
Windows Analysis Report TR0398734893 50601251.exe

Overview

General Information

Sample Name: TR0398734893 50601251.exe
Analysis ID: 526553
MD5: f245cb3e4ecc54a0883371b525eb0bb1
SHA1: 71ff34129913ac8a924a28c7523885f11ca44a1c
SHA256: 8371daec5ed076caa1cfdac1ce0ab350744de7d71108ae5efda80e4c54ab1d0e
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • TR0398734893 50601251.exe (PID: 6612 cmdline: "C:\Users\user\Desktop\TR0398734893 50601251.exe" MD5: F245CB3E4ECC54A0883371B525EB0BB1)
    • powershell.exe (PID: 6952 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6968 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • TR0398734893 50601251.exe (PID: 4260 cmdline: C:\Users\user\Desktop\TR0398734893 50601251.exe MD5: F245CB3E4ECC54A0883371B525EB0BB1)
      • schtasks.exe (PID: 6648 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6712 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • TR0398734893 50601251.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\TR0398734893 50601251.exe" 0 MD5: F245CB3E4ECC54A0883371B525EB0BB1)
    • powershell.exe (PID: 1936 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 2944 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmpC245.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • TR0398734893 50601251.exe (PID: 7024 cmdline: C:\Users\user\Desktop\TR0398734893 50601251.exe MD5: F245CB3E4ECC54A0883371B525EB0BB1)
    • TR0398734893 50601251.exe (PID: 6984 cmdline: C:\Users\user\Desktop\TR0398734893 50601251.exe MD5: F245CB3E4ECC54A0883371B525EB0BB1)
  • dhcpmon.exe (PID: 6812 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: F245CB3E4ECC54A0883371B525EB0BB1)
  • dhcpmon.exe (PID: 3516 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: F245CB3E4ECC54A0883371B525EB0BB1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(60 entries in total; only the first are listed here.)

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(75 entries in total; only the first are listed here.)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\TR0398734893 50601251.exe, ProcessId: 4260, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\TR0398734893 50601251.exe, ProcessId: 4260, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started, Author: frack113, Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TR0398734893 50601251.exe" , ParentImage: C:\Users\user\Desktop\TR0398734893 50601251.exe, ParentProcessId: 6612, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp, ProcessId: 6968
Sigma detected: Powershell Defender Exclusion
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TR0398734893 50601251.exe" , ParentImage: C:\Users\user\Desktop\TR0398734893 50601251.exe, ParentProcessId: 6612, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, ProcessId: 6952
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TR0398734893 50601251.exe" , ParentImage: C:\Users\user\Desktop\TR0398734893 50601251.exe, ParentProcessId: 6612, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, ProcessId: 6952
Sigma detected: T1086 PowerShell Execution
Source: Pipe created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: PipeName: \PSHost.132821089554997111.6952.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\TR0398734893 50601251.exe, ProcessId: 4260, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\TR0398734893 50601251.exe, ProcessId: 4260, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: TR0398734893 50601251.exe, Virustotal: Detection: 27%
Source: TR0398734893 50601251.exe, ReversingLabs: Detection: 24%
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Virustotal: Detection: 27%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, ReversingLabs: Detection: 24%
Yara detected Nanocore RAT
Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.398359301.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000002.398482997.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR
Machine Learning detection for sample
Source: TR0398734893 50601251.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe, Joe Sandbox ML: detected
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, Avira: Label: TR/NanoCore.fadte
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: TR0398734893 50601251.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: TR0398734893 50601251.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\TR0398734893 50601251.exe, DNS query: name: 9292.freemyip.com (9 identical entries)
Source: unknown, DNS query: name: 9292.freemyip.com (3 identical entries)
Source: global traffic, TCP traffic: 192.168.2.7:49762 -> 185.140.53.131:9292
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: TR0398734893 50601251.exe, 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, TR0398734893 50601251.exe, 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TR0398734893 50601251.exe, 00000001.00000003.255583071.0000000005D74000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TR0398734893 50601251.exe, 00000001.00000003.258189413.0000000005D78000.00000004.00000001.sdmp, String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp, String found in binary or memory: http://www.chinhdo.com
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: TR0398734893 50601251.exe, 00000001.00000003.296027500.0000000005D70000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comB.TTF
Source: TR0398734893 50601251.exe, 00000001.00000003.296027500.0000000005D70000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.coma
Source: TR0398734893 50601251.exe, 00000001.00000003.252766319.0000000005D8B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: TR0398734893 50601251.exe, 00000001.00000003.255015833.0000000005DAD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.cV
Source: TR0398734893 50601251.exe, 00000001.00000003.254947421.0000000005DAD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TR0398734893 50601251.exe, 00000001.00000003.254884642.0000000005DAD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn5
Source: TR0398734893 50601251.exe, 00000001.00000003.262739726.0000000005DAD000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown, DNS traffic detected: queries for: 9292.freemyip.com
Source: dhcpmon.exe, 00000016.00000002.329110876.0000000001098000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: TR0398734893 50601251.exe, 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; the matched file sources (21 unpacked PEs, 17 memory dumps and the process memory of PIDs 6612, 4260 and 6488) are identical to the list given under AV Detection above.

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
Source: 9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.398359301.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000002.398482997.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTR, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR, Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: TR0398734893 50601251.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
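The Yara match sources above are only useful for triage once the dotted identifiers are decoded: which report process, which dump phase, which address and what page protection the matched region had. The following is an added example, written for this page and not code from the report or from Joe Sandbox, that parses those "Source:" lines and flags the pattern that matters here: a PAGE_EXECUTE_READWRITE region at the 32-bit image base (0x400000/0x402000) in a dump taken before the process ran, which is what WriteProcessMemory-based process hollowing leaves behind and fits the report's "Injects a PE file into a foreign processes" signature. The meaning assigned to each field (hex process number, phase 0 vs 2, base address, PAGE_* protection) is an assumption inferred from the naming pattern in the report, not a published specification; the 0x400000 address window and the hollowed_image_hits heuristic are this example's own choices; the sample lines are copied from the report, one kept in the extraction-glued form.

```python
"""Triage helper for the Yara-match 'Source:' lines of a Joe Sandbox report.
Added example, not code from the report or from Joe Sandbox.  Field meanings
are assumptions inferred from the naming pattern, not a published format."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows PAGE_* protection constants (winnt.h).  The fifth field of a .sdmp
# name (e.g. 00000040) is assumed to be the dumped region's protection.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# <process hex>.<phase hex>.<dump id>.<base hex>.<protect hex>.<tag hex>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# <process>.<phase>.<image name>.<base hex>.<index>[.raw].unpack
# The image name can itself contain dots and spaces, so match from the tail.
UNPACK_RE = re.compile(
    r"^(\d+)\.(\d+)\.(.+)\.([0-9A-Fa-f]+)\.(\d+)\.(raw\.)?unpack$")
# Process-string scans name the OS PID instead of a region.
PIDSTR_RE = re.compile(r"^Process Memory Space: (.+) PID: (\d+)$")
# "Source: <id>, type: <TYPE>, Matched rule: <name> ...".  The type/rule part
# also tolerates the extraction-glued form "type: UNPACKEDPEMatched rule:".
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+?),?\s*"
    r"Matched rule:\s*(?P<rule>.+?)(?:\s+Author:|\s+date\s*=|$)")


@dataclass
class YaraHit:
    kind: str                       # MEMORY, UNPACKEDPE, MEMORYSTR
    rule: str                       # rule name, or its description in the short form
    process: Optional[int] = None   # process number within the report (not the OS PID)
    phase: Optional[int] = None     # assumed: 0 = dump at process start, 2 = at end of run
    base: Optional[int] = None      # virtual address of the region / unpacked PE
    protect: Optional[str] = None   # only known for .sdmp sources
    raw: bool = False               # ".raw.unpack": file-layout rather than memory-layout PE
    os_pid: Optional[int] = None    # only for "Process Memory Space" sources


def parse_source(src: str, kind: str, rule: str) -> YaraHit:
    m = SDMP_RE.match(src)
    if m:
        prot = int(m.group(5), 16)
        return YaraHit(kind, rule, process=int(m.group(1), 16),
                       phase=int(m.group(2), 16), base=int(m.group(4), 16),
                       protect=PAGE_PROTECT.get(prot, f"0x{prot:x}"))
    m = UNPACK_RE.match(src)
    if m:
        return YaraHit(kind, rule, process=int(m.group(1)), phase=int(m.group(2)),
                       base=int(m.group(4), 16), raw=m.group(6) is not None)
    m = PIDSTR_RE.match(src)
    if m:
        return YaraHit(kind, rule, os_pid=int(m.group(2)))
    raise ValueError(f"unrecognised source identifier: {src!r}")


def parse_report_line(line: str) -> Optional[YaraHit]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return parse_source(m["src"], m["type"], m["rule"].strip())
    except ValueError:
        return None


def parse_lines(text: str) -> List[YaraHit]:
    return [h for h in map(parse_report_line, text.splitlines()) if h]


def hollowed_image_hits(hits: List[YaraHit]) -> List[YaraHit]:
    """Memory hits that are PAGE_EXECUTE_READWRITE at a 32-bit PE's default image
    base (0x400000 page range, a heuristic window chosen for this example) in a
    phase-0 dump.  A normally mapped image section is MEM_IMAGE with
    PAGE_EXECUTE_READ; RWX code at the image base before the process has run is
    the footprint of WriteProcessMemory-based process hollowing."""
    return [h for h in hits
            if h.kind == "MEMORY" and h.phase == 0
            and h.protect == "PAGE_EXECUTE_READWRITE"
            and h.base is not None and 0x400000 <= h.base < 0x500000]


# Constructed input: six 'Source:' lines copied from the report (one left in the
# glued form as extracted), enough to exercise every source shape.
SAMPLE = """\
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth
Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22
Source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR, Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
"""

if __name__ == "__main__":
    for h in hollowed_image_hits(parse_lines(SAMPLE)):
        print(f"process {h.process}: RWX at 0x{h.base:x} before execution, rule {h.rule}")
```

Run against the full "Yara signature match" list, the flagged set is the phase-0 dumps at 0x402000 with protection 0x40 for report processes 9 and 0x1E; the phase-2 hits at heap-range addresses with PAGE_READWRITE (0x04) are the decrypted payload sitting in data memory and are not flagged. The OS PIDs (6612, 4260, 6488) come only from the MEMORYSTR lines and are kept separately, since the hex process number in a dump name is a report index rather than a PID.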
Source: 9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.TR0398734893 50601251.exe.57d0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000002.398359301.0000000002BD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000002.398482997.0000000003BD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_0136D774
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_0741C650
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_07410C10
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_07413A2F
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_074109C0
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 1_2_074109B0
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_00D86E81
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_055DE471
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_055DE480
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_055DBBD4
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_0568F5F8
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_05689788
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_0568A610
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_06B00040
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_00776E81
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_00FAD774
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_07050C00
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_07050C10
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_07053A2F
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_070509B0
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_070509C0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_00836E81
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_0104D774
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F60C10
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F60C00
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F609C0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F609B0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_00756E81
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_02A0D774
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051B9198
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051B6228
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051BB4B0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051B01D8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051B01CA
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E80C00
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E80C10
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E83A2F
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E809C0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E809B0
      Source: TR0398734893 50601251.exe, 00000001.00000002.303597997.0000000007360000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe, 00000001.00000003.267353997.0000000007672000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameScopeTr.exeL vs TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe, 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe, 00000009.00000000.288718625.0000000000E15000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameScopeTr.exeL vs TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe, 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe, 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe, 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe, 00000013.00000002.379544931.0000000000805000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameScopeTr.exeL vs TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe, 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe, 00000013.00000002.386085520.0000000006D50000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameTransactionalFileManager.dllf# vs TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: bLtzKqfzc.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.9.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: TR0398734893 50601251.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: bLtzKqfzc.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: dhcpmon.exe.9.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: TR0398734893 50601251.exe | Virustotal: Detection: 27%
      Source: TR0398734893 50601251.exe | ReversingLabs: Detection: 24%
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File read: C:\Users\user\Desktop\TR0398734893 50601251.exe
      Source: TR0398734893 50601251.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe "C:\Users\user\Desktop\TR0398734893 50601251.exe"
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe "C:\Users\user\Desktop\TR0398734893 50601251.exe" 0
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmpC245.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmp
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmpC245.tmp
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File created: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File created: C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@28/16@12/2
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Mutant created: \Sessions\1\BaseNamedObjects\rTEtOISOUCyAZVrl
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_01
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{6da65a1d-13b4-4cf2-99da-e8e872dd1f17}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File created: C:\Program Files (x86)\DHCP Monitor
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: TR0398734893 50601251.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: TR0398734893 50601251.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, 9.2.TR0398734893 50601251.exe.400000.0.unpack, 9.0.TR0398734893 50601251.exe.400000.8.unpack, 9.0.TR0398734893 50601251.exe.400000.4.unpack, 9.0.TR0398734893 50601251.exe.400000.12.unpack, 9.0.TR0398734893 50601251.exe.400000.10.unpack (same finding in each of the six dumps), #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, 9.2.TR0398734893 50601251.exe.400000.0.unpack, 9.0.TR0398734893 50601251.exe.400000.8.unpack, 9.0.TR0398734893 50601251.exe.400000.4.unpack, 9.0.TR0398734893 50601251.exe.400000.12.unpack, 9.0.TR0398734893 50601251.exe.400000.10.unpack (same finding in each of the six dumps), #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_0568B5E0 push eax; retf 9_2_0568B5ED
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_056869F8 pushad ; retf 9_2_056869F9
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 9_2_056869FA push esp; retf 9_2_05686A01
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Code function: 19_2_07059A78 push esp; iretd 19_2_07059A79
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F69F57 pushad ; iretd 22_2_06F69F59
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F68C98 push E40742C4h; ret 22_2_06F68C9D
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F662BF push es; iretd 22_2_06F662C0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 22_2_06F608B8 push es; ret 22_2_06F608D8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051BE3E9 push 04051C8Eh; ret 23_2_051BE3F5
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_051BA9BF push ecx; ret 23_2_051BAA15
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E89F57 pushad ; iretd 23_2_06E89F59
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E88C98 push E4056DC4h; ret 23_2_06E88C9D
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E8AC7D push FFFFFF8Bh; iretd 23_2_06E8AC7F
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E862BA push es; iretd 23_2_06E862C0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 23_2_06E808B8 push es; ret 23_2_06E808D8
      Source: initial sample | Static PE information: section name: .text entropy: 7.71324859014
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, 9.2.TR0398734893 50601251.exe.400000.0.unpack, 9.0.TR0398734893 50601251.exe.400000.8.unpack, 9.0.TR0398734893 50601251.exe.400000.4.unpack, 9.0.TR0398734893 50601251.exe.400000.12.unpack, 9.0.TR0398734893 50601251.exe.400000.10.unpack (same finding in each of the six dumps), #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, 9.2.TR0398734893 50601251.exe.400000.0.unpack, 9.0.TR0398734893 50601251.exe.400000.8.unpack, 9.0.TR0398734893 50601251.exe.400000.4.unpack, 9.0.TR0398734893 50601251.exe.400000.12.unpack, 9.0.TR0398734893 50601251.exe.400000.10.unpack (same finding in each of the six dumps), #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File created: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
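The static indicators in this section (a .text section with entropy 7.71, a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR marking a managed image, and the DllCharacteristics NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE and NX_COMPAT) are cheap to reproduce outside the sandbox. The script below is an added example written for this page; it is neither Joe Sandbox code nor code recovered from the sample. It walks the PE32/PE32+ headers by hand, computes the Shannon entropy of each section's raw bytes, decodes the DllCharacteristics bits and checks data directory 14 for a CLR header. The 7.0 cut-off and the minimal PE32 it builds as input are assumptions for the demonstration. The caveat a triager should keep in mind: high section entropy only says the bytes are compressed or encrypted; the decisive evidence of an unpacker here is the CreateDecryptor/TransformFinalBlock calls feeding System.Reflection.Assembly::Load(System.Byte[]) listed above, which a static scan cannot see.

```python
import math
import struct
from collections import Counter

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header: present only in managed (.NET) images
PACKED_ENTROPY_THRESHOLD = 7.0              # assumption: a common triage cut-off, not proof of packing

# DllCharacteristics bits as defined in the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte from 0.0 (constant) to 8.0 (uniform); packed or encrypted code sits near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse_pe(data: bytes) -> dict:
    """Parse just enough of a PE32/PE32+ file to report section entropy, DllCharacteristics and .NET-ness."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B      # 0x20B would be PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]      # same offset in both formats
    n_dirs = struct.unpack_from("<I", data, opt + (92 if pe32 else 108))[0]
    dirs = opt + (96 if pe32 else 112)
    is_dotnet = False
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        rva, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
        is_dotnet = rva != 0 and size != 0
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])   # entropy of the on-disk section bytes
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "entropy": ent, "packed": ent >= PACKED_ENTROPY_THRESHOLD})
    return {"is_dotnet": is_dotnet,
            "dll_characteristics": [v for k, v in DLL_CHARACTERISTICS.items() if dll_chars & k],
            "sections": sections}


def build_sample_pe(sections, dotnet=True) -> bytes:
    """Constructed test input, not the analysed sample: a minimal PE32 with the given (name, raw bytes) sections."""
    file_align, sect_align, opt_size = 0x200, 0x1000, 224
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    hdr_size = -(-hdr_len // file_align) * file_align            # round headers up to FileAlignment
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)
    struct.pack_into("<I", opt, 60, hdr_size)                      # SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x8000 | 0x0400 | 0x0100 | 0x0040)  # GUI; same flags as the report
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    table, body, raw_ptr, rva = bytearray(), bytearray(), hdr_size, sect_align
    for name, raw in sections:
        raw_size = -(-len(raw) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), rva, raw_size,
                             raw_ptr, 0, 0, 0, 0, 0x60000020)      # CODE | EXECUTE | READ
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += -(-raw_size // sect_align) * sect_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0") + body)


if __name__ == "__main__":
    sample = build_sample_pe([(".text", bytes(range(256)) * 16), (".rdata", b"A" * 512)])
    report = analyse_pe(sample)
    print("managed (.NET) image:", report["is_dotnet"])
    print("DllCharacteristics:", ", ".join(report["dll_characteristics"]))
    for s in report["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.3f} {'HIGH' if s['packed'] else 'ok'}")
```

Run against a real file by replacing the constructed input with `open(path, "rb").read()`; anything scoring above the threshold is worth a look, but confirm packing with the dynamic evidence (decryptor calls and Assembly.Load on a byte array) rather than the number alone.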

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp"
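schtasks /Create /XML registers whatever the referenced XML file describes, so the temporary file C:\Users\user\AppData\Local\Temp\tmp20D5.tmp is the artefact that tells an analyst which binary the task runs, on which trigger and under which principal; the report does not reproduce its contents. The script below is an added example, not part of the report or of the sample: it parses a Task Scheduler XML definition (the 2004/02 mit/task schema that schtasks consumes) and flags the properties that matter for triage. The embedded definition is constructed for the demonstration; it assumes the task points at the dropped bLtzKqfzc.exe in AppData\Roaming, which the report does not state, and the list of user-writable directories is an assumption to tune per environment.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: directories a standard user can write to. Installers register task binaries under
# Program Files or Windows, so an action launched from one of these paths deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads|Public)\\", re.IGNORECASE)
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger", "RegistrationTrigger"}


def parse_task_xml(xml_text: str) -> dict:
    """Extract the fields of a Task Scheduler XML definition that matter for triage."""
    root = ET.fromstring(xml_text)
    triggers = root.find("t:Triggers", NS)
    trigger_types = [] if triggers is None else [child.tag.split("}", 1)[1] for child in triggers]
    repetition = root.find(".//t:Repetition/t:Interval", NS)   # periodic re-run, e.g. PT1M
    actions = [{"command": ex.findtext("t:Command", default="", namespaces=NS).strip(),
                "arguments": ex.findtext("t:Arguments", default="", namespaces=NS).strip()}
               for ex in root.iterfind("t:Actions/t:Exec", NS)]
    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS),
        "triggers": trigger_types,
        "repetition_interval": None if repetition is None else repetition.text,
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS),
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip().lower() == "true",
        "actions": actions,
    }


def assess_task(task: dict, task_name: str) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for action in task["actions"]:
        if USER_WRITABLE.search(action["command"]):
            findings.append(f"action runs from a user-writable path: {action['command']}")
    if task["hidden"]:
        findings.append("task is marked <Hidden>, so it is absent from the default Task Scheduler view")
    if set(task["triggers"]) & PERSISTENCE_TRIGGERS:
        findings.append("fires at logon/boot/registration, i.e. it is a persistence mechanism")
    if task["repetition_interval"]:
        findings.append(f"re-runs every {task['repetition_interval']} (ISO 8601 duration)")
    if task_name.lower().startswith("updates\\") and not task["author"]:
        findings.append("lives in a generic 'Updates' folder with no author recorded")
    return findings


# Constructed sample definition. This is NOT the dropped tmp20D5.tmp (the report does not show it);
# it assumes the task launches the dropped C:\Users\user\AppData\Roaming\bLtzKqfzc.exe at logon.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author></Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\bLtzKqfzc.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    task = parse_task_xml(SAMPLE_TASK_XML)
    for line in assess_task(task, r"Updates\bLtzKqfzc"):
        print("-", line)
```

On a live host the same definitions are readable as files under C:\Windows\System32\Tasks\ (one XML per task, folder names matching the /TN path), so the parser can be pointed at that tree to sweep every registered task rather than only the dropped temp file.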

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | File opened: C:\Users\user\Desktop\TR0398734893 50601251.exe:Zone.Identifier (access: read attributes | delete)
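The entry above records the sample opening its own file's Zone.Identifier alternate data stream with read-attributes and delete access, the access pattern of a DeleteFile call on the stream: it removes the Mark-of-the-Web that browsers and mail clients attach to downloaded files, so later copies of the binary no longer trigger SmartScreen or the "downloaded from the Internet" prompt. Legitimate removals come from a small set of processes (Explorer's Unblock button, browsers rewriting the stream), so an arbitrary process deleting the stream on its own image is a strong signal. The script below is an added detection example, not code from the report: it runs over Procmon-style CSV rows and flags non-allow-listed processes that open a :Zone.Identifier stream with Delete access or mark it for deletion. The rows are constructed to mirror the finding (PIDs, timestamps and the benign rows are invented) and the allow-list is an assumption to tune per environment.

```python
import csv
import io

ADS_SUFFIX = ":Zone.Identifier"
# Processes that legitimately create or remove Mark-of-the-Web streams (assumption: tune for your estate).
MOTW_ALLOWLIST = {"explorer.exe", "msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"}

# Constructed sample rows in Procmon CSV export layout. The first two mirror the finding above; none of
# the rows is taken from the report (PIDs, timestamps and the benign activity are invented).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:14:02.1","TR0398734893 50601251.exe","4812","CreateFile","C:\\Users\\user\\Desktop\\TR0398734893 50601251.exe:Zone.Identifier","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Open Reparse Point, Non-Directory File"
"10:14:02.1","TR0398734893 50601251.exe","4812","SetDispositionInformationFile","C:\\Users\\user\\Desktop\\TR0398734893 50601251.exe:Zone.Identifier","SUCCESS","Delete: True"
"10:14:05.7","explorer.exe","4120","CreateFile","C:\\Users\\user\\Downloads\\invoice.pdf:Zone.Identifier","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open"
"10:14:06.0","msedge.exe","5008","CreateFile","C:\\Users\\user\\Downloads\\setup.exe:Zone.Identifier","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:14:09.3","notepad.exe","7012","CreateFile","C:\\Users\\user\\Documents\\notes.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open"
'''


def parse_desired_access(detail: str) -> set:
    """Return the lower-cased access rights from a Procmon 'Desired Access: ...' detail string."""
    if "Desired Access:" not in detail:
        return set()
    rights = detail.split("Desired Access:", 1)[1].split(", Disposition:", 1)[0]
    return {r.strip().lower() for r in rights.split(",") if r.strip()}


def find_motw_removals(csv_text: str) -> list:
    """Flag Zone.Identifier streams opened for deletion, or marked for deletion, by non-allow-listed processes."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path, proc, op, detail = row["Path"], row["Process Name"], row["Operation"], row["Detail"]
        if not path.lower().endswith(ADS_SUFFIX.lower()) or proc.lower() in MOTW_ALLOWLIST:
            continue
        deleting = (op == "CreateFile" and "delete" in parse_desired_access(detail)) or (
            op == "SetDispositionInformationFile" and "Delete: True" in detail)
        if not deleting:
            continue
        target = path[: -len(ADS_SUFFIX)]                  # the file whose mark is being removed
        hits.append({
            "time": row["Time of Day"], "process": proc, "pid": int(row["PID"]),
            "operation": op, "file": target,
            # A process stripping the mark from its own image is the pattern recorded in this report.
            "self_delete": target.lower().endswith("\\" + proc.lower()),
        })
    return hits


if __name__ == "__main__":
    for hit in find_motw_removals(SAMPLE_CSV):
        flag = "SELF" if hit["self_delete"] else "other"
        print(f"{hit['time']} {hit['process']}[{hit['pid']}] {hit['operation']:<30} {flag:<5} {hit['file']}")
```

The same logic ports to any EDR telemetry that exposes the requested access mask of a file open; what matters is keying on the stream name plus the DELETE right, because a plain read of Zone.Identifier is routine and generates far too much noise to alert on.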
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process information set: NOOPENFILEERRORBOX (identical entry reported 45 times for this process)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical entry reported at least 102 times for this process)
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match | File source: 19.2.TR0398734893 50601251.exe.2e0c068.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.TR0398734893 50601251.exe.2dec068.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 23.2.dhcpmon.exe.2bbc160.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 22.2.dhcpmon.exe.2cfc160.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000016.00000002.330253981.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 3516, type: MEMORYSTR
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: TR0398734893 50601251.exe, 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, TR0398734893 50601251.exe, 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000002.330253981.0000000002CD1000.00000004.00000001.sdmp, dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: TR0398734893 50601251.exe, 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, TR0398734893 50601251.exe, 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp, dhcpmon.exe, 00000016.00000002.330253981.0000000002CD1000.00000004.00000001.sdmp, dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe TID: 6672 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7152 | Thread sleep time: -9223372036854770s >= -30000s
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe TID: 6796 | Thread sleep time: -17524406870024063s >= -30000s
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe TID: 6704 | Thread sleep time: -36505s >= -30000s
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe TID: 6640 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe TID: 4256 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6836 | Thread sleep time: -32781s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6920 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4916 | Thread sleep time: -36741s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6728 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6481
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2089
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Window / User API: threadDelayed 6181
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Window / User API: threadDelayed 3148
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Window / User API: foregroundWindowGot 745
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Thread delayed: delay time: 36505
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 32781
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 36741
      Source: dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
      Source: dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: TR0398734893 50601251.exe, 00000009.00000003.366346725.0000000001405000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Memory written: C:\Users\user\Desktop\TR0398734893 50601251.exe base: 400000 value starts with: 4D5A
      Adds a directory exclusion to Windows Defender
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmpJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeProcess created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exeJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmpJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmpJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exeJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmpC245.tmpJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeProcess created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exeJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeProcess created: C:\Users\user\Desktop\TR0398734893 50601251.exe C:\Users\user\Desktop\TR0398734893 50601251.exeJump to behavior
      Source: TR0398734893 50601251.exe, 00000009.00000002.526890507.0000000003502000.00000004.00000001.sdmpBinary or memory string: Program ManagerHaql
      Source: TR0398734893 50601251.exe, 00000009.00000002.524635312.0000000001B80000.00000002.00020000.sdmpBinary or memory string: uProgram Manager
      Source: TR0398734893 50601251.exe, 00000009.00000002.526990999.00000000035E6000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: TR0398734893 50601251.exe, 00000009.00000002.524635312.0000000001B80000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: TR0398734893 50601251.exe, 00000009.00000002.524635312.0000000001B80000.00000002.00020000.sdmpBinary or memory string: Progman
      Source: TR0398734893 50601251.exe, 00000009.00000002.526377056.000000000323C000.00000004.00000001.sdmpBinary or memory string: Program Managerx
      Source: TR0398734893 50601251.exe, 00000009.00000002.524635312.0000000001B80000.00000002.00020000.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Users\user\Desktop\TR0398734893 50601251.exe VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exeQueries volume information: C:\Users\user\Desktop\TR0398734893 50601251.exe VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Users\user\Desktop\TR0398734893 50601251.exe VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\TR0398734893 50601251.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.5b94629.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.5b90000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.0.TR0398734893 50601251.exe.400000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 19.2.TR0398734893 50601251.exe.3f649b0.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.4134c35.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.TR0398734893 50601251.exe.3f449b0.3.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.TR0398734893 50601251.exe.3f449b0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.413060c.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.0.TR0398734893 50601251.exe.400000.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.0.TR0398734893 50601251.exe.400000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.412b7d6.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.0.TR0398734893 50601251.exe.400000.12.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.0.TR0398734893 50601251.exe.400000.10.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.413060c.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 9.2.TR0398734893 50601251.exe.5b90000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 19.2.TR0398734893 50601251.exe.3f649b0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 1.2.TR0398734893 50601251.exe.3ea85a8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 19.2.TR0398734893 50601251.exe.3ec85a8.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0000001E.00000000.375316696.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000002.396532609.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000000.376626141.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000002.398359301.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000000.375992266.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000002.398482997.0000000003BD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 0000001E.00000000.377920267.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: TR0398734893 50601251.exe PID: 6612, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: TR0398734893 50601251.exe PID: 4260, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: TR0398734893 50601251.exe PID: 6488, type: MEMORYSTR

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: TR0398734893 50601251.exe, 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: TR0398734893 50601251.exe, 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: TR0398734893 50601251.exe, 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: TR0398734893 50601251.exe, 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT (same Yara match sources as listed under Stealing of Sensitive Information above)

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Process Injection 1 1 2 | Masquerading 2 | Input Capture 2 1 | Security Software Discovery 2 1 | Remote Services | Input Capture 2 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Disable or Modify Tools 1 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 1 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 2 1 | Security Account Manager | Virtualization/Sandbox Evasion 2 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 1 2 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | System Information Discovery 1 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 1 3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

      Behavior Graph ID: 526553 | Sample: TR0398734893 50601251.exe | Start date: 22/11/2021 | Architecture: WINDOWS | Score: 100

      Network nodes: 192.168.2.1 (unknown, unknown); 9292.freemyip.com

      Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 13 other signatures

      Process tree (node numbers as in the graph):
      Start
        TR0398734893 50601251.exe (9) started
          dropped: C:\Users\user\AppData\Roaming\bLtzKqfzc.exe (PE32); C:\Users\...\bLtzKqfzc.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp20D5.tmp (XML); C:\Users\...\TR0398734893 50601251.exe.log (ASCII)
          signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
          TR0398734893 50601251.exe (19) started
            network: 9292.freemyip.com 185.140.53.131, ports 49762, 49763, 49765, DAVID_CRAIGGG, Sweden
            dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
            signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
            schtasks.exe (28) started
              conhost.exe (36) started
            schtasks.exe (30) started
              conhost.exe (38) started
          powershell.exe (24) started
            conhost.exe (32) started
          schtasks.exe (26) started
            conhost.exe (34) started
        TR0398734893 50601251.exe (13) started
        dhcpmon.exe (15) started
        dhcpmon.exe (17) started


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      TR0398734893 50601251.exe | 28% | Virustotal |
      TR0398734893 50601251.exe | 24% | ReversingLabs | Win32.Trojan.AgentTesla
      TR0398734893 50601251.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Roaming\bLtzKqfzc.exe | 100% | Joe Sandbox ML |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 28% | Virustotal |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 24% | ReversingLabs | Win32.Trojan.AgentTesla
      C:\Users\user\AppData\Roaming\bLtzKqfzc.exe | 28% | Virustotal |
      C:\Users\user\AppData\Roaming\bLtzKqfzc.exe | 24% | ReversingLabs | Win32.Trojan.AgentTesla

      Unpacked PE Files

      Source | Detection | Scanner | Label
      9.0.TR0398734893 50601251.exe.400000.6.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      9.2.TR0398734893 50601251.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      9.2.TR0398734893 50601251.exe.5b90000.8.unpack | 100% | Avira | TR/NanoCore.fadte
      9.0.TR0398734893 50601251.exe.400000.8.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      9.0.TR0398734893 50601251.exe.400000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      9.0.TR0398734893 50601251.exe.400000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      9.0.TR0398734893 50601251.exe.400000.10.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
      http://www.tiro.com | 0% | URL Reputation | safe
      http://www.goodfont.co.kr | 0% | URL Reputation | safe
      http://www.fontbureau.coma | 0% | URL Reputation | safe
      http://www.founder.cV | 0% | Avira URL Cloud | safe
      http://www.carterandcone.coml | 0% | URL Reputation | safe
      http://www.sajatypeworks.com | 0% | URL Reputation | safe
      http://www.typography.netD | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
      http://fontfabrik.com | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
      http://www.fontbureau.comB.TTF | 0% | URL Reputation | safe
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn5 | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
      http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
      http://www.sandoll.co.kr | 0% | URL Reputation | safe
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
      http://www.chinhdo.com | 0% | URL Reputation | safe
      http://www.sakkal.com | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      9292.freemyip.com | 185.140.53.131 | true | false | | high

        URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.apache.org/licenses/LICENSE-2.0 | TR0398734893 50601251.exe, 00000001.00000003.255583071.0000000005D74000.00000004.00000001.sdmp | false | | high
      http://www.fontbureau.com | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
      http://www.fontbureau.com/designersG | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
      http://www.galapagosdesign.com/ | TR0398734893 50601251.exe, 00000001.00000003.262739726.0000000005DAD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers/? | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
      http://www.founder.com.cn/cn/bThe | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers? | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
      http://www.tiro.com | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
      http://www.goodfont.co.kr | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.coma | TR0398734893 50601251.exe, 00000001.00000003.296027500.0000000005D70000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.founder.cV | TR0398734893 50601251.exe, 00000001.00000003.255015833.0000000005DAD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.carterandcone.coml | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.sajatypeworks.com | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.typography.netD | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers/cabarga.htmlN | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
      http://www.founder.com.cn/cn/cThe | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.galapagosdesign.com/staff/dennis.htm | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://fontfabrik.com | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.founder.com.cn/cn | TR0398734893 50601251.exe, 00000001.00000003.254947421.0000000005DAD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers/frere-jones.html | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
      http://www.fontbureau.comB.TTF | TR0398734893 50601251.exe, 00000001.00000003.296027500.0000000005D70000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.jiyu-kobo.co.jp/ | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.founder.com.cn/cn5 | TR0398734893 50601251.exe, 00000001.00000003.254884642.0000000005DAD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.galapagosdesign.com/DPlease | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers8 | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | | high
      http://www.ascendercorp.com/typedesigners.html | TR0398734893 50601251.exe, 00000001.00000003.258189413.0000000005D78000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fonts.com | TR0398734893 50601251.exe, 00000001.00000003.252766319.0000000005D8B000.00000004.00000001.sdmp | false | | high
      http://www.sandoll.co.kr | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.urwpp.deDPlease | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.zhongyicts.com.cn | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.chinhdo.com | dhcpmon.exe, 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TR0398734893 50601251.exe, 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp; TR0398734893 50601251.exe, 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp | false | | high
      http://www.sakkal.com | TR0398734893 50601251.exe, 00000001.00000002.303154380.0000000006F82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                              Contacted IPs


                              Public

                               IP:185.140.53.131
                               Domain:9292.freemyip.com
                               Country:Sweden
                               ASN:209623
                               ASN Name:DAVID_CRAIGGG
                               Malicious:false

                              Private

                              IP
                              192.168.2.1

                              General Information

                              Joe Sandbox Version:34.0.0 Boulder Opal
                              Analysis ID:526553
                              Start date:22.11.2021
                              Start time:18:41:25
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 14m 25s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Sample file name:TR0398734893 50601251.exe
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                               Number of new started processes analysed:39
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@28/16@12/2
                              EGA Information:Failed
                              HDC Information:Failed
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 126
                              • Number of non-executed functions: 5
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .exe
                              Warnings:
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                               • Not all processes were analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                               Time      Type             Description
                               18:42:30  API Interceptor  807x Sleep call for process: TR0398734893 50601251.exe modified
                               18:42:38  API Interceptor  59x Sleep call for process: powershell.exe modified
                               18:42:49  Task Scheduler   Run new task: DHCP Monitor path: "C:\Users\user\Desktop\TR0398734893 50601251.exe" s>$(Arg0)
                               18:42:50  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                               18:42:52  Task Scheduler   Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                               18:42:55  API Interceptor  2x Sleep call for process: dhcpmon.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASN

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):693760
                              Entropy (8bit):7.310160824686315
                              Encrypted:false
                              SSDEEP:12288:BmsTtD00GPFzPtmeQzDYoO863iRWl91tMgTq:BmsTC0GNJmeQfYT3iRWf1yYq
                              MD5:F245CB3E4ECC54A0883371B525EB0BB1
                              SHA1:71FF34129913AC8A924A28C7523885F11CA44A1C
                              SHA-256:8371DAEC5ED076CAA1CFDAC1CE0AB350744DE7D71108AE5EFDA80E4C54AB1D0E
                              SHA-512:EDC01E12E62A2A127209E22D86BA647BEC26726CAF0C19ECF8F72C8D02277A6DF5FCA94E98C86377DCAC2C0C0A020F62FA59983AB959373E1F10D0F0C0A200B9
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                               • Antivirus: Virustotal, Detection: 28%
                              • Antivirus: ReversingLabs, Detection: 24%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...OG.a..............0.............>0... ...@....@.. ....................................@................................../..O....@............................................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc..............................@..B................ 0......H.......xj..LG......k......(~..........................................b..}......}......(,.....*r..}......}.....r...p(,.....**...(3....*...|7...%(.....{....X(......|7...%(.....{....X(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*....0..A..........B...%...%...%...%..........%.r...p.%.rM..p.%.r[..p.(......+..*^..}.....(.......(.....*....0..,.......
                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:unknown
                              Preview: [ZoneTransfer]....ZoneId=0
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TR0398734893 50601251.exe.log
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):1310
                              Entropy (8bit):5.345651901398759
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                              MD5:D918C6A765EDB90D2A227FE23A3FEC98
                              SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                              SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                              SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                              Malicious:true
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1310
                              Entropy (8bit):5.345651901398759
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
                              MD5:D918C6A765EDB90D2A227FE23A3FEC98
                              SHA1:8BA802AD8D740F114783F0DADC407CBFD2A209B3
                              SHA-256:AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
                              SHA-512:A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
                              Malicious:false
                              Reputation:unknown
                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):22268
                              Entropy (8bit):5.6039199473406995
                              Encrypted:false
                              SSDEEP:384:zhtCDURZHX89PGKpCRYSBKn0jultI2DpaeQ99gtfpSx+T1MarZlbAV7KWD25ZBDW:zD8dGyL4K0CltZFat8tVCSfw0VW
                              MD5:A8FC0D308EE9DAC3FC72B4F6BE60F60B
                              SHA1:4EF8A31D28B4ABFA7E6F55A5E18F3C70B7E7FAE1
                              SHA-256:C27116B6EAA7BD5DE8C8F226ED3D02913665E57E3EFE47E571C3DA363FD9381F
                              SHA-512:387539BA110D128DCE17A9E97027F560A2ABD2DE1863D7DB4574A81D75E26FA58C0FAC187D4FA169464D65902AD66041FDB5F7B5001D5B63F7E2849E18F591B7
                              Malicious:false
                              Reputation:unknown
                              Preview: @...e...........v.........C.Q.=.=...T...,.r..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gkkyk2a.4bc.psm1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sq4dvbwi.034.ps1
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:very short file (no magic)
                              Category:dropped
                              Size (bytes):1
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:3:U:U
                              MD5:C4CA4238A0B923820DCC509A6F75849B
                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                              Malicious:false
                              Reputation:unknown
                              Preview: 1
                              C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1612
                              Entropy (8bit):5.138222953452563
                              Encrypted:false
                              SSDEEP:24:2di4+S2qh/dp1Kd+y1modHUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtCxvn:cgeHMYrFdOFzOzN33ODOiDdKrsuTGv
                              MD5:D0F8ABDCF7855BE5F44D41001BC8B4B9
                              SHA1:F0491430B13410A02307F0F7BBC8801E10569759
                              SHA-256:A534BD817D80EF08E0134EB64A31FCFC730E9A8856B813F9736A1AFD4A65EC5E
                              SHA-512:D0E18C0D5D548627F72C5F7CF8F91FD4D5A3EAAF8C14D435A0BA767BB061D77472F710CEB5E85593C55C9D0656025A34FF21AD02C26BD8628ED08F39AFD0177F
                              Malicious:true
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvai
                              C:\Users\user\AppData\Local\Temp\tmp85D3.tmp
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1315
                              Entropy (8bit):5.15107733589013
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK09r9xtn:cbk4oL600QydbQxIYODOLedq329j
                              MD5:475679C76B7A902D42BD17BF990EF85B
                              SHA1:30D575A6ABB5C510673E64B023D421106BBFA8B0
                              SHA-256:A47745504B38190742287EB75F6498FF062CC4FF37B133F5D4357D98CF9B68E8
                              SHA-512:AEE89FE7DD3B6F536DF7D06927481BCA118E542B735E72524540588C57A00152D7867B4B8DE673FB429562E0A9F764781A45FE21A0D9439FD13EA6DF0181B868
                              Malicious:false
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                              C:\Users\user\AppData\Local\Temp\tmp8F69.tmp
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):1310
                              Entropy (8bit):5.109425792877704
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                              Malicious:false
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                              C:\Users\user\AppData\Local\Temp\tmpC245.tmp
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1612
                              Entropy (8bit):5.138222953452563
                              Encrypted:false
                              SSDEEP:24:2di4+S2qh/dp1Kd+y1modHUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtCxvn:cgeHMYrFdOFzOzN33ODOiDdKrsuTGv
                              MD5:D0F8ABDCF7855BE5F44D41001BC8B4B9
                              SHA1:F0491430B13410A02307F0F7BBC8801E10569759
                              SHA-256:A534BD817D80EF08E0134EB64A31FCFC730E9A8856B813F9736A1AFD4A65EC5E
                              SHA-512:D0E18C0D5D548627F72C5F7CF8F91FD4D5A3EAAF8C14D435A0BA767BB061D77472F710CEB5E85593C55C9D0656025A34FF21AD02C26BD8628ED08F39AFD0177F
                              Malicious:false
                              Reputation:unknown
                              Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvai
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:ISO-8859 text, with no line terminators
                              Category:dropped
                              Size (bytes):8
                              Entropy (8bit):3.0
                              Encrypted:false
                              SSDEEP:3:1G8:b
                              MD5:F194EBA2A5B030A89E0924B2723CFFF3
                              SHA1:D3770575989A6A60508D6C459BB7613885AAD7AA
                              SHA-256:5D3911ED91DB035F88564D64E1ACD3253D8EDABC0EFB50B83A13BFBBB8F84B46
                              SHA-512:790DEDC3AD650CE7EAFEBF38E78A27E37F2821EC416D892BE4AE163309BA348ABF36FE732456FAC8E32DAFCCAA6E88FF077CA8B4038A71B7D08B98181CD35390
                              Malicious:true
                              Reputation:unknown
                              Preview: .#..*..H
                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):52
                              Entropy (8bit):4.678912497395635
                              Encrypted:false
                              SSDEEP:3:oN0naRRx3VMW7n6Gn:oNcSRTX76G
                              MD5:6D23CA5B932A39B404EAABECC2D3282E
                              SHA1:C403AB90DD6ACEF2299F0B1CC626A8E16793D11C
                              SHA-256:3CA34E26F5DB3A21563A5CE3FFA753ECFF055E9CF0759AC815CA01EDD2954561
                              SHA-512:CD10A79389291E31A57C0EC68848E44E0766DFE679C5E86FDEC4C85973C2B4F4E1661B1A82FC0970D19A196B2D5DE59C27ACB69542463CF984FAD6C3C8D4A388
                              Malicious:false
                              Reputation:unknown
                              Preview: C:\Users\user\Desktop\TR0398734893 50601251.exe
                              C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):693760
                              Entropy (8bit):7.310160824686315
                              Encrypted:false
                              SSDEEP:12288:BmsTtD00GPFzPtmeQzDYoO863iRWl91tMgTq:BmsTC0GNJmeQfYT3iRWf1yYq
                              MD5:F245CB3E4ECC54A0883371B525EB0BB1
                              SHA1:71FF34129913AC8A924A28C7523885F11CA44A1C
                              SHA-256:8371DAEC5ED076CAA1CFDAC1CE0AB350744DE7D71108AE5EFDA80E4C54AB1D0E
                              SHA-512:EDC01E12E62A2A127209E22D86BA647BEC26726CAF0C19ECF8F72C8D02277A6DF5FCA94E98C86377DCAC2C0C0A020F62FA59983AB959373E1F10D0F0C0A200B9
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                               • Antivirus: Virustotal, Detection: 28%
                              • Antivirus: ReversingLabs, Detection: 24%
                              Reputation:unknown
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...OG.a..............0.............>0... ...@....@.. ....................................@................................../..O....@............................................................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc..............................@..B................ 0......H.......xj..LG......k......(~..........................................b..}......}......(,.....*r..}......}.....r...p(,.....**...(3....*...|7...%(.....{....X(......|7...%(.....{....X(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*...|7...%(......{....ZX(......|7...%(......{....ZX(.....*....0..A..........B...%...%...%...%..........%.r...p.%.rM..p.%.r[..p.(......+..*^..}.....(.......(.....*....0..,.......
                              C:\Users\user\AppData\Roaming\bLtzKqfzc.exe:Zone.Identifier
                              Process:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Reputation:unknown
                              Preview: [ZoneTransfer]....ZoneId=0
                              C:\Users\user\Documents\20211122\PowerShell_transcript.226533.DYqwUES1.20211122184236.txt
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):5825
                              Entropy (8bit):5.396902799265613
                              Encrypted:false
                              SSDEEP:96:BZi6/NaqDo1ZJZv6/NaqDo1ZEaMyjZK6/NaqDo1Z1TCC5Ze:8
                              MD5:F33207262F5C04CE12B6D75FF00124B7
                              SHA1:57097622FABDFC7810D70F2868496E62C9386306
                              SHA-256:C3995E9A0E243E0D6E579B1BAC4421A37E1900DC57B31A9FEA2B4577CC0380F4
                              SHA-512:F915154122F5E6653F4167A9E35E3727F1F3ACA24580319DF83A14998A490828532D28EE445E1ED5E7136BA221419F61F2C1FF6B90ADB066E227D968BA6CE38C
                              Malicious:false
                              Reputation:unknown
                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20211122184238..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 226533 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\bLtzKqfzc.exe..Process ID: 6952..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211122184238..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\bLtzKqfzc.exe..**********************..Windows PowerShell transcript start..Start time: 20211122184550..Username: computer\user..RunAs User: DE

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.310160824686315
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:TR0398734893 50601251.exe
                              File size:693760
                              MD5:f245cb3e4ecc54a0883371b525eb0bb1
                              SHA1:71ff34129913ac8a924a28c7523885f11ca44a1c
                              SHA256:8371daec5ed076caa1cfdac1ce0ab350744de7d71108ae5efda80e4c54ab1d0e
                              SHA512:edc01e12e62a2a127209e22d86ba647bec26726caf0c19ecf8f72c8d02277a6df5fca94e98c86377dcac2c0c0a020f62fa59983ab959373e1f10d0f0c0a200b9
                              SSDEEP:12288:BmsTtD00GPFzPtmeQzDYoO863iRWl91tMgTq:BmsTC0GNJmeQfYT3iRWf1yYq
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...OG.a..............0.............>0... ...@....@.. ....................................@................................

                              File Icon

                              Icon Hash:d4d4d4d4d4c4d4d4

                              Static PE Info

                              General

                              Entrypoint:0x48303e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x619B474F [Mon Nov 22 07:31:27 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:v4.0.30319
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]
                              aas
                              add byte ptr [eax], al
                              add byte ptr [esi], cl
                              add byte ptr [eax], al
                              add byte ptr [edx+08h], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al

                              Data Directories

                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x82fec | 0x4f | .text
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x27fe8 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x2000 | 0x81054 | 0x81200 | False | 0.846968023959 | data | 7.71324859014 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                               .rsrc | 0x84000 | 0x27fe8 | 0x28000 | False | 0.066162109375 | data | 4.88686576028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .reloc | 0xac000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                               Name | RVA | Size | Type | Language | Country
                               RT_ICON | 0x84280 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                               RT_ICON | 0x94aa8 | 0x94a8 | data | |
                               RT_ICON | 0x9df50 | 0x5488 | data | |
                               RT_ICON | 0xa33d8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 255, next used block 4278190080 | |
                               RT_ICON | 0xa7600 | 0x25a8 | data | |
                               RT_ICON | 0xa9ba8 | 0x10a8 | data | |
                               RT_ICON | 0xaac50 | 0x988 | data | |
                               RT_ICON | 0xab5d8 | 0x468 | GLS_BINARY_LSB_FIRST | |
                               RT_GROUP_ICON | 0xaba40 | 0x76 | data | |
                               RT_VERSION | 0xabab8 | 0x344 | data | |
                               RT_MANIFEST | 0xabdfc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                              Imports

                               DLL | Import
                               mscoree.dll | _CorExeMain

                              Version Infos

                               Description | Data
                               Translation | 0x0000 0x04b0
                               LegalCopyright | Copyright 2018
                               Assembly Version | 1.0.0.0
                               InternalName | ScopeTr.exe
                               FileVersion | 1.0.0.0
                               CompanyName |
                               LegalTrademarks |
                               Comments |
                               ProductName | PortalOverlapDetector
                               ProductVersion | 1.0.0.0
                               FileDescription | PortalOverlapDetector
                               OriginalFilename | ScopeTr.exe

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Nov 22, 2021 18:42:56.264987946 CET | 49762 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:42:56.289038897 CET | 9292 | 49762 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:42:56.952244043 CET | 49762 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:42:56.976357937 CET | 9292 | 49762 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:42:57.561363935 CET | 49762 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:42:57.585977077 CET | 9292 | 49762 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:02.951915979 CET | 49763 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:02.977057934 CET | 9292 | 49763 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:03.561923027 CET | 49763 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:03.588546991 CET | 9292 | 49763 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:04.265078068 CET | 49763 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:04.292613983 CET | 9292 | 49763 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:09.275240898 CET | 49765 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:09.299293995 CET | 9292 | 49765 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:09.812411070 CET | 49765 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:09.836608887 CET | 9292 | 49765 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:10.343769073 CET | 49765 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:10.368030071 CET | 9292 | 49765 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:14.384462118 CET | 49769 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:14.409018040 CET | 9292 | 49769 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:14.969136953 CET | 49769 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:14.993705034 CET | 9292 | 49769 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:15.578519106 CET | 49769 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:15.603188038 CET | 9292 | 49769 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:19.625451088 CET | 49771 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:19.649784088 CET | 9292 | 49771 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:20.235312939 CET | 49771 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:20.259782076 CET | 9292 | 49771 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:20.829252958 CET | 49771 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:20.853341103 CET | 9292 | 49771 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:24.862373114 CET | 49774 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:24.886487961 CET | 9292 | 49774 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:25.438829899 CET | 49774 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:25.468293905 CET | 9292 | 49774 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:26.032625914 CET | 49774 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:26.056696892 CET | 9292 | 49774 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:31.006181955 CET | 49781 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:31.030275106 CET | 9292 | 49781 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:31.533024073 CET | 49781 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:31.557014942 CET | 9292 | 49781 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:32.064357042 CET | 49781 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:32.088397980 CET | 9292 | 49781 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:37.566045046 CET | 49783 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:37.590603113 CET | 9292 | 49783 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:38.158592939 CET | 49783 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:38.183608055 CET | 9292 | 49783 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:38.861836910 CET | 49783 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:38.886480093 CET | 9292 | 49783 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:43.287142038 CET | 49790 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:43.313277960 CET | 9292 | 49790 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:43.909112930 CET | 49790 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:43.932987928 CET | 9292 | 49790 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:44.612274885 CET | 49790 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:44.636317968 CET | 9292 | 49790 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:48.645354033 CET | 49814 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:48.669897079 CET | 9292 | 49814 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:49.362699032 CET | 49814 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:49.387068987 CET | 9292 | 49814 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:49.956582069 CET | 49814 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:49.981035948 CET | 9292 | 49814 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:54.008384943 CET | 49825 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:54.032459974 CET | 9292 | 49825 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:54.535037994 CET | 49825 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:54.559367895 CET | 9292 | 49825 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:55.066251993 CET | 49825 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:55.090214968 CET | 9292 | 49825 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:59.099176884 CET | 49827 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:59.123878002 CET | 9292 | 49827 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:43:59.629189014 CET | 49827 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:43:59.655045033 CET | 9292 | 49827 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:00.160480022 CET | 49827 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:00.184974909 CET | 9292 | 49827 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:04.983974934 CET | 49829 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:05.008469105 CET | 9292 | 49829 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:05.520273924 CET | 49829 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:05.544728994 CET | 9292 | 49829 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:06.067190886 CET | 49829 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:06.091680050 CET | 9292 | 49829 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:10.940007925 CET | 49839 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:10.964031935 CET | 9292 | 49839 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:11.473891973 CET | 49839 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:11.497879982 CET | 9292 | 49839 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:12.005242109 CET | 49839 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:12.029294968 CET | 9292 | 49839 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:16.435203075 CET | 49853 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:16.459328890 CET | 9292 | 49853 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:16.974375010 CET | 49853 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:17.000811100 CET | 9292 | 49853 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:17.505692959 CET | 49853 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:17.530899048 CET | 9292 | 49853 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:21.539437056 CET | 49857 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:21.563847065 CET | 9292 | 49857 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:22.068577051 CET | 49857 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:22.093142986 CET | 9292 | 49857 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:22.601186991 CET | 49857 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:22.629250050 CET | 9292 | 49857 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:26.648516893 CET | 49859 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:26.672760963 CET | 9292 | 49859 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:27.178472042 CET | 49859 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:27.203597069 CET | 9292 | 49859 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:27.709687948 CET | 49859 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:27.734880924 CET | 9292 | 49859 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:31.742029905 CET | 49860 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:31.766318083 CET | 9292 | 49860 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:32.272540092 CET | 49860 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:32.297055960 CET | 9292 | 49860 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:32.803874016 CET | 49860 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:32.828074932 CET | 9292 | 49860 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:37.027096033 CET | 49861 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:37.051549911 CET | 9292 | 49861 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:37.554352999 CET | 49861 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:37.578794003 CET | 9292 | 49861 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:38.085602045 CET | 49861 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:38.110135078 CET | 9292 | 49861 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:42.305854082 CET | 49862 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:42.330362082 CET | 9292 | 49862 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:42.836003065 CET | 49862 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:42.860768080 CET | 9292 | 49862 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:43.367348909 CET | 49862 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:43.391727924 CET | 9292 | 49862 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:47.421571970 CET | 49863 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:47.446093082 CET | 9292 | 49863 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:47.963629961 CET | 49863 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:47.987974882 CET | 9292 | 49863 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:48.503870010 CET | 49863 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:48.528572083 CET | 9292 | 49863 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:52.540401936 CET | 49864 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:52.565030098 CET | 9292 | 49864 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:53.079062939 CET | 49864 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:53.103787899 CET | 9292 | 49864 | 185.140.53.131 | 192.168.2.7
                               Nov 22, 2021 18:44:53.611963987 CET | 49864 | 9292 | 192.168.2.7 | 185.140.53.131
                               Nov 22, 2021 18:44:53.636528969 CET | 9292 | 49864 | 185.140.53.131 | 192.168.2.7

                              UDP Packets

                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Nov 22, 2021 18:42:56.064798117 CET | 59762 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:42:56.250201941 CET | 53 | 59762 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:43:02.829432011 CET | 54329 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:43:02.850032091 CET | 53 | 54329 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:43:09.085760117 CET | 58052 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:43:09.271630049 CET | 53 | 58052 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:43:30.819693089 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:43:31.003617048 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:43:37.544235945 CET | 54911 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:43:37.564265966 CET | 53 | 54911 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:43:43.264965057 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:43:43.284579992 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:44:04.800498962 CET | 49247 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:44:04.982683897 CET | 53 | 49247 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:44:10.916512966 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:44:10.935914040 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:44:16.413800001 CET | 56064 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:44:16.434004068 CET | 53 | 56064 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:44:36.836651087 CET | 61457 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:44:37.021974087 CET | 53 | 61457 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:44:42.118063927 CET | 58367 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:44:42.304447889 CET | 53 | 58367 | 8.8.8.8 | 192.168.2.7
                               Nov 22, 2021 18:44:47.401452065 CET | 60599 | 53 | 192.168.2.7 | 8.8.8.8
                               Nov 22, 2021 18:44:47.421081066 CET | 53 | 60599 | 8.8.8.8 | 192.168.2.7

                              DNS Queries

                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                               Nov 22, 2021 18:42:56.064798117 CET | 192.168.2.7 | 8.8.8.8 | 0x1739 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:43:02.829432011 CET | 192.168.2.7 | 8.8.8.8 | 0xdd3b | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:43:09.085760117 CET | 192.168.2.7 | 8.8.8.8 | 0x9f4b | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:43:30.819693089 CET | 192.168.2.7 | 8.8.8.8 | 0x825b | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:43:37.544235945 CET | 192.168.2.7 | 8.8.8.8 | 0xc074 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:43:43.264965057 CET | 192.168.2.7 | 8.8.8.8 | 0x41dd | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:04.800498962 CET | 192.168.2.7 | 8.8.8.8 | 0x2c58 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:10.916512966 CET | 192.168.2.7 | 8.8.8.8 | 0x3f66 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:16.413800001 CET | 192.168.2.7 | 8.8.8.8 | 0x9ff8 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:36.836651087 CET | 192.168.2.7 | 8.8.8.8 | 0xf7ea | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:42.118063927 CET | 192.168.2.7 | 8.8.8.8 | 0x4949 | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:47.401452065 CET | 192.168.2.7 | 8.8.8.8 | 0x20dd | Standard query (0) | 9292.freemyip.com | A (IP address) | IN (0x0001)

                              DNS Answers

                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                               Nov 22, 2021 18:42:56.250201941 CET | 8.8.8.8 | 192.168.2.7 | 0x1739 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:43:02.850032091 CET | 8.8.8.8 | 192.168.2.7 | 0xdd3b | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:43:09.271630049 CET | 8.8.8.8 | 192.168.2.7 | 0x9f4b | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:43:31.003617048 CET | 8.8.8.8 | 192.168.2.7 | 0x825b | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:43:37.564265966 CET | 8.8.8.8 | 192.168.2.7 | 0xc074 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:43:43.284579992 CET | 8.8.8.8 | 192.168.2.7 | 0x41dd | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:04.982683897 CET | 8.8.8.8 | 192.168.2.7 | 0x2c58 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:10.935914040 CET | 8.8.8.8 | 192.168.2.7 | 0x3f66 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:16.434004068 CET | 8.8.8.8 | 192.168.2.7 | 0x9ff8 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:37.021974087 CET | 8.8.8.8 | 192.168.2.7 | 0xf7ea | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:42.304447889 CET | 8.8.8.8 | 192.168.2.7 | 0x4949 | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)
                               Nov 22, 2021 18:44:47.421081066 CET | 8.8.8.8 | 192.168.2.7 | 0x20dd | No error (0) | 9292.freemyip.com | | 185.140.53.131 | A (IP address) | IN (0x0001)

                              Code Manipulations

                              Statistics

                              CPU Usage, Memory Usage, High Level Behavior Distribution and Behavior (interactive per-process charts, not reproduced in text)

                              System Behavior

                              General

                              Start time:18:42:23
                              Start date:22/11/2021
                              Path:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\TR0398734893 50601251.exe"
                              Imagebase:0xaa0000
                              File size:693760 bytes
                              MD5 hash:F245CB3E4ECC54A0883371B525EB0BB1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.300853554.0000000003DC9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.298209102.0000000002DC1000.00000004.00000001.sdmp, Author: Joe Security
                              Reputation:low

                              General

                              Start time:18:42:35
                              Start date:22/11/2021
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bLtzKqfzc.exe
                              Imagebase:0x1110000
                              File size:430592 bytes
                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:high

                              General

                              Start time:18:42:35
                              Start date:22/11/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff774ee0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:36
                              Start date:22/11/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bLtzKqfzc" /XML "C:\Users\user\AppData\Local\Temp\tmp20D5.tmp
                              Imagebase:0xb00000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:37
                              Start date:22/11/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff774ee0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:41
                              Start date:22/11/2021
                              Path:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              Imagebase:0xd80000
                              File size:693760 bytes
                              MD5 hash:F245CB3E4ECC54A0883371B525EB0BB1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.528150611.00000000057D0000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.292483199.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.294328099.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.293437788.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.525426883.00000000030E1000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.291833438.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.527129280.0000000004129000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.528651363.0000000005B90000.00000004.00020000.sdmp, Author: Joe Security
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.516249872.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              Reputation:low

                              General

                              Start time:18:42:48
                              Start date:22/11/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp85D3.tmp
                              Imagebase:0xb00000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:49
                              Start date:22/11/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff774ee0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:49
                              Start date:22/11/2021
                              Path:C:\Users\user\Desktop\TR0398734893 50601251.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\TR0398734893 50601251.exe" 0
                              Imagebase:0x770000
                              File size:693760 bytes
                              MD5 hash:F245CB3E4ECC54A0883371B525EB0BB1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, Author: Florian Roth
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.384186174.0000000003DE9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000013.00000002.382218948.0000000002DE1000.00000004.00000001.sdmp, Author: Joe Security
                              Reputation:low

                              General

                              Start time:18:42:50
                              Start date:22/11/2021
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8F69.tmp
                              Imagebase:0xb00000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:51
                              Start date:22/11/2021
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff774ee0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Start time:18:42:52
                              Start date:22/11/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                              Imagebase:0x830000
                              File size:693760 bytes
                              MD5 hash:F245CB3E4ECC54A0883371B525EB0BB1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000016.00000002.330253981.0000000002CD1000.00000004.00000001.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 28%, Virustotal, Browse
                              • Detection: 24%, ReversingLabs

                              General

                              Start time:18:42:59
                              Start date:22/11/2021
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                              Imagebase:0x750000
                              File size:693760 bytes
                              MD5 hash:F245CB3E4ECC54A0883371B525EB0BB1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000017.00000002.341866745.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security

                              Disassembly

                              Code Analysis


                                Executed Functions

                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0136D2F0
                                • GetCurrentThread.KERNEL32 ref: 0136D32D
                                • GetCurrentProcess.KERNEL32 ref: 0136D36A
                                • GetCurrentThreadId.KERNEL32 ref: 0136D3C3
                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0136D2F0
                                • GetCurrentThread.KERNEL32 ref: 0136D32D
                                • GetCurrentProcess.KERNEL32 ref: 0136D36A
                                • GetCurrentThreadId.KERNEL32 ref: 0136D3C3
                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07417DF8
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID: >
                                • API String ID: 3559483778-325317158
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07418226
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07418226
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0136B1DE
                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 01365421
                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 01365421
                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07417DF8
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetThreadContext.KERNELBASE(?,00000000), ref: 07417C4E
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: ContextThread
                                • String ID:
                                • API String ID: 1591575202-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07417ED8
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0

                                APIs
                                • SetThreadContext.KERNELBASE(?,00000000), ref: 07417C4E
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: ContextThread
                                • String ID:
                                • API String ID: 1591575202-0

                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07417ED8
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0136D947
                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0136D947
                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07417D16
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0

                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0136B259,00000800,00000000,00000000), ref: 0136B46A
                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07417D16
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0

                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0136B259,00000800,00000000,00000000), ref: 0136B46A
                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0

                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0

                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0136B1DE
                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0

                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 0741CB45
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0

                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 0741CB45
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0

                                Memory Dump Source
                                • Source File: 00000001.00000002.297625798.00000000012FD000.00000040.00000001.sdmp, Offset: 012FD000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Memory Dump Source
                                • Source File: 00000001.00000002.297683942.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Memory Dump Source
                                • Source File: 00000001.00000002.297683942.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Memory Dump Source
                                • Source File: 00000001.00000002.297625798.00000000012FD000.00000040.00000001.sdmp, Offset: 012FD000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Memory Dump Source
                                • Source File: 00000001.00000002.297683942.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Memory Dump Source
                                • Source File: 00000001.00000002.297683942.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Memory Dump Source
                                • Source File: 00000001.00000002.297625798.00000000012FD000.00000040.00000001.sdmp, Offset: 012FD000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Memory Dump Source
                                • Source File: 00000001.00000002.297625798.00000000012FD000.00000040.00000001.sdmp, Offset: 012FD000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Non-executed Functions

                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID: UUUU
                                • API String ID: 0-1798160573

                                Memory Dump Source
                                • Source File: 00000001.00000002.297825953.0000000001360000.00000040.00000001.sdmp, Offset: 01360000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Memory Dump Source
                                • Source File: 00000001.00000002.304036400.0000000007410000.00000040.00000001.sdmp, Offset: 07410000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                Executed Functions

                                Memory Dump Source
                                • Source File: 00000009.00000002.529228773.0000000006B00000.00000040.00000001.sdmp, Offset: 06B00000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:

                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 055D962E
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055DFD0A
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055DFD0A
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0

                                APIs
                                • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06B03738
                                Memory Dump Source
                                • Source File: 00000009.00000002.529228773.0000000006B00000.00000040.00000001.sdmp, Offset: 06B00000, based on PE: false
                                Similarity
                                • API ID: Query_
                                • String ID:
                                • API String ID: 428220571-0
                                • Opcode ID: 4cd4db9180edd1f8baa25d23e6ecbe84e34fa44db1e1697b50046ca35f8a7458
                                • Instruction ID: 5c648a7d857fdc1c50b2acceb89902236ad8620314cd5dd389d54cfede30318d
                                • Opcode Fuzzy Hash: 4cd4db9180edd1f8baa25d23e6ecbe84e34fa44db1e1697b50046ca35f8a7458
                                • Instruction Fuzzy Hash: 425124B1D042099FEB50CFA9C884ADDBFF5FF88304F24856AE814A7290DB749946CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06B03738
                                Memory Dump Source
                                • Source File: 00000009.00000002.529228773.0000000006B00000.00000040.00000001.sdmp, Offset: 06B00000, based on PE: false
                                Similarity
                                • API ID: Query_
                                • String ID:
                                • API String ID: 428220571-0
                                • Opcode ID: fb78965d3bc22a4c6b31588d1f819329581f4da5045fcd763166e212d2d7a45d
                                • Instruction ID: 611a7bbc6e1385a14fbf7f245899dfbcaae1d2f6036ebee342c3e985e10a34fc
                                • Opcode Fuzzy Hash: fb78965d3bc22a4c6b31588d1f819329581f4da5045fcd763166e212d2d7a45d
                                • Instruction Fuzzy Hash: 995103B1D042199FEB50CFA9C884ADDBFB5FF88304F24856AE814A7290DB749946CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06B03738
                                Memory Dump Source
                                • Source File: 00000009.00000002.529228773.0000000006B00000.00000040.00000001.sdmp, Offset: 06B00000, based on PE: false
                                Similarity
                                • API ID: Query_
                                • String ID:
                                • API String ID: 428220571-0
                                • Opcode ID: 4ca6e1687b5e7ec9e1fb058b02be68cbf720e931a5ec50a4b1b0cb8ca9443715
                                • Instruction ID: 78549362ab8a88a48e8a54eb97e80704e98b30e9c00ed2b8d51daeefb63e6186
                                • Opcode Fuzzy Hash: 4ca6e1687b5e7ec9e1fb058b02be68cbf720e931a5ec50a4b1b0cb8ca9443715
                                • Instruction Fuzzy Hash: E05123B1D042099FEB10CFA9C884ADDBFF5FF88304F24856AE814A7250DB749845CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 055DFD0A
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: 634f526313e73a26b6dac2d77301e8d73eff6773536b39d94ceadb949f46a4af
                                • Instruction ID: 2a5d97c984d802e4f17fa6d96789f6d8f2f35b91b9789277e2a3f3938e3a99da
                                • Opcode Fuzzy Hash: 634f526313e73a26b6dac2d77301e8d73eff6773536b39d94ceadb949f46a4af
                                • Instruction Fuzzy Hash: 7B51AFB1D04309EFDB14CF99C884ADEFBB5BF48314F25852AE819AB210D7759945CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 056846B1
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 9a04b3fcbb437644afdbcc001717e8a182ff5ffabea6aa5fc181ad41f0403666
                                • Instruction ID: f763f53c3cc5c26b5493b3704ddf33b526afcb71a00a6861480a48ef7fbec6ef
                                • Opcode Fuzzy Hash: 9a04b3fcbb437644afdbcc001717e8a182ff5ffabea6aa5fc181ad41f0403666
                                • Instruction Fuzzy Hash: D5411471C0061DCBDB20DFA5C884BDEBBF5BF89309F10856AD408AB251DB716946CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 056846B1
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 804f54ab922fb8e0bb3f23003caa8f1c6631258832569387a2d693ddefe01a3f
                                • Instruction ID: 68fc208da7e1408d7143360a64de26c09bbaa2d74d8ded41c781d5bd197a45da
                                • Opcode Fuzzy Hash: 804f54ab922fb8e0bb3f23003caa8f1c6631258832569387a2d693ddefe01a3f
                                • Instruction Fuzzy Hash: DA410270D00619CBDB20DFA9C884BDDBBF5BF49309F20856AD408AB250DB71A946CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05682531
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: 45342754c2f724f78a9ec326889dabd6e6ce7885ab4fdbcd899781e2c55fa66a
                                • Instruction ID: 673ca7fe09ce61c1ab3710f46edfddcdda47068c0de176cd893ed566caf26cc2
                                • Opcode Fuzzy Hash: 45342754c2f724f78a9ec326889dabd6e6ce7885ab4fdbcd899781e2c55fa66a
                                • Instruction Fuzzy Hash: 9E4146B8A00305CFCB10DF99C498AAABBF6FB88314F25C559D519AB321D774A845CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: CreateFromIconResource
                                • String ID:
                                • API String ID: 3668623891-0
                                • Opcode ID: 0dd82ba6460fdac643a0d1c0af03efc9ac2d4ba98d964ec5c77dc8b6eb258218
                                • Instruction ID: 790ea1af3976e6130c8a9298025a3012dca64051550cb6d24ca42b83e155ce97
                                • Opcode Fuzzy Hash: 0dd82ba6460fdac643a0d1c0af03efc9ac2d4ba98d964ec5c77dc8b6eb258218
                                • Instruction Fuzzy Hash: 0C318D71904349EFCB11DFA9D844AEEBFF8EF49310F14845AE954A7221C3359854DFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,017853E8,00000000,?), ref: 0568E73D
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: a49e4afea7991c7357f439e17c68e7ff65eb634a5920207d0f1c9a9f41d8dd29
                                • Instruction ID: 4007eab3d8ebf6b33eccc135acc87c129ec14d47fc2b7ee0face1b99155d0891
                                • Opcode Fuzzy Hash: a49e4afea7991c7357f439e17c68e7ff65eb634a5920207d0f1c9a9f41d8dd29
                                • Instruction Fuzzy Hash: 86216AB58043499FDB10DFA9D844BEEBFF8EB48324F14856AD464A7641C338A949CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,055DBCC6,?,?,?,?,?), ref: 055DBD87
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: e0587fd2e94cd9c5733465810a4e0e624241e394a39c015d2ed4b9d1ef3c301e
                                • Instruction ID: 6cc96e5be8fa653921e734f1baa2a916452868ef44f8e21a5f751a59b545b8e8
                                • Opcode Fuzzy Hash: e0587fd2e94cd9c5733465810a4e0e624241e394a39c015d2ed4b9d1ef3c301e
                                • Instruction Fuzzy Hash: 0C21C5B59002089FDB10DF99D884ADEBBF9FB48324F15841AE955A7210D378A954CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,055DBCC6,?,?,?,?,?), ref: 055DBD87
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: e9bb5ba1a48ac9f3d6e8d8ececcd310d1c2966d83341bd97f61206f71d6ee837
                                • Instruction ID: 2762314f97552e9745c255a023a706a778bf80317c0d76c827a9227c30b47da2
                                • Opcode Fuzzy Hash: e9bb5ba1a48ac9f3d6e8d8ececcd310d1c2966d83341bd97f61206f71d6ee837
                                • Instruction Fuzzy Hash: CB21E5B5900248DFDB10CFA9D584BEEFBF4FB48324F15841AE855A7210C379A955CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0568B8B2,?,?,?,?,?), ref: 0568B957
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: CreateFromIconResource
                                • String ID:
                                • API String ID: 3668623891-0
                                • Opcode ID: 48ef86441396a42fa299f151efb5cda0b005188c32a0b32fb4455aa0069b93ee
                                • Instruction ID: 12353c67dbd5c0f5c295099ba05fd4f62bbf403ac8932e5a797e3a3f836c4c94
                                • Opcode Fuzzy Hash: 48ef86441396a42fa299f151efb5cda0b005188c32a0b32fb4455aa0069b93ee
                                • Instruction Fuzzy Hash: 381159B1800209DFDB10DF99C844BEEBBF8EB49320F14841AE564B7210C375A954DFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,055D96A9,00000800,00000000,00000000), ref: 055D98BA
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: e3516a8fb658eaa9d9258e89af23254a2563d225dc8d86814897c44c0fadb7f7
                                • Instruction ID: 3419250704fc2e146bc27197f485af912ab75378481c0963ef17fe9fdad1c06b
                                • Opcode Fuzzy Hash: e3516a8fb658eaa9d9258e89af23254a2563d225dc8d86814897c44c0fadb7f7
                                • Instruction Fuzzy Hash: 161103B6D042499FDB20CF9AC444BDEFBF8FB88714F14842AD515A7600C375A949CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,055D96A9,00000800,00000000,00000000), ref: 055D98BA
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: f0e8553c12f0e69e4e2d892ae3b70b8fbc702f86d4e4cd1b914bcde15cfd5d4e
                                • Instruction ID: fb4080b64b2bbf7ed6493be07e96fe5e506f0d3cd2281cea503e83339f6bfe6e
                                • Opcode Fuzzy Hash: f0e8553c12f0e69e4e2d892ae3b70b8fbc702f86d4e4cd1b914bcde15cfd5d4e
                                • Instruction Fuzzy Hash: FA11D3B6D002099FDB10CF9AC844BDEFBF8FB88724F14842AD415A7600C375A549CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,017853E8,00000000,?), ref: 0568E73D
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 4d671336cc3e2cda13144fa31de95141e722d091852710c0f5aedd6c850a10af
                                • Instruction ID: 489fc120448dc75500bba00f29b3b6c07e0051f3df32b20f6156e21d08498e07
                                • Opcode Fuzzy Hash: 4d671336cc3e2cda13144fa31de95141e722d091852710c0f5aedd6c850a10af
                                • Instruction Fuzzy Hash: 381128B5900709DFDB10DF99C885BEEBBF8FB48324F148419E554A3640D379A985CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendMessageW.USER32(?,00000018,00000001,?), ref: 0568D29D
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: 8f0804b43209bb71a7a129847dcfdd1b2fd5e63714667c62940bc65bdbb611aa
                                • Instruction ID: efe3fb125b95b67246dc8659bc7f3460b649466fa4c736e1c3ef9f820a6cce5b
                                • Opcode Fuzzy Hash: 8f0804b43209bb71a7a129847dcfdd1b2fd5e63714667c62940bc65bdbb611aa
                                • Instruction Fuzzy Hash: 4311E0B59002499FDB20DF9AC884BEEBBF8FB48724F148819E914A7640C375A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,0568226A,?,00000000,?), ref: 0568C435
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: 83fb88c4918dda09e966912606906444a2e1631430b171a5136ecd1ddeac0d99
                                • Instruction ID: 915034c5e2442dc74dbd910837ad55d79872703d23a3953e5a0b3b44d791138f
                                • Opcode Fuzzy Hash: 83fb88c4918dda09e966912606906444a2e1631430b171a5136ecd1ddeac0d99
                                • Instruction Fuzzy Hash: 421122B58003489FEB10DF99C485BEEBBF8FB48324F20891AD854A7700C374A985CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 055D962E
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: ab20e4b1c44048c6285fdee11de0ab4a337fe2a24d4c2e2e34f133d2e7ea0005
                                • Instruction ID: c2c847f55b5ae24debd5d1b1be8fadc138d736bcb99903507e8c4129ee2a9618
                                • Opcode Fuzzy Hash: ab20e4b1c44048c6285fdee11de0ab4a337fe2a24d4c2e2e34f133d2e7ea0005
                                • Instruction Fuzzy Hash: 2311E3B6D046498FDB20CF9AC444BDEFBF4FB88224F15842AD429B7600C375A545CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,055DFE28,?,?,?,?), ref: 055DFE9D
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: LongWindow
                                • String ID:
                                • API String ID: 1378638983-0
                                • Opcode ID: a8e33956a34b9aee7db61474b6120c5fb8e49333ec54efbbcffd62927115af8d
                                • Instruction ID: 815a258392c78ab4ec82b00ffad3156109c0a99e055256141563b6cf904ba42c
                                • Opcode Fuzzy Hash: a8e33956a34b9aee7db61474b6120c5fb8e49333ec54efbbcffd62927115af8d
                                • Instruction Fuzzy Hash: E51122B6800209DFDB10CF99C485BDEFBF8EB48324F20841AD815A7301C374A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,055DFE28,?,?,?,?), ref: 055DFE9D
                                Memory Dump Source
                                • Source File: 00000009.00000002.527425340.00000000055D0000.00000040.00000001.sdmp, Offset: 055D0000, based on PE: false
                                Similarity
                                • API ID: LongWindow
                                • String ID:
                                • API String ID: 1378638983-0
                                • Opcode ID: 83e57d537c69be353433cfe9baf6bf1fb6754830460223d321a818823ee69390
                                • Instruction ID: ee5e0bf4315c5821df71187f2e1b9b5ab18c2b5bdfe7201dfedd4f68eb83efd1
                                • Opcode Fuzzy Hash: 83e57d537c69be353433cfe9baf6bf1fb6754830460223d321a818823ee69390
                                • Instruction Fuzzy Hash: DF11E0B5900249DFDB20DF9AD484BEAFBF8FB88324F14841AE915A7201C374A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0568BCBD
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: 9347ac0644c8d07cdb5ecaeba3c6c9f9b126064cacae99ebe7752857b27042bc
                                • Instruction ID: 71cb8b4f12531949bbe3bb4bed84bd11c85fb867912eb383b03297a5cda133e0
                                • Opcode Fuzzy Hash: 9347ac0644c8d07cdb5ecaeba3c6c9f9b126064cacae99ebe7752857b27042bc
                                • Instruction Fuzzy Hash: 7C1110B5800308DFDB10DF99C484BEEBBF8EB48324F108419E954A7610C375A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendMessageW.USER32(?,0000020A,?,?,?,?,?,?,0568226A,?,00000000,?), ref: 0568C435
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: 1168a4f55ddc6f10b905bae3c17cce51e523fc928d80f64036ef5f926ba11959
                                • Instruction ID: 7718e133ad970f2b652d31678b4a0f7d9252802421c0d1800031f2576e34b9c7
                                • Opcode Fuzzy Hash: 1168a4f55ddc6f10b905bae3c17cce51e523fc928d80f64036ef5f926ba11959
                                • Instruction Fuzzy Hash: F711F2B5800749DFDB10DF99C884BEEBBF8EB48324F208919E955A7700C375A985CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendMessageW.USER32(?,00000018,00000001,?), ref: 0568D29D
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: 6f94229abc2a4b8e594661dbdcf617cb006c60dfa0cf089ba0ba5016cea6de5a
                                • Instruction ID: 27dbfa8ac4fe78485afd2fd1d69e31fa5062968ccc7a11d0f873853d5553b905
                                • Opcode Fuzzy Hash: 6f94229abc2a4b8e594661dbdcf617cb006c60dfa0cf089ba0ba5016cea6de5a
                                • Instruction Fuzzy Hash: 2B11F2B5800309DFDB20DF9AC484BEEBBF8EB48324F108819E915A7740C375A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OleInitialize.OLE32(00000000), ref: 0568F435
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: d914752f168331835a0aece90aa9d235c5e76c736fadb8ae77efd637ec2fcd49
                                • Instruction ID: 97773eadc16107e6e7a7692813d722e710466911ce14926f37d772bcedb00ecd
                                • Opcode Fuzzy Hash: d914752f168331835a0aece90aa9d235c5e76c736fadb8ae77efd637ec2fcd49
                                • Instruction Fuzzy Hash: 321103B59046488FCB10DF99C484BEEFBF8EB48324F24851AD559A7700C374A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • OleInitialize.OLE32(00000000), ref: 0568F435
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: 5ec3cb51a8d67e303b7cd30ef5757752da71f19a360036001c606eacefdc6ca7
                                • Instruction ID: 7d41aac8673ae5dae6fbdb95edf347934d3d2b334af90a109d5ef42d29e17afb
                                • Opcode Fuzzy Hash: 5ec3cb51a8d67e303b7cd30ef5757752da71f19a360036001c606eacefdc6ca7
                                • Instruction Fuzzy Hash: D91103B5900649CFCB10DFA9D544BDEFBF4EB48324F24892AD459B7600C378A949CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0568BCBD
                                Memory Dump Source
                                • Source File: 00000009.00000002.527853343.0000000005680000.00000040.00000001.sdmp, Offset: 05680000, based on PE: false
                                Similarity
                                • API ID: MessageSend
                                • String ID:
                                • API String ID: 3850602802-0
                                • Opcode ID: dba275ff2fa9a01e1042fa0fa78113c66f4babd404766db2c9c097eb31bb575e
                                • Instruction ID: 72ceaf18e2875bc6239d97015f58a0098aee6ea33ffc518c3f23a89448bfe0be
                                • Opcode Fuzzy Hash: dba275ff2fa9a01e1042fa0fa78113c66f4babd404766db2c9c097eb31bb575e
                                • Instruction Fuzzy Hash: F41103B9800749DFDB10DF99D585BEEBBF8FB48324F24881AD854A7600C374A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000009.00000002.523432402.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: adadf2d50c3574ecc267ec165961e130b76c46eed08d57380b74110b94555319
                                • Instruction ID: 526f085cd73504b775df4168c5ae4bf7dded2a574fdabb2c22f9d4d149c84b4a
                                • Opcode Fuzzy Hash: adadf2d50c3574ecc267ec165961e130b76c46eed08d57380b74110b94555319
                                • Instruction Fuzzy Hash: D6210671904240DFDF15DF94D9E0B67BFA5FB84328F24856AD8090A2A6C336E856C7A2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000009.00000002.523514593.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ddbb4998de7c1564c187d860c3eb473e4ed9f82f3996c576d3b2debd2b8ac997
                                • Instruction ID: ed5a43d545384be9f2c554a604f7e90bd1731368023c9702111988a70499c358
                                • Opcode Fuzzy Hash: ddbb4998de7c1564c187d860c3eb473e4ed9f82f3996c576d3b2debd2b8ac997
                                • Instruction Fuzzy Hash: E02103B5904200DFCB15CF94D8C8B26BFE5FB84359F28C96AD8490B356C33AD807CA62
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000009.00000002.523514593.00000000014ED000.00000040.00000001.sdmp, Offset: 014ED000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e8e67985d9ca692ac9f69e4b6fdb7880ee792cc61ec988140bdb8f9054dd5c1a
                                • Instruction ID: 49d0a3a30bd444b2f33edccae1d51311e3785ba7fbf44c37893715ad5ee6d0fc
                                • Opcode Fuzzy Hash: e8e67985d9ca692ac9f69e4b6fdb7880ee792cc61ec988140bdb8f9054dd5c1a
                                • Instruction Fuzzy Hash: 372180755093808FCB13CF24D994716BFB1EB46214F28C5DBD8498F667C33A980ACB62
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000009.00000002.523432402.00000000014DD000.00000040.00000001.sdmp, Offset: 014DD000, based on PE: false
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 11772b62ccc9d22d83b62afd0a891c4d6e4a6fe74df51c0b93359674bc6ca424
                                • Instruction ID: 13c7097d375c341d6462f76c60316bed1323f1d844f887bc281f56c2e0278787
                                • Opcode Fuzzy Hash: 11772b62ccc9d22d83b62afd0a891c4d6e4a6fe74df51c0b93359674bc6ca424
                                • Instruction Fuzzy Hash: 6311AF76904280DFDF12CF54D9D4B16BF61FB84324F2486AAD9050B667C336D45ACBA2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                Executed Functions

                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07058226
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: e0ebae0d65163d31ec0f27cb9b8bf8ad04ece6bc5b8c3b96ece5e66ff672968c
                                • Instruction ID: acfd8970c514345da2fc1352216c6c6ad59dd66ebe23573ebf98f09699049476
                                • Opcode Fuzzy Hash: e0ebae0d65163d31ec0f27cb9b8bf8ad04ece6bc5b8c3b96ece5e66ff672968c
                                • Instruction Fuzzy Hash: 26A15CB1D00219DFDB50CFA8C8417EEBBF6BB44314F148669EC49A7290DB749985CF92
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07058226
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 71acf24f38326c34ea94a5725e329a30363ffc79fa3874c6638d8fd33a0729cf
                                • Instruction ID: b1199521663f350b59d2c005e8f9ccfbf17d2425044c6ce035fbb9a05215b6f5
                                • Opcode Fuzzy Hash: 71acf24f38326c34ea94a5725e329a30363ffc79fa3874c6638d8fd33a0729cf
                                • Instruction Fuzzy Hash: 20914BB1D00619CFDB50CFA8C8417EEBBF6BB48314F148669DC49A7290DB749985CF92
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00FAB1DE
                                Memory Dump Source
                                • Source File: 00000013.00000002.380843073.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: cdfa790b259fda76435c5139bda40243676eefcffabf6b0dbe48cae6155dd7bb
                                • Instruction ID: a3b53141ef7440decadf86ab3adb645e3be10a29c657b4e9724f0da6bf846b06
                                • Opcode Fuzzy Hash: cdfa790b259fda76435c5139bda40243676eefcffabf6b0dbe48cae6155dd7bb
                                • Instruction Fuzzy Hash: 177133B0A00B058FDB24DF29C0457AABBF1BF89314F108A2ED49AD7A41D775E849CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 00FA5421
                                Memory Dump Source
                                • Source File: 00000013.00000002.380843073.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 290b2da40d49023a9ff153f30b5bf4a5858df130a17f120f10a56dd1aced18d4
                                • Instruction ID: d8c8ec519481c4a57cb9e57a547a029e0855ec78b514a7fa3e2088c597e83214
                                • Opcode Fuzzy Hash: 290b2da40d49023a9ff153f30b5bf4a5858df130a17f120f10a56dd1aced18d4
                                • Instruction Fuzzy Hash: DA4125B1D00618CFDB24CFA9D884BDEFBB5BF89304F24846AD408AB251DB756946CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 00FA5421
                                Memory Dump Source
                                • Source File: 00000013.00000002.380843073.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: b3e91f878bc84650b62fe10f058225837cb817ddb41e43f7ca317fd5671f395b
                                • Instruction ID: 88ea59fd70c6f4f6ad638a30b9d4bc7b827b2572fe24169c80d523efff9eb101
                                • Opcode Fuzzy Hash: b3e91f878bc84650b62fe10f058225837cb817ddb41e43f7ca317fd5671f395b
                                • Instruction Fuzzy Hash: 454114B1D00718CFDB20CFA9C844BDEBBB5BF49704F608469D408AB251DB716986CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07057DF8
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 179f8b94348c73bcbb21ce51b8fcb6858db01facf18e587f643795f03c09a29b
                                • Instruction ID: 5c4323c0938fbbb35908c220f5a1ca67379c140a563e7646daa19a3aba07658f
                                • Opcode Fuzzy Hash: 179f8b94348c73bcbb21ce51b8fcb6858db01facf18e587f643795f03c09a29b
                                • Instruