
API String ID: 0-1851361061
Opcode ID: 0d43a0a6a08d9c8a7749b27e2bda0b4bca32368c7bdfc717bd636ab5e78f4b23
Instruction ID: 205589823058dc5ace23e6e8d089ec947173ef9e110f33f003624c66f583dcb4
Opcode Fuzzy Hash: 0d43a0a6a08d9c8a7749b27e2bda0b4bca32368c7bdfc717bd636ab5e78f4b23
Instruction Fuzzy Hash: ED51B575E00249DFDBA8DFB8C4506AEBBF6AB89300F54456DD406DB344DB38A806CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0637103D, Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

X1ar, xrefs: 06370FD9
l_r, xrefs: 06371080

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID: X1ar$l_r
API String ID: 0-1851361061
Opcode ID: c5f0f9b5afe4de752abff1ee7c54f9511eb7abb9c757e2d15f6956aec48137f7
Instruction ID: 72e418dc8557a90e92cfc27dddf4a43e1d4ca710923b0b9a982a7442b6ea6a37
Opcode Fuzzy Hash: c5f0f9b5afe4de752abff1ee7c54f9511eb7abb9c757e2d15f6956aec48137f7
Instruction Fuzzy Hash: 8B319376A012448FDB58DFB9C4546AEB7F2BFC9304F548569C446DB385DB34A80ACBC2

Uniqueness

Uniqueness Score: -1.00%

Function 06371049, Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

X1ar, xrefs: 06370FD9
l_r, xrefs: 06371080

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID: X1ar$l_r
API String ID: 0-1851361061
Opcode ID: c5f0f9b5afe4de752abff1ee7c54f9511eb7abb9c757e2d15f6956aec48137f7
Instruction ID: 72e418dc8557a90e92cfc27dddf4a43e1d4ca710923b0b9a982a7442b6ea6a37
Opcode Fuzzy Hash: c5f0f9b5afe4de752abff1ee7c54f9511eb7abb9c757e2d15f6956aec48137f7
Instruction Fuzzy Hash: 8B319376A012448FDB58DFB9C4546AEB7F2BFC9304F548569C446DB385DB34A80ACBC2

Uniqueness

Uniqueness Score: -1.00%

Function 04FBEA98, Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FBEC41

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: d7da6311eff82ac136e8f1f380ba8f27313139ff975aa20ed5efcf1cfaf36376
Instruction ID: d0623667baba45371f7d239c4ae564eab0c2c57b4a268cc69f317c4fdd30550a
Opcode Fuzzy Hash: d7da6311eff82ac136e8f1f380ba8f27313139ff975aa20ed5efcf1cfaf36376
Instruction Fuzzy Hash: F1713835B04208CFDB15DF6AC484AE9BBF1BF8A311F149459E496A7760DB70F882DB90

Uniqueness

Uniqueness Score: -1.00%

Function 04FBBE89, Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32(-057A6EEC,00000001,00000000,?), ref: 04FBBFE4

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: ed74c628b9827f0ec198e902cc8ba5a77030ebf8196217d69388bf576b0b3c3f
Instruction ID: 4b1741875ce89741b7452e31feebc7612ffb04909fd515ea2008478165ea66e6
Opcode Fuzzy Hash: ed74c628b9827f0ec198e902cc8ba5a77030ebf8196217d69388bf576b0b3c3f
Instruction Fuzzy Hash: 745117322042418FD719CF19CCC4BAAB7B6FB86310F5A89A9D595CFA52D730F846CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04FBE330, Relevance: 1.7, APIs: 1, Instructions: 164COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32(?,?,?,00000048), ref: 04FBE38F

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: f06a588687b62d2100bea0df5a24f35860d771a47087839dcc18dcd2c6549b3c
Instruction ID: 673a8e1f7f2d63ae7e3e0dd5cdd729118b144f661cdeb4052e8cd0459ef496cb
Opcode Fuzzy Hash: f06a588687b62d2100bea0df5a24f35860d771a47087839dcc18dcd2c6549b3c
Instruction Fuzzy Hash: 98518E36B00218DFCF04DFA9D8408EEBBB7FF85310B158465E90AAB215DB30BD469B91

Uniqueness

Uniqueness Score: -1.00%

Function 04FBCDF8, Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FBCEC4

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 5d7b24f68441f5541a98a17053ec8b2fa66f5a01130f770d174ede973b2ac224
Instruction ID: 5df402d1d61f872bf3f3edc147480333ba061a2dadc3d3cc9c1131f74dfcbd7d
Opcode Fuzzy Hash: 5d7b24f68441f5541a98a17053ec8b2fa66f5a01130f770d174ede973b2ac224
Instruction Fuzzy Hash: A341A236A00785DFD714DF7BC8445ABBBF2EB8A314B14CA6DD49697680DB30B8428B90

Uniqueness

Uniqueness Score: -1.00%

Function 04FBEA88, Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FBEC41

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 07c4117051f7572dfd89bf83844582daa8a4f014b1cbb1da51d5f9e95c89f414
Instruction ID: 86297c5f4f4073ffde6266b5806606d34a6b7c9be808deddd73c8abe6ca22abb
Opcode Fuzzy Hash: 07c4117051f7572dfd89bf83844582daa8a4f014b1cbb1da51d5f9e95c89f414
Instruction Fuzzy Hash: AE517E35A04604CFDB15CF6AC484BE9BBF1FF49311F148859D492A7660DB70F882DB80

Uniqueness

Uniqueness Score: -1.00%

Function 050E1950, Relevance: 1.6, APIs: 1, Instructions: 126networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 050E1A46

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: cdecb4209a46c508944cfce996a924d7c5eff8deb56503df5998bd369b0d15e0
Instruction ID: cadd167bea598d2a5b5ac3dd1716bac54427bd80df74e29afffceed75b9bc374
Opcode Fuzzy Hash: cdecb4209a46c508944cfce996a924d7c5eff8deb56503df5998bd369b0d15e0
Instruction Fuzzy Hash: 5C41246540E7C06FD3138B318C61A61BFB4AF47614B0E85CBE8C4CF5A3D269690AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0170, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB018B

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: b1f3380d1e1e9f6ef557a779da8040edc410790384effcb92e5e4db0651bc495
Instruction ID: 439a7a2a0742ebf0a9e14f35f1a4ec809fd9a676f5935b9893487f1d7ee3f488
Opcode Fuzzy Hash: b1f3380d1e1e9f6ef557a779da8040edc410790384effcb92e5e4db0651bc495
Instruction Fuzzy Hash: F331CF74B043548FEB119F78D840B2A7FE9EF86604F1404A9E981CB392EB71AC018760

Uniqueness

Uniqueness Score: -1.00%

Function 04FBEE60, Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 04FB23A0: MonitorFromRect.USER32 ref: 04FB23F2

Part of subcall function 04FB23A0: MonitorFromRect.USER32 ref: 04FB256D

MonitorFromRect.USER32(?,?,?,?), ref: 04FBEF29

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: edffaa4d4d4e64a0f04133b356f40e6034fdaa1c2d20a1e23fb095317cf39b53
Instruction ID: 8f4689a06bcc86d0422852efa14ce8afab80ecc66d098a344fa52f1a97683f92
Opcode Fuzzy Hash: edffaa4d4d4e64a0f04133b356f40e6034fdaa1c2d20a1e23fb095317cf39b53
Instruction Fuzzy Hash: C6319437A041149FCF05EF69D8448EEBBB2EF8A311B050865E946AB250DB71BD1ACBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04FBEE51, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 04FB23A0: MonitorFromRect.USER32 ref: 04FB23F2

Part of subcall function 04FB23A0: MonitorFromRect.USER32 ref: 04FB256D

MonitorFromRect.USER32(?,?,?,?), ref: 04FBEF29

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: e5f08b275c84d6cabdcd074e4731ebc53c4e4052bbb1ef31eefb119ed1111c85
Instruction ID: 0607ec2ceec512dbc87d5e18f94b4c5ea083ea9ca66194fe44750c4e1eaa0703
Opcode Fuzzy Hash: e5f08b275c84d6cabdcd074e4731ebc53c4e4052bbb1ef31eefb119ed1111c85
Instruction Fuzzy Hash: BF31C436A001149BDF01EF69D8449EEBBB2EF8A310F054865E546AB250DB71B90ADBD1

Uniqueness

Uniqueness Score: -1.00%

Function 04FBE321, Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32(?,?,?,00000048), ref: 04FBE38F

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 492ae73862d729fccf680fd87d8c146865995bbbefd44b73476ae45b33569d93
Instruction ID: d31dd7e6d19414b44d816f1da6027ac86b78bb295f9e61585217a615ec2974c1
Opcode Fuzzy Hash: 492ae73862d729fccf680fd87d8c146865995bbbefd44b73476ae45b33569d93
Instruction Fuzzy Hash: 17318F36B00218DFCF04DFA5D8449EEBBB7BF85300F154436E54AAB261EB31AD069B91

Uniqueness

Uniqueness Score: -1.00%

Function 04FB20D0, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB21C6

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: c22bc1e0e738b1a9a361b9a6e00a6f3db76880827021964d95e6be91a41ad4ef
Instruction ID: f084ed5358483d391961034890ccc0203d3f058e5c050288a2742a5eb80131da
Opcode Fuzzy Hash: c22bc1e0e738b1a9a361b9a6e00a6f3db76880827021964d95e6be91a41ad4ef
Instruction Fuzzy Hash: 84315231B04206DFDB05DF99C8845BE7BB1EB86340B1284A6D5959B355E730BC43C791

Uniqueness

Uniqueness Score: -1.00%

Function 050E0EB8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 050E0F5B

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 86e584d9a70bdcc45a20ea95e457dc70a328e0cf77f6a1233f3690fed9145aa5
Instruction ID: 4be43fb9fd324369447c80ce98ca63820f20829f09f880055bf5454e5540d42f
Opcode Fuzzy Hash: 86e584d9a70bdcc45a20ea95e457dc70a328e0cf77f6a1233f3690fed9145aa5
Instruction Fuzzy Hash: C031D372004344AFEB228F64DC44F67BFACEF46310F0488AAF985CB152D264A519CB70

Uniqueness

Uniqueness Score: -1.00%

Function 050E3069, Relevance: 1.6, APIs: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 050E3126

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 90987c84eda2b9c207801b081c6eebcda0aec8fc046d8d7c5c35bc21a7aeaa65
Instruction ID: b6454a198effea78a86cacb6fafa4a5f4cb18c26e9bdba8510968f82ae1dcd98
Opcode Fuzzy Hash: 90987c84eda2b9c207801b081c6eebcda0aec8fc046d8d7c5c35bc21a7aeaa65
Instruction Fuzzy Hash: B731C17150D3C05FD7038B258C65B66BFB8EF47620F1A81CBD8848F2A3E2246909C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 050E0C58, Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 050E0D1A

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: d5e8a99aa7b330f7308544ed7a264cc6a6a5fcec9b0b23591150a8b95fc3a195
Instruction ID: 3ae47d730a44f2a60ac17c3022179b77a2ada0546f61b263c3cedaa648590124
Opcode Fuzzy Hash: d5e8a99aa7b330f7308544ed7a264cc6a6a5fcec9b0b23591150a8b95fc3a195
Instruction Fuzzy Hash: AF316B7140D3C06FD7038B658C51B62BFB4EF87610F0E85DBE9848F5A3D225A91AC7A2

Uniqueness

Uniqueness Score: -1.00%

Function 050E0390, Relevance: 1.6, APIs: 1, Instructions: 93registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 050E045E

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 90eb3ba2bcde56b39a169e4e648ddd07d32a377c1d9166cadb1d43c0223a964a
Instruction ID: 9b084a27b94894e3b8d78b6b6f25900159864725c8b5ea8993c3c02f5d35920e
Opcode Fuzzy Hash: 90eb3ba2bcde56b39a169e4e648ddd07d32a377c1d9166cadb1d43c0223a964a
Instruction Fuzzy Hash: D231D7B2004344AFE7228F10DC41FA6FFB8EF06710F14459EEA859B152D3A5A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E07F4, Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 050E0899

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 52d1f8ac54e5949bb178a6b713e3e81416608bc669ae251b2cc155d2c9e05a7e
Instruction ID: 1c5075736581964f8321c494d3890e94c1f032be8a5a16f9ea48ee58d3c5901c
Opcode Fuzzy Hash: 52d1f8ac54e5949bb178a6b713e3e81416608bc669ae251b2cc155d2c9e05a7e
Instruction Fuzzy Hash: 8F31ADB1504380AFE722CF65DD44F66BFE8EF46210F1884AEE9858B252D375E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0287AA02, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0287AAB1

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: fa42159afe4a99898e61a21304fb48e0ce47bdcce3a464d282bcdf6daf209dbe
Instruction ID: fdd242b40938d2dd1c6831078753cf432239709b040c5075b1a8c4e4da2136f5
Opcode Fuzzy Hash: fa42159afe4a99898e61a21304fb48e0ce47bdcce3a464d282bcdf6daf209dbe
Instruction Fuzzy Hash: 3431C272404384AFE7228B24CC45F67FFACEF06710F08849BED849B252D264E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FB50E0, Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 04FB23A0: MonitorFromRect.USER32 ref: 04FB23F2

MonitorFromRect.USER32 ref: 04FB5106

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: dd2cd2bd2f42f49c693cde51f6db6969e523e523ef270ea7255e516720067be9
Instruction ID: 80bfb2c79bf4bc6737806f03efbc9bf5b413a744d67d09fdc1c7a212ade5e05d
Opcode Fuzzy Hash: dd2cd2bd2f42f49c693cde51f6db6969e523e523ef270ea7255e516720067be9
Instruction Fuzzy Hash: 2A218D35A003099FDB04DFAAC8146EEFBF6AFC9308F104429C406AB355EB74A946CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 050E0FB9, Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E105C

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: eb5742098c7002c2443c185f89a337594f1ab00f7c249c046d63aaa66f7bb165
Instruction ID: 649954e0117333636413ddd213c803bddb4cbc4822adaa1e3d12e923e1ed99fc
Opcode Fuzzy Hash: eb5742098c7002c2443c185f89a337594f1ab00f7c249c046d63aaa66f7bb165
Instruction Fuzzy Hash: 0531F671509380AFE7128B24DC55FA6BFA8EF43710F1884DBE9848F293D265A508C761

Uniqueness

Uniqueness Score: -1.00%

Function 050E2720, Relevance: 1.6, APIs: 1, Instructions: 90timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E27BD

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 012bf742a771140cf43a2ff89d9b072e9e2fe1742b18f0cbe45b5f388c2dde70
Instruction ID: d5ffd0cdbf8a509ca7705e7b6aebedc549760b83bb0a18ec4ae78d1255803476
Opcode Fuzzy Hash: 012bf742a771140cf43a2ff89d9b072e9e2fe1742b18f0cbe45b5f388c2dde70
Instruction Fuzzy Hash: 7131D172409380AFEB128F64DC45FA6BFB8EF16314F1884DBE9849B192D225A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 050E00F6, Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 050E019D

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 8d4d1b3c4f22f05b887a3c001e78ed618c961bdfa8699984c2c367a9ce267152
Instruction ID: 46d2ad343e2dfda6c0c3356ca76b5720a33ed7ec552df0f525a6f9e0a7837482
Opcode Fuzzy Hash: 8d4d1b3c4f22f05b887a3c001e78ed618c961bdfa8699984c2c367a9ce267152
Instruction Fuzzy Hash: 78319171509780AFE712CB65DC85F5AFFF8EF06210F18849AE984CF292D375A909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0287AAF9, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 0287ABB4

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 74ce119d2e6024b7f3cb0b0c31f01a4741ccc18a78ef6bccd65741d1afd602de
Instruction ID: e30fff77ef557120dab9166d1d704108390f73741932f5aac571132e8ba6d23f
Opcode Fuzzy Hash: 74ce119d2e6024b7f3cb0b0c31f01a4741ccc18a78ef6bccd65741d1afd602de
Instruction Fuzzy Hash: F031B376108384AFD722CB65CC84F66BFB8EF06310F08849AE985CB252D364E548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB001C, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB0082

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 6cc8ff827ffd4c5348344a5d601193cda3559e825f36d62b1eb4be42ea848361
Instruction ID: d00c9c7515d5b7547f357bfded18347313fc4624533ff1afae1b9cfd64eb85ce
Opcode Fuzzy Hash: 6cc8ff827ffd4c5348344a5d601193cda3559e825f36d62b1eb4be42ea848361
Instruction Fuzzy Hash: 8B316679609381CFC706EB78D85405A3FB6FF42205B0544AED982CB256FE749C0BDB62

Uniqueness

Uniqueness Score: -1.00%

Function 050E2B83, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E2C29

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: f0a27f67f26f4ac330d14e455879ac1d650671be712291d1f8ffade80811c61a
Instruction ID: 324a1e268472760deaa3accc4be6e3c4bd536143a6e5ccaa797fb03e24e80d8e
Opcode Fuzzy Hash: f0a27f67f26f4ac330d14e455879ac1d650671be712291d1f8ffade80811c61a
Instruction Fuzzy Hash: A1318D71409380AFDB22CB25DC54F96BFB8EF06310F1884DAE9849B263D265A509C761

Uniqueness

Uniqueness Score: -1.00%

Function 050E22B4, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 050E2366

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: ce8f122588662780c9f5c8a062a644c146394911acf69a3fcd8cb13e20d0a3e2
Instruction ID: 69cd613f825df9a88d9a0ee6020b3eb1f25d51f40270d3216d834f1e15cf535b
Opcode Fuzzy Hash: ce8f122588662780c9f5c8a062a644c146394911acf69a3fcd8cb13e20d0a3e2
Instruction Fuzzy Hash: 3631A2B2404780AFE722CB65DC45F96FFF8FF06320F04859EE9849B252D365A909CB65

Uniqueness

Uniqueness Score: -1.00%

Function 050E04AB, Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E055C

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 24f38e8e4f4d06717f0fb882def0abdb16311b2643c6b383eee5b5020d042953
Instruction ID: 91da4ecfdc38576905bb8bcbcc82726c42bbee583c4c8cc85f4b580a1b41244c
Opcode Fuzzy Hash: 24f38e8e4f4d06717f0fb882def0abdb16311b2643c6b383eee5b5020d042953
Instruction Fuzzy Hash: 9B31A272109780AFD722CB65DC54F57BFF8AF07310F0884DAE9859B262D264A809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0287AF50, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0287AFEA

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 138ee5d472d8126fadcb66b44b4a829c621475185f254c75fbf9180efc218c3c
Instruction ID: c9780bab0c73dbc26a4024b48fb23dfe9ee498ea7267c91e77164d9e6714d9df
Opcode Fuzzy Hash: 138ee5d472d8126fadcb66b44b4a829c621475185f254c75fbf9180efc218c3c
Instruction Fuzzy Hash: 2831717540E7C06FD7138B658C51B26BFB4EF47610F0A41DBE884CB5A3D228A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 04FBF010, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32(?,?,?,?,?,00000000), ref: 04FBF0D9

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 0a61a035104cefaeae405872dd7726f7e2a5bdf21570a64eb728d911ec7935e9
Instruction ID: 2d359296737df818acc2d026790da050035326ae2a8a10425ba2a72b1afc8ea0
Opcode Fuzzy Hash: 0a61a035104cefaeae405872dd7726f7e2a5bdf21570a64eb728d911ec7935e9
Instruction Fuzzy Hash: 51312B35E00508DFDB44DFB9C840ADEBBB6EF89300F108029EA15EB251EB36A951DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0287A120, Relevance: 1.6, APIs: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0287A1C2

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 494b2a998f64b22d39b438faf14657a75856cc60659cfd94a007c7f247d894ae
Instruction ID: 549b017df992838da74779deb0c558e8f2a69e6cb65db17003f919e0cc8b972f
Opcode Fuzzy Hash: 494b2a998f64b22d39b438faf14657a75856cc60659cfd94a007c7f247d894ae
Instruction Fuzzy Hash: 3631D37140D3C06FD7038B758C55B62BFB4EF47620F1981DBD9848F293D229A919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 04FBA988, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FBAA0F

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 6593af2e5ec71958c09c4c1cc1f94e19c53c84e9ca6aa315b88dad72d8ae46bc
Instruction ID: 5ecf16628f817a141fe94cbb6a9d0ac460ef23add87aae15f77ccd331551675c
Opcode Fuzzy Hash: 6593af2e5ec71958c09c4c1cc1f94e19c53c84e9ca6aa315b88dad72d8ae46bc
Instruction Fuzzy Hash: 63218235F00245CBCB14EFB9C9409DEB7B6BB85700F104969D182AB684EB70B946DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 050E2D8D, Relevance: 1.6, APIs: 1, Instructions: 80networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E2E22

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: cc36ff1979b999fba9905ecc2e6abef7c6c71e0df502e41252cd841ee9b36885
Instruction ID: d6768f179292d02233f313309f22f8b2e4db80d28f401a508b963f117cc99f13
Opcode Fuzzy Hash: cc36ff1979b999fba9905ecc2e6abef7c6c71e0df502e41252cd841ee9b36885
Instruction Fuzzy Hash: 1C21A172404344AFEB228F55DC44FA7BFFCEF45310F0484AAEA859B252D275A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E0EDE, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E2C), ref: 050E0F5B

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 386227969abb31c4521f22969fd661184718b408d12fd2071e7a460a870e18e8
Instruction ID: 2137e911b79735730553da058663d0adc84efb767bbf63f05e344db6015daeaf
Opcode Fuzzy Hash: 386227969abb31c4521f22969fd661184718b408d12fd2071e7a460a870e18e8
Instruction Fuzzy Hash: DD21BD72500704AFEB218F64DC85FABFBACEF04320F14886AEE459B651D670A5188B71

Uniqueness

Uniqueness Score: -1.00%

Function 050E02AB, Relevance: 1.6, APIs: 1, Instructions: 79registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 050E0353

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9972d71aab1f32a18fc8ee0b0e30e091368b819cb54f639f9fc9c6ff24df5697
Instruction ID: db650b992f4ccdf0372e645281bc5a21c5640615fff914f422458137ce7a205c
Opcode Fuzzy Hash: 9972d71aab1f32a18fc8ee0b0e30e091368b819cb54f639f9fc9c6ff24df5697
Instruction Fuzzy Hash: D221B775009780AFE7228B20DC45FA6FFB8EF06310F1884DAE9849B192D265A909C771

Uniqueness

Uniqueness Score: -1.00%

Function 050E21D2, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 050E225D

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: ab9115eb2ac04b8c416e7be4de36027a1325bc256d2bd610a3f9d17c52e609a9
Instruction ID: 17a9f73c9ba352414ffbd7e00fa60be94d9396742643fd4c7d41f4695f26b21a
Opcode Fuzzy Hash: ab9115eb2ac04b8c416e7be4de36027a1325bc256d2bd610a3f9d17c52e609a9
Instruction Fuzzy Hash: F8219FB1509380AFE721CB65DC45F66FFE8EF45210F18849EE9849B252D375A908CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E08F0, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E0985

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 096638addb3381dfb2a843a7b26caa544e642fdb05d3ec5aa450b3b351efecb1
Instruction ID: 26ae4a9802b497096886d373a4df08078a8016a71aab6eff853cf4f990893f8b
Opcode Fuzzy Hash: 096638addb3381dfb2a843a7b26caa544e642fdb05d3ec5aa450b3b351efecb1
Instruction Fuzzy Hash: AA21F8B64087846FE7128B25DC54FA7BFB8EF47720F18809BED849B253D264A905C771

Uniqueness

Uniqueness Score: -1.00%

Function 050E1A72, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 050E1AFE

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 91809e222e406ab1393b0f9737331e4081241417a42dcda285cd79b98d7a8f6d
Instruction ID: af4ed9f884bbe816bb4e260eb71b10f9ab75302752bda470f8dd999f85acde6a
Opcode Fuzzy Hash: 91809e222e406ab1393b0f9737331e4081241417a42dcda285cd79b98d7a8f6d
Instruction Fuzzy Hash: EC21BF71408380AFE722CF61DC44FA6FFF8EF46210F08849EEA859B252D375A408CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050E2E86, Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E2F16

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 23c3995771748f2460db0350f5b7170211b37b6d5d9d30c2c0496f7336918f20
Instruction ID: b2133fc8772f44248940110a114157f5309aa953ecff0ef8f73e8c3157fd8692
Opcode Fuzzy Hash: 23c3995771748f2460db0350f5b7170211b37b6d5d9d30c2c0496f7336918f20
Instruction Fuzzy Hash: 56217F72404344AFDB228F55DC45FA7BFBCEF45310F0485ABEA859B252D274A509CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB21E9, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB2217

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 4e02b51d852015f8c4dee1d39e0cb0745ab3ca4a629f28a6434a3d9123492ca0
Instruction ID: ab2099c94dac8d6b419ded652746f661ca328828e556d32572868a401b49e5d6
Opcode Fuzzy Hash: 4e02b51d852015f8c4dee1d39e0cb0745ab3ca4a629f28a6434a3d9123492ca0
Instruction Fuzzy Hash: A6314B35E08209DFEB44DFA9C5486ED7BB1FF46300F1148A6C842D72A5E730AE46DB92

Uniqueness

Uniqueness Score: -1.00%

Function 050E081A, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 050E0899

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1672a7f01920d9e8415d352bd8cfc468aadc4b4e0c2eedd7e2dd6de1dcfd1eb2
Instruction ID: aa4e3b7d91dfb1f00b40b2929d97135758eccb3687982d153b3e0520f19a3553
Opcode Fuzzy Hash: 1672a7f01920d9e8415d352bd8cfc468aadc4b4e0c2eedd7e2dd6de1dcfd1eb2
Instruction Fuzzy Hash: CD219C75504600AFEB21DF65DD48F6AFBE8EF04210F14846AEA858B241D3B1E404CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 050E0B79, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E0C10

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: bcf31ccc89ee027dbdefbe4c758946500374749df88b97373fa49fb387936426
Instruction ID: a076ca6f480dd48d6c186dc3143e903310efc9dbe48deaeb4368aad2ea9ec7f0
Opcode Fuzzy Hash: bcf31ccc89ee027dbdefbe4c758946500374749df88b97373fa49fb387936426
Instruction Fuzzy Hash: 00219DB2508744AFE7218B15DC85F67BFF8EF05310F18849AE9859B252D264E809CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E03CA, Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(?,00000E2C), ref: 050E045E

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9063c4ee8707153e6e6589924657829b6ace44c65d71309f986ca9903b352eb4
Instruction ID: 18e91df2ac2a1b432c5ac5ac110dcd047452f122151e88200e15106b0cd22146
Opcode Fuzzy Hash: 9063c4ee8707153e6e6589924657829b6ace44c65d71309f986ca9903b352eb4
Instruction Fuzzy Hash: 5421F5B2100204AFFB21DF15DD45FABFBACEF05710F10855AEE459A281D6B1A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E09C0, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E0A51

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: bb278755d64e55c517f89a577761bd5e801781e106655300d565b6e5e339a742
Instruction ID: 250e4b287e2e7366266989cdfa8825e15f2e4c314a49c6be8b300a44a7959290
Opcode Fuzzy Hash: bb278755d64e55c517f89a577761bd5e801781e106655300d565b6e5e339a742
Instruction Fuzzy Hash: 1E21B272409380AFD7228F64DC44F56BFB8EF46314F08849BEA849B253C264A409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 04FB8C16, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB8C89

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 69eed4712c4029abd599caaa0dda676e279bc10fbf2739e4ccbb798d1a37f2af
Instruction ID: fc75c323c9988ffc6e369d2723a9234c9d20734cd19931181a967afc0bee3ca3
Opcode Fuzzy Hash: 69eed4712c4029abd599caaa0dda676e279bc10fbf2739e4ccbb798d1a37f2af
Instruction Fuzzy Hash: 8931AAB4E10245CFDB20EF66D44479EBBF2BF85314F10D12AD505AB259DBB0A48ADF81

Uniqueness

Uniqueness Score: -1.00%

Function 04FB25DE, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB2651

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 211e77c492fa9574a438caf78ce5d8feb805c0ff90386ca2ea0b9f9b425ea1fb
Instruction ID: da5b296f8eae6ef1e56a8a136575ff30a181660a51f306d0052342e3eaaa6bcd
Opcode Fuzzy Hash: 211e77c492fa9574a438caf78ce5d8feb805c0ff90386ca2ea0b9f9b425ea1fb
Instruction Fuzzy Hash: C231A435E00285CFDB50DF6AD84869DBBF2BF85315F21C5A9C0459B254DB74A44ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 0287AA32, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0287AAB1

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b0026d7ff8f28873f5cd0507efc55cd246573976ac941f345bd811a8039c530a
Instruction ID: e0e0559438dcadef510c777e33fcd19a7a78c3ca0f5e33daee4ba990234fc634
Opcode Fuzzy Hash: b0026d7ff8f28873f5cd0507efc55cd246573976ac941f345bd811a8039c530a
Instruction Fuzzy Hash: 4D21CD76500704AFE7219B64CD84F6BFBECEF04710F14851AEE45DA241D664E8188BB1

Uniqueness

Uniqueness Score: -1.00%

Function 050E012A, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 050E019D

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: fc2a3282243f5ed4e93cf396167b4d017b1c7b2b19a2b96a41657ab16e5b16f8
Instruction ID: 4a777dd762971feadf1c89ca12b9f9a905d60c90bc8ac8a989801a6a613120a0
Opcode Fuzzy Hash: fc2a3282243f5ed4e93cf396167b4d017b1c7b2b19a2b96a41657ab16e5b16f8
Instruction Fuzzy Hash: 70218E71504200AFE720DF65DD89F6AFBE8EF05610F1884AAED858F241E7B5E505CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E0723, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 050E079F

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: be38d8d35a1b882fbce471401e9d52fffd3bf203e1b881d504e93c6791a3c9d8
Instruction ID: 6382ff005d4aec5db2c22612ba28bb92f908dd347f965a1be4e7d6960dd063ef
Opcode Fuzzy Hash: be38d8d35a1b882fbce471401e9d52fffd3bf203e1b881d504e93c6791a3c9d8
Instruction Fuzzy Hash: 2521D3729093809FD752CB25DC58B56BFE8EF02210F0980EAE985CF252E274E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050E0A9B, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 050E0B1E

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 971f20eba30945de1d924b16da665772650838987b36c422ad5254f023877991
Instruction ID: 4539816bc37e4d428669d7e87cf7338364d682908db37b5c2770c7c5302e42e4
Opcode Fuzzy Hash: 971f20eba30945de1d924b16da665772650838987b36c422ad5254f023877991
Instruction Fuzzy Hash: D121B3B15083809FD712CB25DC55B63BFE8AF16314F1880DAED84DB253D265D404C771

Uniqueness

Uniqueness Score: -1.00%

Function 050E10BF, Relevance: 1.6, APIs: 1, Instructions: 71fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 050E114B

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e8a56bb97435add5dbf4c362472b64d9fbc45e8fdc931ac85797915fc2974e1a
Instruction ID: 01c4220a75ccc65972406a66919f38043bf4d9e2f86f39a258d95e9c53c4eb26
Opcode Fuzzy Hash: e8a56bb97435add5dbf4c362472b64d9fbc45e8fdc931ac85797915fc2974e1a
Instruction Fuzzy Hash: 2021D871504380AFE7218B25DC45F66FFA8EF46710F18809AFD459B292D374A944C761

Uniqueness

Uniqueness Score: -1.00%

Function 0287AB3A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 0287ABB4

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0afee592e921412350a7e10c568fd36c1dd5841450d8cdffe2d8981f6b704298
Instruction ID: ca5ae74099133865c839e31e92ce3c8f7ccc9458f8474dde9abff3cd54a80ca2
Opcode Fuzzy Hash: 0afee592e921412350a7e10c568fd36c1dd5841450d8cdffe2d8981f6b704298
Instruction Fuzzy Hash: 24216D79504604AFE720CE65DC80F6BFBECEF04710F14846AEA49DB251D760E408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 050E1530, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 050E159C

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c1d22aab9754f0fa6b8ec2cd15ec76fb6d9aefcdc82ce956b883479e93b72fad
Instruction ID: 25a64268ccf68900b1eb25c34fe91e3c588af5dc2fab516cff5fa0bb9893067c
Opcode Fuzzy Hash: c1d22aab9754f0fa6b8ec2cd15ec76fb6d9aefcdc82ce956b883479e93b72fad
Instruction Fuzzy Hash: 1D21C3725093C49FDB038B25EC54A92BFF4AF07224F1980DAED858F663D274A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050E21F2, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 050E225D

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: fb6c78a0d118bceb0a73d794d7f9ce2865c2e7310a58327c59b1fe7b4ba45039
Instruction ID: 5f442ed9f28cb8d1ab191fd83560094612aa5f3a3d215ee92cf96a27958f585f
Opcode Fuzzy Hash: fb6c78a0d118bceb0a73d794d7f9ce2865c2e7310a58327c59b1fe7b4ba45039
Instruction Fuzzy Hash: 4721AEB1504200AFEB20DF65DC85F6AFBE8EF44320F24846EEE858B241D375A405CB76

Uniqueness

Uniqueness Score: -1.00%

Function 050E1A92, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 050E1AFE

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 6fd7bdcf9f98ccd245c5de5d2b96b83ff59451bcae50caf90afa99e0e73f71d4
Instruction ID: 72aacbc1cfce7b6d96a0ec729a927e0848b0b0fb591b22f2be46f98c5dd98c81
Opcode Fuzzy Hash: 6fd7bdcf9f98ccd245c5de5d2b96b83ff59451bcae50caf90afa99e0e73f71d4
Instruction Fuzzy Hash: 8C21CF71500600AFEB21CF65DD45F6AFBE8EF48310F14845EEE858B242E3B5A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E2DB2, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASend.WS2_32(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E2E22

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Send
String ID:
API String ID: 121738739-0
Opcode ID: 5fa2929f9d530d89f1212192fd3c341f03341e78d3bc44c76eee5c6a8e1d7e3c
Instruction ID: 91d457fa2c947f91ce2480793f803d0abe86cf59dd5b42d70bbd2881bd482319
Opcode Fuzzy Hash: 5fa2929f9d530d89f1212192fd3c341f03341e78d3bc44c76eee5c6a8e1d7e3c
Instruction Fuzzy Hash: 0611AF72400604AFEB21CF55DC84FABFBECEF08310F14846BEA459B211D675A519CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 050E15E5, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,250A6237,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 050E1656

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 65acf73851ceb93e1c83ec7245546f5619dc9aedbc53abab263b3d5750cf931e
Instruction ID: 77aac3e75fc92a57bf4fd1b22a695c624d0948dc7c51577e9543aa709d9d27b0
Opcode Fuzzy Hash: 65acf73851ceb93e1c83ec7245546f5619dc9aedbc53abab263b3d5750cf931e
Instruction Fuzzy Hash: 152192715093849FD712CF65DC84B96BFF8EF06210F1984EAE985CF263D274A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050E01F4, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 050E0264

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67cc5ce5f8b9375c74ba260ddd8c0d76a89ac08716ff407efb8d050258601a36
Instruction ID: 74c4cc9efb2ab446b0505915b601eda8a0815490746e013991abf31fef49bb07
Opcode Fuzzy Hash: 67cc5ce5f8b9375c74ba260ddd8c0d76a89ac08716ff407efb8d050258601a36
Instruction Fuzzy Hash: A921A4B28057849FD712CF54ED89B56BFA8FF42320F0980DADD849F653D274A905CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050E22F2, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 050E2366

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b4862eb3aa0ecbdfa0f09d55ec5bd5126e19c002b76a9f790cee2a91aafe8dd9
Instruction ID: 9c11af66ddc5204b35536652cf1bc39796cd00249ac9ff23a24d23d0dc71e61c
Opcode Fuzzy Hash: b4862eb3aa0ecbdfa0f09d55ec5bd5126e19c002b76a9f790cee2a91aafe8dd9
Instruction Fuzzy Hash: 25219D71500604AFE721CF65DD85FAAFBE9EF08320F14845EEA849B241D375A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 04FB50D0, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 04FB23A0: MonitorFromRect.USER32 ref: 04FB23F2

MonitorFromRect.USER32 ref: 04FB5106

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 92421f553305ca0198245c3d872f034c6811f55b3ba9941db2c8c4c86c52a1bf
Instruction ID: 5a0992b6b6ae64dab23f481a91b412a052b728c965c11d8d2493bb277c43a0b8
Opcode Fuzzy Hash: 92421f553305ca0198245c3d872f034c6811f55b3ba9941db2c8c4c86c52a1bf
Instruction Fuzzy Hash: 2C114C71D04349AFEB11DFA9C8046DEBFF1AF86308F114865C945AF2A2DB78654ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 050E0B9E, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E0C10

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: db2b4a3d3e0bf52e91b65aee44b7ae426f1ba2dabfc016b82d2a9661bb98d00e
Instruction ID: b2dd20d24858410d458a68b17ea9300f493184dc44d41e140cd3e4b0ae0059df
Opcode Fuzzy Hash: db2b4a3d3e0bf52e91b65aee44b7ae426f1ba2dabfc016b82d2a9661bb98d00e
Instruction Fuzzy Hash: 84119072500604AFEB21DF15EC85F6BFBECEF04710F14845AEE45AB241D6B4E409CA71

Uniqueness

Uniqueness Score: -1.00%

Function 050E04EA, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E055C

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f323a9b38265a82081a391cafd3f96707d99660ffd65aa2e40f5b729363017c3
Instruction ID: c78c47b964f2bea2b9015ba273202e7fa36cccf7e2e2e50552d9fd761a8fa38e
Opcode Fuzzy Hash: f323a9b38265a82081a391cafd3f96707d99660ffd65aa2e40f5b729363017c3
Instruction Fuzzy Hash: 6B11BE72500600EFEB20CF15EC84F6BFBE8EF04720F14846AEE469B251D6A4E409CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E275E, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E27BD

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 97db00762961150d51f9a18a98c333b89d98f1c330cb0d401d846d5a90f1bc32
Instruction ID: 030d6cdc1daf512c9989f346b76af812ac4a3a206eb8b6a91a3bb38d067a9901
Opcode Fuzzy Hash: 97db00762961150d51f9a18a98c333b89d98f1c330cb0d401d846d5a90f1bc32
Instruction Fuzzy Hash: 8C119072500600AFEB21CF65ED85F6BFBACEF05720F14846BEE459B251D674A408CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E2BC2, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E2C29

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 26daa869dfa6688d894cadf2410f8684d4e1acbda5cb9971b9841074751f01e2
Instruction ID: d51ec7aef04488a8485c928975b46488f3b436187e9ddc7aa0bba03c316138e0
Opcode Fuzzy Hash: 26daa869dfa6688d894cadf2410f8684d4e1acbda5cb9971b9841074751f01e2
Instruction Fuzzy Hash: 1711BE75500600EEEB21DF55EC84FABFBECEF04710F24846AEE499B251D674A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E12F8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 050E1362

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d61a4de3d9f4e448bd0dc8734ba1b0652fd437a413fa944face2b395d780fcc5
Instruction ID: a67038820c5795a295b08f3c63a0ab4b1edbf11dbf5aed8c7993d8b643a899ca
Opcode Fuzzy Hash: d61a4de3d9f4e448bd0dc8734ba1b0652fd437a413fa944face2b395d780fcc5
Instruction Fuzzy Hash: A9117F729093809FD761CF65DC85B67BFE8EF45210F1884AAED85CB652E274E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050E1006, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E105C

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: CodeExitProcess
String ID:
API String ID: 3861947596-0
Opcode ID: d4d0a86bacdc6a6a53d6520836971dcf0db38024e74535b3f3dfcc3ed74886d5
Instruction ID: 1e67e41b4bba02709ac0f044f2555e442d8c478150eacf9dac74cb446fb606be
Opcode Fuzzy Hash: d4d0a86bacdc6a6a53d6520836971dcf0db38024e74535b3f3dfcc3ed74886d5
Instruction Fuzzy Hash: 0711E371500244AFEB11DF25EC85FABBBA8EF45320F1484ABEE04DB241D6B4A404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0287B7CA, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0287B841

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bae406a57e5e22d67364f3dc387e5a3effce3d725d8ab6dbd84b3a1e36d69038
Instruction ID: eaca4080d87fa52dca5a6220e167fa0f8658f71ae0e434e2c9fb1e40821810eb
Opcode Fuzzy Hash: bae406a57e5e22d67364f3dc387e5a3effce3d725d8ab6dbd84b3a1e36d69038
Instruction Fuzzy Hash: E7218E764097C09FDB128B21DC50AA2BFB0EF17314F0D84DAEDC44F263D265A958DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0287A51F, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0287A58A

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9d44dd647db986597e661de41e13d08cf39b63a389e437480721829e1b4e7875
Instruction ID: 64affbe8a327f33aa54239018673a7e43f5473770458e502788eda502163a8ac
Opcode Fuzzy Hash: 9d44dd647db986597e661de41e13d08cf39b63a389e437480721829e1b4e7875
Instruction Fuzzy Hash: 76118476409780AFDB228F55DC44B62FFF4EF4A210F0884DAEE898B252D375A518DB61

Uniqueness

Uniqueness Score: -1.00%

Function 050E02DE, Relevance: 1.6, APIs: 1, Instructions: 60registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(?,00000E2C), ref: 050E0353

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 320ff0876f8215efd1779565018f07be5b3f4c50ff81301df8ecc1fba95a4c1a
Instruction ID: b3bc964785ca5456a0ecd254932e16ab60b970c606a6de99d71ef6202f304ab8
Opcode Fuzzy Hash: 320ff0876f8215efd1779565018f07be5b3f4c50ff81301df8ecc1fba95a4c1a
Instruction Fuzzy Hash: F911B271500600EFEB31DF25DC45F6AFBA8EF05710F24849AEE455A291D2B5A909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 050E10E2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00000E2C), ref: 050E114B

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 8f2aa9cbd3bec1f67ee95911c368785a3bceeddf4c2abf252d4974e1e1a7c1f3
Instruction ID: 8495e941a1e42faf2812f146614d9e3db70bbd3de6d8a8df98332936c8d1743b
Opcode Fuzzy Hash: 8f2aa9cbd3bec1f67ee95911c368785a3bceeddf4c2abf252d4974e1e1a7c1f3
Instruction Fuzzy Hash: 6B112971500600AFF720DB15EC81F7AFB98DF05720F28C0AAEE459B381D6B4A544CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E09F2, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E0A51

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 291e832fda64bdae79623bd5e84b7fc0a9e2b413ca1e31c6eba00f7665d31f4d
Instruction ID: 12e43179393567c211d71ff8920bf92e1bc10ec47dde5e6b1fbf46612757f296
Opcode Fuzzy Hash: 291e832fda64bdae79623bd5e84b7fc0a9e2b413ca1e31c6eba00f7665d31f4d
Instruction Fuzzy Hash: 4811B271400604AEEB21CF55EC45F6AFBA8EF44310F18846BEE499B241D2B5A5048BB1

Uniqueness

Uniqueness Score: -1.00%

Function 0287BB4F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0287BBB9

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d455e2ba83ce76f650e5d360fecfaeda4f247570753c661527272993ff73f32f
Instruction ID: 15fef5f99c6ede31828aadcf801e30daba2bebd6db5db186b2718acab05422ac
Opcode Fuzzy Hash: d455e2ba83ce76f650e5d360fecfaeda4f247570753c661527272993ff73f32f
Instruction Fuzzy Hash: 5811BE76409780AFDB228F25DC45B52FFB4EF06220F0884DEED858B663D265A458DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0287BE05, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0287BE70

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 010e9fb8d85af85426e5711d941a814e86628f94792c86601f12a14cbd2c58be
Instruction ID: b31c0bbe635866eef536f7dd9d50243479d8d85ca0593dbab4faced21da7d3f7
Opcode Fuzzy Hash: 010e9fb8d85af85426e5711d941a814e86628f94792c86601f12a14cbd2c58be
Instruction Fuzzy Hash: F9118E754093C0AFDB138B25DC44B62FFB4DF47624F0980DAED848F263D269A908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0287B71E, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0287B78A

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 47ded4a08ed20e18430a642cdaaae2479383d2dcb4dff373334444838c16fad2
Instruction ID: b33fd96b46ea1ba2b185802d79915bd49b5725375f58eb5164e5f5b0024c9f52
Opcode Fuzzy Hash: 47ded4a08ed20e18430a642cdaaae2479383d2dcb4dff373334444838c16fad2
Instruction Fuzzy Hash: 8311A236404380AFDB228F54DC44B52FFF4EF49310F08849EEE898B622D375A418CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050E118F, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 050E11F4

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 7ea678cee7fae478ce60850fbe7d3cfddee60cd64890ad75022321b6ff26d9f7
Instruction ID: e8fb491b89f897c8cf12f63e664e263c1f94bd5a39c0463b0f4ea8068e42bc99
Opcode Fuzzy Hash: 7ea678cee7fae478ce60850fbe7d3cfddee60cd64890ad75022321b6ff26d9f7
Instruction Fuzzy Hash: 5B1190714093C0AFD7128B64EC44B56BFF4EF46224F1984DBED848F263D279A549CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0287BEB4, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0287BF0C

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 4cffbd88bf921664ba8ab9a05f5390a5cb7b1852fac5cdfc345ad0667a64ac23
Instruction ID: 7a1bb8cc99c0b0f419525e0ded4ebace33fcfb3a419d7382c5dd03eaad67d7b9
Opcode Fuzzy Hash: 4cffbd88bf921664ba8ab9a05f5390a5cb7b1852fac5cdfc345ad0667a64ac23
Instruction Fuzzy Hash: 1411CE76504380AFDB11CF65DC85B56BFE8EF02220F0880AAED49CF252D374E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 050E131A, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 050E1362

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: b508a9702d45fbe944da2a2f7fb7e3e0b6824d381020363f07473cf785dfb429
Instruction ID: bc951fe08b68b1911be666f0974dab311b43ef4276af2a2c7beafa6f49f1f381
Opcode Fuzzy Hash: b508a9702d45fbe944da2a2f7fb7e3e0b6824d381020363f07473cf785dfb429
Instruction Fuzzy Hash: 21116571A046009FDB60CF69EC85B6AFBE8EF44710F1884AADD49CB745E674E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E0AD6, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 050E0B1E

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: b508a9702d45fbe944da2a2f7fb7e3e0b6824d381020363f07473cf785dfb429
Instruction ID: 043e48f3fdb5e67c46c5c1dfbafa654071175ee5da4d506e7b7fb7f2d23fb823
Opcode Fuzzy Hash: b508a9702d45fbe944da2a2f7fb7e3e0b6824d381020363f07473cf785dfb429
Instruction Fuzzy Hash: 7A1170716002049FDB50CF69E889B6AFBD8FB04314F1880AADD49CB241D6B4E404CB71

Uniqueness

Uniqueness Score: -1.00%

Function 050E0932, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E2C,250A6237,00000000,00000000,00000000,00000000), ref: 050E0985

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d2a5d65b6393cf9678877c5d8b3fd1f664f13f85b9a1efd20636d6360a2efe08
Instruction ID: eebeece9e6f05f9effe1ac87608fceffde4e010d44f9c2aff8c801a238c559aa
Opcode Fuzzy Hash: d2a5d65b6393cf9678877c5d8b3fd1f664f13f85b9a1efd20636d6360a2efe08
Instruction Fuzzy Hash: 3101D271500604AEE710CF19EC85F6BFBA8EF45720F24809BEE449B341D6B4A5088BB5

Uniqueness

Uniqueness Score: -1.00%

Function 050E075A, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 050E079F

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 1b152df77b20a23af4656cd2b81ecea958faa404e7bab4b8cd2e988ab2877a3f
Instruction ID: c9601f18da6efe782c16b0919995feab47ee11debb38d70a5ac93d88dc8cd662
Opcode Fuzzy Hash: 1b152df77b20a23af4656cd2b81ecea958faa404e7bab4b8cd2e988ab2877a3f
Instruction Fuzzy Hash: 7911A171A002409FDB50CF69E98CB6AFBD8EF04220F18C0AADD49DB641E6B4E404CF71

Uniqueness

Uniqueness Score: -1.00%

Function 0287A75B, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0287A7BC

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 64608a1c981b215b3c780bed315636350b748fa6861b9979c8ba315fc112bc6d
Instruction ID: dfc5839b944bd4d287f6f68edb9a99c3c4074550ad93c5ae4eebd684c976a017
Opcode Fuzzy Hash: 64608a1c981b215b3c780bed315636350b748fa6861b9979c8ba315fc112bc6d
Instruction Fuzzy Hash: 3E11E075408384AFDB12CF14DC84B52BFB4EF02220F0880DAED888F253D375A508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 050E1616, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

K32EnumProcesses.KERNEL32(?,?,?,250A6237,00000000,?,?,?,?,?,?,?,?,72F43C38), ref: 050E1656

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: EnumProcesses
String ID:
API String ID: 84517404-0
Opcode ID: 7b2d3ae03183d94fd3046503a20b9601906ffed0b74d0db82f1a74ab980758ac
Instruction ID: d3417c0aa45f588071e66913c9a7ba9fa0dbbe65de5eb6f235b3750df2322f24
Opcode Fuzzy Hash: 7b2d3ae03183d94fd3046503a20b9601906ffed0b74d0db82f1a74ab980758ac
Instruction Fuzzy Hash: 2911C0715002449FDB50CF69E884B6AFBE8EF05320F28C4AADE49CB251D2B4E408CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0287A8CC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0287A926

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 17697470ce8203be8a586d3e41bbe330ca054773882a93a4220074710f8d27a4
Instruction ID: efe68c6aa8b48e4afe95355620489fcdf6efd9e3c2f72b482c0714a4c02a83d3
Opcode Fuzzy Hash: 17697470ce8203be8a586d3e41bbe330ca054773882a93a4220074710f8d27a4
Instruction Fuzzy Hash: 3711C235409784AFC7228F55DC85B52FFF4EF06220F09C4DAEE898B262C375A418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 050E0CCA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNELBASE(?,00000E2C,?,?), ref: 050E0D1A

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FileNameTemp
String ID:
API String ID: 745986568-0
Opcode ID: 210519292aa746479d73780f2961aeaaab98458166e2db18312da0cf81dc0368
Instruction ID: e624e4fb965aa881a888eb74af0325df814dfd717a00d1da4918c770a2b87241
Opcode Fuzzy Hash: 210519292aa746479d73780f2961aeaaab98458166e2db18312da0cf81dc0368
Instruction Fuzzy Hash: 0D01B172900600ABD710DF16DC86F26FBA8FB88B20F14816AED088B741E331B515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 050E30D6, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E2C,?,?), ref: 050E3126

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 0400fc275ae08ed305bd2eb31163a3dc67c7e754661a8fd6ed0dfd3e14836bb7
Instruction ID: 9d509e97ced0c702feafc8b1fc74a162c61dd5d322e13ef3b5639e0e3bcefe2c
Opcode Fuzzy Hash: 0400fc275ae08ed305bd2eb31163a3dc67c7e754661a8fd6ed0dfd3e14836bb7
Instruction Fuzzy Hash: A901B172900600ABD710DF16DC86F26FBA8EB88B20F14816AED088B741E331B515CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0287BED2, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?), ref: 0287BF0C

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: ed1d186a231a46f01b2d2ce4ed946256e054baee7df2927b7f49a0ca7a4bfa80
Instruction ID: dcd753ee6fd6f75ecfc2418068ea37bc3bf271851f883ed051d3c78d236b127a
Opcode Fuzzy Hash: ed1d186a231a46f01b2d2ce4ed946256e054baee7df2927b7f49a0ca7a4bfa80
Instruction Fuzzy Hash: A2019E79A002449FDB10CF69D88576AFB98DF00724F0880AADD49CB746E674E408CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0287A172, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E2C,?,?), ref: 0287A1C2

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 31549a08329dbb2d430bd25eb48b27374bd30d367f2ad8d7ec0afb64342cb19a
Instruction ID: 40e7c1be2cdfeae94c0f75bfc8ca67890d77b20272e7a1956e1bb4fd87958cad
Opcode Fuzzy Hash: 31549a08329dbb2d430bd25eb48b27374bd30d367f2ad8d7ec0afb64342cb19a
Instruction Fuzzy Hash: FF017172900600ABD710DF56DD86B26FBA8EB88A20F14816AED089B741E375B515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0287A546, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0287A58A

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5bfb75ce19b323dc60f79648a4aa638f3ab8e9d5cd30347fcd6ef758fa0b8d95
Instruction ID: c70a13613712f017e3bb907b814ee74666e096de5df4b056fa5079d4368fa1fe
Opcode Fuzzy Hash: 5bfb75ce19b323dc60f79648a4aa638f3ab8e9d5cd30347fcd6ef758fa0b8d95
Instruction Fuzzy Hash: A0018036400604EFDB218F95D984B56FFE4EF08320F08C59ADE498B615D375E018DF62

Uniqueness

Uniqueness Score: -1.00%

Function 0287B746, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32 ref: 0287B78A

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 25ee8a55156e2aec421bad9b3b58f30fe7bcffd28ee76573a7a09896c403c79a
Instruction ID: 47404a81bea4f473da314668537750b62c933eb469882bf2697135480c24f625
Opcode Fuzzy Hash: 25ee8a55156e2aec421bad9b3b58f30fe7bcffd28ee76573a7a09896c403c79a
Instruction Fuzzy Hash: E6016D3A400604EFDB218F95D884B66FFE5EF08324F08C5AADE898B612D375E418DF61

Uniqueness

Uniqueness Score: -1.00%

Function 050E0232, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 050E0264

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 051e8c6f4917096561839010ae3041c3c4c9b1b9a25603b4d391e07dde6497bd
Instruction ID: 58bcfab8782b3e521a8b26ef7288602f14d5eb25f45aad8a54ca34f187e6daee
Opcode Fuzzy Hash: 051e8c6f4917096561839010ae3041c3c4c9b1b9a25603b4d391e07dde6497bd
Instruction Fuzzy Hash: 9101DF719002009FDB50CF69E88876AFFE4EF40220F18C0ABDD498F306D6B5A408CB62

Uniqueness

Uniqueness Score: -1.00%

Function 050E156A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 050E159C

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 123a45fa9e092e647e34642329290506b57fc4fb23e747989d50794454377758
Instruction ID: 39bcaab39e3130f8e1768435398201efe6fd8ee05c13682c755df0ac33c5f557
Opcode Fuzzy Hash: 123a45fa9e092e647e34642329290506b57fc4fb23e747989d50794454377758
Instruction Fuzzy Hash: A501B172500644DFDB10CF59E884B6AFBE4EF44220F28C0ABDD4A8F601D674A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 050E19F6, Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI(?,00000E2C,?,?), ref: 050E1A46

Memory Dump Source

Source File: 00000007.00000002.629161044.00000000050E0000.00000040.00000001.sdmp, Offset: 050E0000, based on PE: false

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 6fe102a1d8fdb91f1825b7b6b39e6c99a4b242f7998b9dbece67544bc4ee2d0c
Instruction ID: d948ccb4eeb1cf74380ac0c5d99f308c8c0ad3b28d63f2cd8af25e5ceffa3243
Opcode Fuzzy Hash: 6fe102a1d8fdb91f1825b7b6b39e6c99a4b242f7998b9dbece67544bc4ee2d0c
Instruction Fuzzy Hash: DF01AD72900600ABD210DF16DC82F26FBA8FB88B20F14811AED084B741E371F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0287AF9A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0287AFEA

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4d7675a7d9f2c5d0469c10cdf5d043d13d834c1ff9d8c4c1c05087c0b75d10aa
Instruction ID: 3253882da1e13f011cd92f7bbcc60969a0b6d63c20f386bdda0e555c7c14ae81
Opcode Fuzzy Hash: 4d7675a7d9f2c5d0469c10cdf5d043d13d834c1ff9d8c4c1c05087c0b75d10aa
Instruction Fuzzy Hash: DA01AD72900600ABD610DF16DC82F26FBA8FB88B20F14815AED084B741E335F916CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0287BB7E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0287BBB9

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 61332c46a23916a6977d5cd09a59494943df88c030d39f1a84c98f6c5ae35be8
Instruction ID: 1689e5ba4a2bc19cddb9f7b30e6e769fd2419b650b2d5ab4af1a9221042d7a7f
Opcode Fuzzy Hash: 61332c46a23916a6977d5cd09a59494943df88c030d39f1a84c98f6c5ae35be8
Instruction Fuzzy Hash: 7101BC3A500604DFDB208F56D884B66FFA0EF04324F08C0AADE4A8B626D375E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0287A78A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0287A7BC

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: cb7edf9357272060a4fa1de41a6919017b2f947f6714a8ef83c89e9e14dff361
Instruction ID: a10df8d298bcef418797b835631d42a262227ec7c12471b9bb8be175a20c1288
Opcode Fuzzy Hash: cb7edf9357272060a4fa1de41a6919017b2f947f6714a8ef83c89e9e14dff361
Instruction Fuzzy Hash: 7001AD798042449FDB10CF55D88476AFFE4EF04220F18C0AADE888F306D2B9E508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0287B806, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 0287B841

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a97788d70fbe0da2cbc2cab1e350dc44b0fb237e6bf8aebd2d1f91d0e102af5b
Instruction ID: 70b3159a4c0e98a4d2591e43c7755dda4f8f3e2963aa8a5fd040f83358718991
Opcode Fuzzy Hash: a97788d70fbe0da2cbc2cab1e350dc44b0fb237e6bf8aebd2d1f91d0e102af5b
Instruction Fuzzy Hash: 8E018F39800644DFDB208F55D884B66FFA0EF08324F08C09ADE494B222D375E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0287A8EE, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0287A926

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5ebad78eb483654f992355e28f1d28f4aacd7795e7060dea38d0affb287991ed
Instruction ID: a394f91ca8090688aa7f2dd3b3cf88e4f05f362cb7d5dbf55ecbdeac634b191b
Opcode Fuzzy Hash: 5ebad78eb483654f992355e28f1d28f4aacd7795e7060dea38d0affb287991ed
Instruction Fuzzy Hash: E101AD39800604DFDB208F55D885766FFA0EF05721F08C0AADE8A8B252C3B5E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0287BE3E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 0287BE70

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: fe9b093fc87ccf3cd042d3ddd9068c65db23c21dca751f33b60afae9067a52ec
Instruction ID: 3936f749dcda74ee99b0f8f2c48f4a15411e3ebf23578d024dd2ade17957a56a
Opcode Fuzzy Hash: fe9b093fc87ccf3cd042d3ddd9068c65db23c21dca751f33b60afae9067a52ec
Instruction Fuzzy Hash: 6FF0A43A804644DFDB108F55D884762FFA0DF04324F18C09ADE494B316D3B5E408CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0287A372, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0287A3A4

Memory Dump Source

Source File: 00000007.00000002.625062297.000000000287A000.00000040.00000001.sdmp, Offset: 0287A000, based on PE: false

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: fe9b093fc87ccf3cd042d3ddd9068c65db23c21dca751f33b60afae9067a52ec
Instruction ID: bf5011418a215619955375820b24e8307e78dcb1b56a2a9b3f9f46f9ea9f5d7a
Opcode Fuzzy Hash: fe9b093fc87ccf3cd042d3ddd9068c65db23c21dca751f33b60afae9067a52ec
Instruction Fuzzy Hash: B3F0AF39804644DFDB248F15D88476AFFA0EF04324F18C09ADE498B756D7B9E408CF62

Uniqueness

Uniqueness Score: -1.00%

Function 04FBAB5F, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FBAB74

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 720106394ae45febfa9d82eb772b3e40bd6d2cc2cce0fa400700cae80df4db9e
Instruction ID: 49cadb7fa353f71459307b08e3e33d37b64fe3391b85959553714df2d8da6dda
Opcode Fuzzy Hash: 720106394ae45febfa9d82eb772b3e40bd6d2cc2cce0fa400700cae80df4db9e
Instruction Fuzzy Hash: E9F02B227083544FD70623799419B993FE68FC7714F1540A9E957C77A3EF259C034392

Uniqueness

Uniqueness Score: -1.00%

Function 04FB8799, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB87BF

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 8c0c3b249d5a00ff60cec00590840604671647043c1f2f40375f060cec2a569b
Instruction ID: 6b7ddc90a5891ec76505cd2617c209088589ba5c535ca8a45ca2e10ce00f3e09
Opcode Fuzzy Hash: 8c0c3b249d5a00ff60cec00590840604671647043c1f2f40375f060cec2a569b
Instruction Fuzzy Hash: F7F05C3AF042508FC7113B6BA8047A43FEDDB8A3D5715009ADD81D3341CB30E8018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04FB87A8, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB87BF

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: a0c98850c2614f16aefbb3ebdd49cc5b4638a55a3d95e752ab837f9ccd160ec8
Instruction ID: bd215c99110ff2eb0cc2428a21357fe1df9ba32951d6d3076bacd5e2344fffab
Opcode Fuzzy Hash: a0c98850c2614f16aefbb3ebdd49cc5b4638a55a3d95e752ab837f9ccd160ec8
Instruction Fuzzy Hash: E6E0923AF141259B8B507BAEA4142647AEEE7CD6A5324402ADD46D3348DE70AC018BD1

Uniqueness

Uniqueness Score: -1.00%

Function 04FBECF0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FBED13

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 6ce5ffd3e37a5b540137b3e31c34bf1422901a2eba358616035b697bd955ad14
Instruction ID: 39e02f4164a8dce8712093ca85dfd5a1462c1eb9b00c282d98ce49b377ef5a2f
Opcode Fuzzy Hash: 6ce5ffd3e37a5b540137b3e31c34bf1422901a2eba358616035b697bd955ad14
Instruction Fuzzy Hash: 57E0ED35A002299FCB00DBA8E8908DDBBB1FF8D324B149166E915E3381DF35A906CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04FB9350, Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32(00000000,00000000), ref: 04FB936B

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 768afd528c0cb29846752275a2b88092c74cc62b039e5e67eb7ff67e19a58c65
Instruction ID: 45a466817eeaaeab1dc064d475d0dfd6deadeb9dc1a61fb09d28a74d598519c8
Opcode Fuzzy Hash: 768afd528c0cb29846752275a2b88092c74cc62b039e5e67eb7ff67e19a58c65
Instruction Fuzzy Hash: 98D05ED374CB48AAE30212926C5AFE03B2CA743700F084452A3DB800F779C47413A2C7

Uniqueness

Uniqueness Score: -1.00%

Function 04FB7140, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB7158

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction ID: f485b8ec12ee25f68d9275b8481894fd1d6cc3628d4ec724325ad951b6e31ece
Opcode Fuzzy Hash: 9a0939ec5680cffb9ecca245d0aafbbebb033a67d769e75d7ec85179cdc98f5e
Instruction Fuzzy Hash: F4D0423AA010048FC704DB88D5949D9F7F1EB88325F28C1A6D919A7351C732ED56CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 04FB0180, Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

MonitorFromRect.USER32 ref: 04FB018B

Memory Dump Source

Source File: 00000007.00000002.628869997.0000000004FB0000.00000040.00000001.sdmp, Offset: 04FB0000, based on PE: false

Similarity

API ID: FromMonitorRect
String ID:
API String ID: 2578442757-0
Opcode ID: ef248e79bf0df950904ace2632ca6f307830de4d819640301e01829f2b58a274
Instruction ID: 40fbbcd4ded8795935089eebca480e3eee30fde7a2c278b94a4ee0cb31a6e1a5
Opcode Fuzzy Hash: ef248e79bf0df950904ace2632ca6f307830de4d819640301e01829f2b58a274
Instruction Fuzzy Hash: BFD01235640314CFCB096B74E41941833A9AF442063000C7CD80687781EF37E851CA00

Uniqueness

Uniqueness Score: -1.00%

Function 06370070, Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

MOC, xrefs: 06370236

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID: MOC
API String ID: 0-624257665
Opcode ID: 95645ae1319928c1e80d24e6d08f74e1b5a1723850c73860bc26e674d40124b7
Instruction ID: bc9a89b9762867d6a24d6223da3daea84f4894c51ec4ff43c3c429ad7a00eb9a
Opcode Fuzzy Hash: 95645ae1319928c1e80d24e6d08f74e1b5a1723850c73860bc26e674d40124b7
Instruction Fuzzy Hash: C3718AB4B04A01CFD7A8CF69C99096AFBF6BF88204B24892DD55687B50DB35F845CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 063705A8, Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7c61fbe2f7b0ffa73893324b64902ed2691a803353278ee2f41dc931ee3df5c
Instruction ID: 58f578352e91ad3eb96205736f4bd604423bba4716575133e791b7eeb8e49794
Opcode Fuzzy Hash: f7c61fbe2f7b0ffa73893324b64902ed2691a803353278ee2f41dc931ee3df5c
Instruction Fuzzy Hash: A7E17E74E00118CFDB69CF68C480A9EBBB2BF85314F158599D80AAB345DB75ED86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06370B40, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a41a74ad4f1e7e206c6439d8eb84499a72449dae8548b1465a0f6300cc92e34
Instruction ID: 038ee5a0c48a1b94559061f870968e9cfc47624a5171038ad4fc5309918b337c
Opcode Fuzzy Hash: 3a41a74ad4f1e7e206c6439d8eb84499a72449dae8548b1465a0f6300cc92e34
Instruction Fuzzy Hash: DC51B176A001149FDB59DFA8C48089EFBA7FF843107168166E80AAF216CB34FD06CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06370014, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea35c8d27994acc10912f312f98eea4621406f47965b10908ee1e4509ef56093
Instruction ID: c00cb6ea9030015d99f7e7193608f78c86457f825ece3e16317a5d9f063c0fed
Opcode Fuzzy Hash: ea35c8d27994acc10912f312f98eea4621406f47965b10908ee1e4509ef56093
Instruction Fuzzy Hash: 49410A7460D781DFD766CB34CC90DAABFF5AF42210B04459AD482C7662C739A845CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 06370498, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db94263b2db6fbc96ec804dcf2446fba16f1aad87e7446d1991d2349eafb2573
Instruction ID: 178da564d9c74f197603fb4e2eb6ddca6d43ad4b50b7527965423d936d0b00c4
Opcode Fuzzy Hash: db94263b2db6fbc96ec804dcf2446fba16f1aad87e7446d1991d2349eafb2573
Instruction Fuzzy Hash: 0B313972B08214AFDBA4D7BDE8405AAFBE9EB88314B054177D109D7611C73AE842CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 063710E8, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0154b554f5ac8f88de1ba44e3484714d66f88c55d211eede74bba02595af4f20
Instruction ID: 4b4f402c9755646cde52efb4e03df3a69a580a7b723454ce8052ba93f4d8f933
Opcode Fuzzy Hash: 0154b554f5ac8f88de1ba44e3484714d66f88c55d211eede74bba02595af4f20
Instruction Fuzzy Hash: 0641F372E00208DFDB94CFA9C580A9DBBF2BF49310F28856AD415EB615D735A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06370599, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9541ef3650a2b27e0af6cbb4250a563a122069041bb01a3f4dc20f2d98bf81
Instruction ID: bc56c4eae90cd7fa30e1397ae23e052c29ffa9b34d251815ed7b4e8861033604
Opcode Fuzzy Hash: 5f9541ef3650a2b27e0af6cbb4250a563a122069041bb01a3f4dc20f2d98bf81
Instruction Fuzzy Hash: 74311EB5E04219DFDBA8CF68C490A9DBBB5FF48300F208569D506EB745DB34A9828FD1

Uniqueness

Uniqueness Score: -1.00%

Function 06370DA0, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 279181cabf057ddfa1e8727ae0ee3b6752cd2a04480618ea41f93b912ca5e94b
Instruction ID: 1716824d312e37630679a428bf0136adc360a4ae50155a409f975088486865c7
Opcode Fuzzy Hash: 279181cabf057ddfa1e8727ae0ee3b6752cd2a04480618ea41f93b912ca5e94b
Instruction Fuzzy Hash: 7841F9B0905B54CFE3BDCB2AC544766BBE2BF84305F14886EC19A86A50CB79B445CB80

Uniqueness

Uniqueness Score: -1.00%

Function 063702C1, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52aaf04b3100814d5676d093f3aaac4530fc18136b8eb10120897d820348693e
Instruction ID: 5635543b4889682f6cb4d72e7a4a4ce25fbf3d4fddd1d8e1508d594c1dcb7959
Opcode Fuzzy Hash: 52aaf04b3100814d5676d093f3aaac4530fc18136b8eb10120897d820348693e
Instruction Fuzzy Hash: 51111976410118EFDF4A8F90DC08DA9BFB6FF49310B068494F205AB072C736D525EB92

Uniqueness

Uniqueness Score: -1.00%

Function 063702D0, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5c15c7db5d5347e3ddf96c841e710c9b6dfc78e294289ccd15544d87048a98
Instruction ID: 057022baa4954e9ec5463d4579c064ac76733016a0578ecb62f7cc496dc29c09
Opcode Fuzzy Hash: 8c5c15c7db5d5347e3ddf96c841e710c9b6dfc78e294289ccd15544d87048a98
Instruction Fuzzy Hash: 3911E376810118EFDF4A8F90DD08CA9BFB6FF49310B068495F2056B032CB36D925EB92

Uniqueness

Uniqueness Score: -1.00%

Function 06370BE0, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34910b49ecaac710ca81fd009296ccf7e6552bb4a4f6a70b820969f31908706e
Instruction ID: 377ec1c3739416ae2be2640207f0b098b798f709138a98cc5dabbe6ece10982f
Opcode Fuzzy Hash: 34910b49ecaac710ca81fd009296ccf7e6552bb4a4f6a70b820969f31908706e
Instruction Fuzzy Hash: 2511AC76E042049FDB98DBB8E8905ADBBB7BBC4211B14402AA40BEB741DA345901CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 063703F8, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e4865ed7f562cc73d9bfd89ccd48ffe3e5958d940ffc2a02e332200bbe1a91
Instruction ID: 6a72e48a7f78aedbc7a1d81f87d11ee85bc5f63e12dfe68aecd09abb16d74e98
Opcode Fuzzy Hash: 77e4865ed7f562cc73d9bfd89ccd48ffe3e5958d940ffc2a02e332200bbe1a91
Instruction Fuzzy Hash: 9311D6B1618344CFE3BD9774D4587353BA9ABA1301F0444AED44287A92CB7C984AEFD2

Uniqueness

Uniqueness Score: -1.00%

Function 0288AEC0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.625124242.0000000002882000.00000040.00000001.sdmp, Offset: 02882000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c91f317618d06e4096a792ffb810f6a7b480a6fe43672cef998540ecfd3ff2
Instruction ID: 347a3f8b6acc13b7de786633d3d65f7449313e547616c66df7beb08d4f4f6896
Opcode Fuzzy Hash: b1c91f317618d06e4096a792ffb810f6a7b480a6fe43672cef998540ecfd3ff2
Instruction Fuzzy Hash: 3611ECB5608301AFD350CF59DC80E57FBE8EB88660F14891EFD9897311D371E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 063703E9, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d736133d741ec10745bab003f6143f877a218d979fe3cd62e1ca510e0aa7cf0b
Instruction ID: b0cbb4d925fc1790c30af8e484950649d39828df0730ff416d7e53d18427f62c
Opcode Fuzzy Hash: d736133d741ec10745bab003f6143f877a218d979fe3cd62e1ca510e0aa7cf0b
Instruction Fuzzy Hash: B501B1B2A14204CFE3BC9764E44877537ADA7A0206F04806ED04293A92CB3C9886EFD2

Uniqueness

Uniqueness Score: -1.00%

Function 06370D90, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73bc0034042993a67fccf589609316a851ba0e51341027551ff36df6c85152f
Instruction ID: 3d60d9b5c4f228b1d185b09e523c470565591dc947246ef0ca57ad125c075ed3
Opcode Fuzzy Hash: a73bc0034042993a67fccf589609316a851ba0e51341027551ff36df6c85152f
Instruction Fuzzy Hash: 89F0A771A4A744DFD75AC6A488657A57B759F42100F0D84DEC095C7992C339A406CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 063712E0, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07b8091a21b70c97966315bd2c7fc163afff2ca8f193c1fc741dd7df2313e8b
Instruction ID: 77a3d8ffd586b049bb2d004c1c569734f3ed3f35a6786f3492e590fbc2e2fa30
Opcode Fuzzy Hash: d07b8091a21b70c97966315bd2c7fc163afff2ca8f193c1fc741dd7df2313e8b
Instruction Fuzzy Hash: 03E0862E30012457F654E56CCC527B6778EC7C5611B09886BE549D7781C996CC0693D1

Uniqueness

Uniqueness Score: -1.00%

Function 06370380, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edbadacb456ef3edc2a17efc80008688d9aba79ff1196d1051a8f9059108cd1e
Instruction ID: 3e82175b428b5dc70330ef979646bb94a427d58453ab42326409350372a4e2fb
Opcode Fuzzy Hash: edbadacb456ef3edc2a17efc80008688d9aba79ff1196d1051a8f9059108cd1e
Instruction Fuzzy Hash: 76F03971116108EBE7589F10DC4EE6A3F79AB81201F048425F44796680CB34AD42EBC7

Uniqueness

Uniqueness Score: -1.00%

Function 0288AF0F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.625124242.0000000002882000.00000040.00000001.sdmp, Offset: 02882000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2c30163777e4d088d3bb76ba60c7d5ddbe8e5a6e6be27d92e729d808c9a682
Instruction ID: afdc44ac56658791d4c50202cbf3240c31856e010d10764ca5676e23e5ae7567
Opcode Fuzzy Hash: 0e2c30163777e4d088d3bb76ba60c7d5ddbe8e5a6e6be27d92e729d808c9a682
Instruction Fuzzy Hash: BCE0D8B290060467D2108E47AC81B63FB58EB50A30F14C557EE0C1F301E275B5048AF5

Uniqueness

Uniqueness Score: -1.00%

Function 06370A9D, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c481682fb3167d12f347181931d1520ab92374e619190140c00d87d9e431a097
Instruction ID: e49bbde394884060cc81e530603b1a7ebb0e3d7944efafad8c1490f47e887a16
Opcode Fuzzy Hash: c481682fb3167d12f347181931d1520ab92374e619190140c00d87d9e431a097
Instruction Fuzzy Hash: E9E022B5E542848FFBB853ACEC087E87722AB80729F080492D002820C1C7B82998CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 063712F0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d613ef671d92eacb9b6431d91af2af103eb132bf1e1a7336715780e2da826ab
Instruction ID: 84982459985326f7846f9afa7454c6fcbe4b763a639afa37443b0d50121c34dd
Opcode Fuzzy Hash: 6d613ef671d92eacb9b6431d91af2af103eb132bf1e1a7336715780e2da826ab
Instruction Fuzzy Hash: D6D0A73D340128175508F5ADC81087A77CFDBC5611304846FFA09D7341CDE2DC0283D1

Uniqueness

Uniqueness Score: -1.00%

Function 06371270, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5358e00f842e96489cb97b308e4ba89949b5cb55e8e2172085f39658e1dbd3ab
Instruction ID: d472bc45cda0431c55bfc647614dd36ae348cf22fc7c5585c666b313b8ce3c69
Opcode Fuzzy Hash: 5358e00f842e96489cb97b308e4ba89949b5cb55e8e2172085f39658e1dbd3ab
Instruction Fuzzy Hash: 32D0522780C208CEFBF08248C005331737D9783619F0C876BC14BEAC818AAE80529ACB

Uniqueness

Uniqueness Score: -1.00%

Function 063712B0, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c944cb7d1dcea489661aad716ce6a30487fc8e64c30bc7d91b881deebb8525
Instruction ID: 46a1311d469fc32f481b682ca00acc324616697f85f472eecf3b4a1062aaa637
Opcode Fuzzy Hash: 96c944cb7d1dcea489661aad716ce6a30487fc8e64c30bc7d91b881deebb8525
Instruction Fuzzy Hash: C6D0C712128184C9F3E42A66A405A753ADC7787905B0CC411E587E4D41EF5DD40557F6

Uniqueness

Uniqueness Score: -1.00%

Function 06371329, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512e240ba5b2ef0ddbff89a9cc03c4fe1dddb1758559a3734341a474914f4f18
Instruction ID: 514e659149d9223eb266aadaff0bd8e81f2b0376b6ffbe279baea176b8b6ac0d
Opcode Fuzzy Hash: 512e240ba5b2ef0ddbff89a9cc03c4fe1dddb1758559a3734341a474914f4f18
Instruction Fuzzy Hash: 0AC08C2A64430847E98272B8E80732DF30C4B80120F8588229588C3280EA64A403014A

Uniqueness

Uniqueness Score: -1.00%

Function 028723F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.625049751.0000000002872000.00000040.00000001.sdmp, Offset: 02872000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0365aa24382d94eb62b11f43b5185510184976630638ca681c21c863a120a8c
Instruction ID: 442e21041aacbdb9155bdc99635da20735026667673d07e253a9f62745f7efbf
Opcode Fuzzy Hash: a0365aa24382d94eb62b11f43b5185510184976630638ca681c21c863a120a8c
Instruction Fuzzy Hash: D2D05E7D215A818FD326CA1CC1A8B953B94BB51B08F4684FDEC00CB667C368D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 028723BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.625049751.0000000002872000.00000040.00000001.sdmp, Offset: 02872000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c55af8b6e4c864629987fd3a3120874001ba97d493e971d92163c0abbd25075d
Instruction ID: 2c28554ddcfc49ed6b8ab9bd820d4f38734745aa96e645ab4d0fb34e26759669
Opcode Fuzzy Hash: c55af8b6e4c864629987fd3a3120874001ba97d493e971d92163c0abbd25075d
Instruction Fuzzy Hash: 85D05E382046818BC715DB0CC594F5937D4AB41B04F0A45ECAC00CB676C3A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Function 063710B0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e4c56058e3cf57620e813df1b0154d10908011f127d3b0bfab93ef3220ad154
Instruction ID: be8e2d99262c5ccdb8fafe0a4535ea499a45ad2d9cd2f176ad3979828504f84d
Opcode Fuzzy Hash: 2e4c56058e3cf57620e813df1b0154d10908011f127d3b0bfab93ef3220ad154
Instruction Fuzzy Hash: 62C0801F1081C19FDB135611DC521B233A56652100399509140C9CA559C01D981F8BD2

Uniqueness

Uniqueness Score: -1.00%

Function 06371338, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.630694649.0000000006370000.00000040.00000001.sdmp, Offset: 06370000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34880b58d8f4a74f9d4108fb9a57adbb0d85b2ac3f0b8654cc6aa81dd590ffd7
Instruction ID: 7c64a484871d66af9f0dcc3999a700921bcd9f091faa2ce6346f71ad2225bf6b
Opcode Fuzzy Hash: 34880b58d8f4a74f9d4108fb9a57adbb0d85b2ac3f0b8654cc6aa81dd590ffd7
Instruction Fuzzy Hash: 86B01224A8170C47DD9433F5A80811CB34C1D84524BC00811594D43240FF74B8104497

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: RegSvcs.exe PID: 6852 Parent PID: 936 RegSvcs.exeCOMMON

Executed Functions

Function 0129A587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0129A63A

Memory Dump Source

Source File: 0000000C.00000002.389832834.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 1ff409cb45297239dd1f2f403a87f9a42192bcc68f1eddd06cb0b9a77a01ad4b
Instruction ID: 92d64dd769b8a1afa1097730a0fd38b32dcbbbade5d001be8ffef04be42b4032
Opcode Fuzzy Hash: 1ff409cb45297239dd1f2f403a87f9a42192bcc68f1eddd06cb0b9a77a01ad4b
Instruction Fuzzy Hash: 58319F7250D3C06FD3038B259C51B62BFB4AF83614F1A81DBD8848F193E224A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0129A4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,4C6F3015,00000000,00000000,00000000,00000000), ref: 0129A53D

Memory Dump Source

Source File: 0000000C.00000002.389832834.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e3b7359982439bbf9b2c1c1c46cae2e2b9fd97a3961f2b37f8374a4cc2169f12
Instruction ID: b1155536ded7218d595670a42712c0298e1432d5e77addd3b5a5415a8c92b698
Opcode Fuzzy Hash: e3b7359982439bbf9b2c1c1c46cae2e2b9fd97a3961f2b37f8374a4cc2169f12
Instruction Fuzzy Hash: 34218371409380AFDB228B65DC55F96BFB8EF46310F0884DBEA849F153D265A509CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0129A5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0129A63A

Memory Dump Source

Source File: 0000000C.00000002.389832834.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 1d4cbce26a714db67125a5f990b0652f73cd0b167b2c8688daa4bd1647fb145d
Instruction ID: c41f5d2b9fc81ce46ecc2b05d9c3ce6f9e6ec337700a6b354927d23914ef9b21
Opcode Fuzzy Hash: 1d4cbce26a714db67125a5f990b0652f73cd0b167b2c8688daa4bd1647fb145d
Instruction Fuzzy Hash: 2611E2714043406FD311CB15DC42F62BFB8EB85A20F0485AAED489B642D270B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0129A1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0129A269

Memory Dump Source

Source File: 0000000C.00000002.389832834.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 6958f8d6daab4cd8e304e59353bed41de2eccad5c9d15297a778e4303fd88346
Instruction ID: 92fa71db1976d6d450553da00da038942290a4dc428cf7fcb66bea808d91a4d9
Opcode Fuzzy Hash: 6958f8d6daab4cd8e304e59353bed41de2eccad5c9d15297a778e4303fd88346
Instruction Fuzzy Hash: 9E215C3540D7C49FD7138B298C95A52BFB4EF43220F0A80DBD9848F1A3D269A909DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0129A4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,4C6F3015,00000000,00000000,00000000,00000000), ref: 0129A53D

Memory Dump Source

Source File: 0000000C.00000002.389832834.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 5563c74398733cc2c78023b388e255382dffc02bf99fb9592c462957ab767481
Instruction ID: c4a8e4f24e159c5a94b7d296360bd2ebc7ed1ee7365cc519a5ddcc5166609437
Opcode Fuzzy Hash: 5563c74398733cc2c78023b388e255382dffc02bf99fb9592c462957ab767481
Instruction Fuzzy Hash: 3011BF71900700EFEB21CF59EC45F6AFBA8EF44320F14846BEE499B251D7B4A4088B71

Uniqueness

Uniqueness Score: -1.00%

Function 0129A5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 0129A63A

Memory Dump Source

Source File: 0000000C.00000002.389832834.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 4dcf48ccfac69afde289f4946dfa803fd657bf8a29a70f765a883414d51b2dc9
Instruction ID: 9216111ac1915872339f875a8ffaa4b4161a63fabe0b47bc3de69dfa042cba95
Opcode Fuzzy Hash: 4dcf48ccfac69afde289f4946dfa803fd657bf8a29a70f765a883414d51b2dc9
Instruction Fuzzy Hash: 2B017172500600ABD710DF16DC86F26FBA8EB88B20F14856AED089B741E371B515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0129A23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 0129A269

Memory Dump Source

Source File: 0000000C.00000002.389832834.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 2578b5fb6cec0eaae09cfddc9d12f3065930679079db95c2157b605022e8497a
Instruction ID: d0c7c2b429df2aeb128b1242744fca5bb978c92489a4f4b021ad213af298f505
Opcode Fuzzy Hash: 2578b5fb6cec0eaae09cfddc9d12f3065930679079db95c2157b605022e8497a
Instruction Fuzzy Hash: 78F0A9308147449FDB108F1DD885762FFA0EF44620F18C0EADE094F212D2BAA848CEA2

Uniqueness

Uniqueness Score: -1.00%

Function 012B05D0, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.389867643.00000000012B0000.00000040.00000040.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbadea6b7537c97759532a726dd83481d477fec55add8c9dac97b4b7c83bed9e
Instruction ID: 9c71ddcca9166e68a1d68c84edf35c075a859a5d9f762fda61fd255837138d61
Opcode Fuzzy Hash: fbadea6b7537c97759532a726dd83481d477fec55add8c9dac97b4b7c83bed9e
Instruction Fuzzy Hash: 7301F7765087806FD7028F069C40862FFB8DE86670718C09FED498B612E225A804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 012B05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.389867643.00000000012B0000.00000040.00000040.sdmp, Offset: 012B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4a38cd70b10b917673cdbb6c25d6500224efa3f4fa6727ec98c63e9179b484
Instruction ID: 67727c47e10612e1a17d644a9ccaf07b49a93756bbf846c075a85c4f6975717d
Opcode Fuzzy Hash: 7e4a38cd70b10b917673cdbb6c25d6500224efa3f4fa6727ec98c63e9179b484
Instruction Fuzzy Hash: 40E09276600A008BD650DF0BEC45452F7D8EB88630B18C07FDC0D8B711E235B504CEA5

Uniqueness

Uniqueness Score: -1.00%

Function 012923F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.389823852.0000000001292000.00000040.00000001.sdmp, Offset: 01292000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05010c99113e802ed1104e418b48b9f5dd5e0e4ae77cfa5db4c195d37ffd87eb
Instruction ID: 35abd2dc70a7bc24fa8878c2a74665257f3d3965bd44290949e88c42a624cd6c
Opcode Fuzzy Hash: 05010c99113e802ed1104e418b48b9f5dd5e0e4ae77cfa5db4c195d37ffd87eb
Instruction Fuzzy Hash: DED05E79225A929FE7268A1CC1A8B953FA4EB61B04F4644FDE9008B663C368D981D200

Uniqueness

Uniqueness Score: -1.00%

Function 012923BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.389823852.0000000001292000.00000040.00000001.sdmp, Offset: 01292000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963dbd7ebc494bfd244c0fe41ce35aae2bc66b3289630854ec345c532a6e6131
Instruction ID: 099418217d6f8f2500427e9c44eb053a37768a6d7a7372c74e43c1e91f2d95bd
Opcode Fuzzy Hash: 963dbd7ebc494bfd244c0fe41ce35aae2bc66b3289630854ec345c532a6e6131
Instruction Fuzzy Hash: 19D05E342102828BDB15DB0CC594F593BD4AF41B00F0644E8BE008B662C3A4D881C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 7024 Parent PID: 936 dhcpmon.exeCOMMON

Executed Functions

Function 00CBA587, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 00CBA63A

Memory Dump Source

Source File: 0000000F.00000002.393069944.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: e662d3d85ecf1f433c4d6f775e2fb19cdbfdff40d1b1ee3070e83a873e4d6bdc
Instruction ID: ec86731e1e4f1d1e73def1df2a4ab2b5db08bfbbe2cdc625519c9ed6293cb2dc
Opcode Fuzzy Hash: e662d3d85ecf1f433c4d6f775e2fb19cdbfdff40d1b1ee3070e83a873e4d6bdc
Instruction Fuzzy Hash: 24319F7250D3C06FD3138B218C65B62BFB4AF43614F1A81CBD8848F193E224A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA4AA, Relevance: 1.6, APIs: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,0D171BCF,00000000,00000000,00000000,00000000), ref: 00CBA53D

Memory Dump Source

Source File: 0000000F.00000002.393069944.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1cb1e72587a7c3371c896249547aa66251181aa78e6dab31ac948fdf892481ce
Instruction ID: 840abe0a84f4c2f19cd7afd4fb27cdcfec85434a6de5142675f849ba4b4d7a2d
Opcode Fuzzy Hash: 1cb1e72587a7c3371c896249547aa66251181aa78e6dab31ac948fdf892481ce
Instruction Fuzzy Hash: 0421A371409380AFD7228F65DC55F96BFB8EF46310F0884DBE9849F153D264A509C772

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA5C6, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 00CBA63A

Memory Dump Source

Source File: 0000000F.00000002.393069944.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 5d79d125c35b88e7d4793de8a8e7474a4e832c8d8864103a8bb5788b3dec8783
Instruction ID: b85a7c9d6b5185ef2ddb6234eb1937dff815994b9c42a60a3392bc9e669ef6d1
Opcode Fuzzy Hash: 5d79d125c35b88e7d4793de8a8e7474a4e832c8d8864103a8bb5788b3dec8783
Instruction Fuzzy Hash: 5911E2715043406FD311CF15DC42F72BFB8EB85A20F0485AAED488B642E270B915CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA1F4, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00CBA269

Memory Dump Source

Source File: 0000000F.00000002.393069944.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 6312e0fe00bcde0c7485447489fabe53097ae546d8fcadb70d6a448de53729ae
Instruction ID: 3180c98c30d2aa9a5182b9dff619713c9009401dd0559f4907109ec1d2681482
Opcode Fuzzy Hash: 6312e0fe00bcde0c7485447489fabe53097ae546d8fcadb70d6a448de53729ae
Instruction Fuzzy Hash: ED216D3540D7C49FD7138B258C95A92BFB4EF03220F0E80DBD9848F1A3D269A949CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA4DE, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000E2C,0D171BCF,00000000,00000000,00000000,00000000), ref: 00CBA53D

Memory Dump Source

Source File: 0000000F.00000002.393069944.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 673c4624e8c39272c447f43172b57703fa91f9ac938058d3aef7a846d3c00506
Instruction ID: 3f3c0cf942aab36f3f6907f7aa432230ea9bb0cb9b03751bedc0dd4752b15f60
Opcode Fuzzy Hash: 673c4624e8c39272c447f43172b57703fa91f9ac938058d3aef7a846d3c00506
Instruction Fuzzy Hash: AB11BF71400604EEEB21CF55DC45FAAFBA8EF44720F1484ABEE859B251D674A5088B72

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA5EA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000E2C,?,?), ref: 00CBA63A

Memory Dump Source

Source File: 0000000F.00000002.393069944.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 8b20768cf733fafe467752a619996c87719ecae17561abaad7faec4417bcab29
Instruction ID: 6a48aac6fbfae42059aa333efbd466121ab50777e0f78e1622222b5e98248734
Opcode Fuzzy Hash: 8b20768cf733fafe467752a619996c87719ecae17561abaad7faec4417bcab29
Instruction Fuzzy Hash: 28017172540700ABD710DF16DC86F36FBA8EB88B20F14856AED089B741E771F515CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA23A, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNELBASE ref: 00CBA269

Memory Dump Source

Source File: 0000000F.00000002.393069944.0000000000CBA000.00000040.00000001.sdmp, Offset: 00CBA000, based on PE: false

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: b5d72355bf37428ef76f21a4040d7148027e543712ae478d5997f748da7e3d4e
Instruction ID: ba0c6f1dfa6efb7bfcbe38f4050b0b377c6a6959208e2b0579669d280d0d1fbb
Opcode Fuzzy Hash: b5d72355bf37428ef76f21a4040d7148027e543712ae478d5997f748da7e3d4e
Instruction Fuzzy Hash: D6F0AF309046449FDB108F1AD8857A2FFA0EF04720F18C0AADD494B256D2BAA948CAA3

Uniqueness

Uniqueness Score: -1.00%

Function 027305AF, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.393458987.0000000002730000.00000040.00000040.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df8dc261be3974fd1cae187a94e40d0510ec01677719ecd9b46d55d1e606a52
Instruction ID: 58f0355265c6cc5387a48abb86904ef90923d483becbcf83ac46070ce6cc3832
Opcode Fuzzy Hash: 4df8dc261be3974fd1cae187a94e40d0510ec01677719ecd9b46d55d1e606a52
Instruction Fuzzy Hash: 4411E57664C380AFD712CF26AC144A2BFB4DEC722470C849FED4CCB152E268A508CB61

Uniqueness

Uniqueness Score: -1.00%

Function 027305F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.393458987.0000000002730000.00000040.00000040.sdmp, Offset: 02730000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53dbcdf90f62559d8c12315cf04f868f68e209173b82293ecf76ab6fde955fdb
Instruction ID: 5ca03974dbd4ca5e810e54c554fe2019c0674452289ddfc4fc5448488249e033
Opcode Fuzzy Hash: 53dbcdf90f62559d8c12315cf04f868f68e209173b82293ecf76ab6fde955fdb
Instruction Fuzzy Hash: 33E06D766446009BD650CF0AEC41462F7E8EB88630B18C06FDC0D8B711E675B5048EA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CB23F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.393046572.0000000000CB2000.00000040.00000001.sdmp, Offset: 00CB2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd9914cf2f218af2c5965d0efb7ea79183380640f011d0f00c1749403eb4d7c
Instruction ID: 42b973595b93fccf8707770c3c62ea2c1d37ec17b703b9591aed285fba9443cc
Opcode Fuzzy Hash: cbd9914cf2f218af2c5965d0efb7ea79183380640f011d0f00c1749403eb4d7c
Instruction Fuzzy Hash: 06D05E79255A818FD3268A1CC1A8BD53F94EF51B05F4644FDE8008BA63C368DA81E600

Uniqueness

Uniqueness Score: -1.00%

Function 00CB23BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.393046572.0000000000CB2000.00000040.00000001.sdmp, Offset: 00CB2000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5060afb996c7f02252f8e19cb6754a6c578137ff028aed2a2c001e1ab42429e7
Instruction ID: f460689ed47e42a5e8e1661d48843db5b0d40c4706aa7413c2bb127c005bbcaf
Opcode Fuzzy Hash: 5060afb996c7f02252f8e19cb6754a6c578137ff028aed2a2c001e1ab42429e7
Instruction Fuzzy Hash: B7D05E342002818BC715DB0CC594F9937D8AB41B00F0644E8AC108B672C3A8DDC1C600

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: dhcpmon.exe PID: 4408 Parent PID: 3440 dhcpmon.exeCOMMON

Executed Functions

Function 02980120, Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

:@:r, xrefs: 029802C5

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID: :@:r
API String ID: 0-1441432688
Opcode ID: 657ea99eb56f89ae758162f30a91a22516c51c307b667b22929dcdedd1f350d2
Instruction ID: c6d0c1f089085d2bcdfb9ad5b65c23cff3c6577caef4be75caefa78932ae775e
Opcode Fuzzy Hash: 657ea99eb56f89ae758162f30a91a22516c51c307b667b22929dcdedd1f350d2
Instruction Fuzzy Hash: 93719531B00211CFD715EB78D858B697BF3BBA8745F1885A9E806873A4DF719D84CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02980818, Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b091b2f5cbd7343ae056d47ebe6dc6b33f68d1b47d0bc22956f36c126d1bbe4f
Instruction ID: 32c8a19b6d32d1a5e235d68d642764946395b88f36a35b8f7896ddc105881a8c
Opcode Fuzzy Hash: b091b2f5cbd7343ae056d47ebe6dc6b33f68d1b47d0bc22956f36c126d1bbe4f
Instruction Fuzzy Hash: 35F18031200702CFDB18EF64D894B2A77A6BBE4759B18C5ACD5478B398DB71E846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 029806E8, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c8c5dd837a7ba0333b88b5399e3515ebf6ff9a3c1e63c72fec2231faa0ff53
Instruction ID: d33497e838bff6e00bdc2145137697b17e394e2251a28db4b6ef82fb48071b71
Opcode Fuzzy Hash: e9c8c5dd837a7ba0333b88b5399e3515ebf6ff9a3c1e63c72fec2231faa0ff53
Instruction Fuzzy Hash: 56313C703012118FC7597F7CD018A2E3AE6AFC5305B2504BAE406CF7A2EE76DC869796

Uniqueness

Uniqueness Score: -1.00%

Function 029806F8, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 100938d184044b21302b3951fc3091da10667aa17c30fc57e934d695460e4600
Instruction ID: ccb16b05157266c5aaff5e44b39cf493268f3f50b266df24652436f36e023705
Opcode Fuzzy Hash: 100938d184044b21302b3951fc3091da10667aa17c30fc57e934d695460e4600
Instruction Fuzzy Hash: B121EB303012118FC759BF7CD058A2E3AE6AFC5305B1504BAE40ACF7A1EE76DC859796

Uniqueness

Uniqueness Score: -1.00%

Function 02980DD0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babe951386bba186d536dbb1587163a1fe9d10b3345f47b4a02ec3f1a72f08da
Instruction ID: b38728b837489bfa9ce2e843e8c0b2e644cfe748699019b6e2a64ce2b974ef9d
Opcode Fuzzy Hash: babe951386bba186d536dbb1587163a1fe9d10b3345f47b4a02ec3f1a72f08da
Instruction Fuzzy Hash: 8E21E4327042449FC704E7B8D810BAE3FBAAFC6610B1480E6D505CB392CF319D06D7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0298010F, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a5ff8c4cb42554aa7654735683f2e0cc1257e6a04342ef65ca75560d0ebd05
Instruction ID: 49122e07dabcc18deb460bc0298bae51ba747ea09fd135542651e7f6171abd6b
Opcode Fuzzy Hash: 30a5ff8c4cb42554aa7654735683f2e0cc1257e6a04342ef65ca75560d0ebd05
Instruction Fuzzy Hash: E621CC70D042888FDB11EF7888597EEBFF0AF4A314F1840AAC445E7261DB350A4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 029D05CF, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.410009725.00000000029D0000.00000040.00000040.sdmp, Offset: 029D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778d9b4280859e71a9f5531f0bc446b66efd48177cce6cdfa1d4e1747a2c0348
Instruction ID: 8fee5cdb7c294338be7190466e13c1881d3e3ddc9326508e171d98c06620c8dd
Opcode Fuzzy Hash: 778d9b4280859e71a9f5531f0bc446b66efd48177cce6cdfa1d4e1747a2c0348
Instruction Fuzzy Hash: 8B01A7715497806FD7028B16EC41C53BFE8DF87270B0980AFED49CB612D265A909CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 02980EF7, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89e26aeeef9bf30ca6110f74f76122bef69ec60ef6ba797e17e2083deac7e25
Instruction ID: 5b185a9309246ae1b9411b3476451ec4d7325be619fe5b3771d8bdd203b6e649
Opcode Fuzzy Hash: a89e26aeeef9bf30ca6110f74f76122bef69ec60ef6ba797e17e2083deac7e25
Instruction Fuzzy Hash: 60F0BE312083408FC350FB6CD850A5A3BFAAF9932071484ABE448C7765DA25AC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029800C0, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e0662a13e7bd2965864acc7c112f3c321c195211b7c0fffd3e4d5afce74fb2
Instruction ID: 3dbe7a1c4293b28c282fb1ee4c13bc665a4be142b6b694199d5f94407872cadd
Opcode Fuzzy Hash: 45e0662a13e7bd2965864acc7c112f3c321c195211b7c0fffd3e4d5afce74fb2
Instruction Fuzzy Hash: BAF08C71D082899FCB40DFB898459DEBFF0EE09220B2080AAC448E7212E3311616CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 029D05F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.410009725.00000000029D0000.00000040.00000040.sdmp, Offset: 029D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 564e3d8ea0b0ff93adc3e88f2a480ac8724cc472d946f5a645f6c3ac9db0cf43
Instruction ID: 5e640d6f65e5da8ab80d48071d9331758ecbfaaf13bd6fdbfacd9bbecb9329b6
Opcode Fuzzy Hash: 564e3d8ea0b0ff93adc3e88f2a480ac8724cc472d946f5a645f6c3ac9db0cf43
Instruction Fuzzy Hash: 9FE092766006008BD650CF0BEC41452FBD8EB88630B18C07FDC0D8B710E135B508CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 02980DC0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c0c3d02fceb31b80f28a6b1dc7b0d409ff2ed88791d6681c5db58ce048636c
Instruction ID: 05c06b7dd2394025970ed3c259596385cc40a010bdb67cbe9dea55c33b9fe73f
Opcode Fuzzy Hash: 99c0c3d02fceb31b80f28a6b1dc7b0d409ff2ed88791d6681c5db58ce048636c
Instruction Fuzzy Hash: 1EE020316083805FD71567749C187C53F74EF07114F1844DEE4808F1A6D767AD16C392

Uniqueness

Uniqueness Score: -1.00%

Function 029800D0, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c66a01cf511ecf110770a294b47199df3ce54f91b8415ca9abed8189891b7a
Instruction ID: ea9cb6ada228110ee8fbb287176ac6c06e43aeec1cc3d8ec202e3c2922747bd4
Opcode Fuzzy Hash: 51c66a01cf511ecf110770a294b47199df3ce54f91b8415ca9abed8189891b7a
Instruction Fuzzy Hash: 23E09A71D0521D9F8F40EFB999456DEBFF8EA48251F100466D508F3200E33156158BE1

Uniqueness

Uniqueness Score: -1.00%

Function 02980F08, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adf9feeccdfde8d4ce96a61f473163091369aef839c1d9137b364a274dcf333e
Instruction ID: 941640d6f92b51cd6d8124e4b8ffea8a6dcc5427ab1c61c14eee6ac49642f8bd
Opcode Fuzzy Hash: adf9feeccdfde8d4ce96a61f473163091369aef839c1d9137b364a274dcf333e
Instruction Fuzzy Hash: 03E01A367101108FC3A4FB6CE844A5A37EBABE932071440A6E809D7368DA71AC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029803C5, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.409951866.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72017328c8210df6c48a8cf2b31dc323507c074e1b54d3ad07648085444a8f4a
Instruction ID: 5d6474cf3af742644e5fbfd0a3cdd3aefa883de7c4bf924afb8cc663ce265250
Opcode Fuzzy Hash: 72017328c8210df6c48a8cf2b31dc323507c074e1b54d3ad07648085444a8f4a
Instruction Fuzzy Hash: EAF01C30A402258FEB14ABA4C55C7AD7EF0AF88315F18055AE403A72A0CF740988CB44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report GHhMZFFEmf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre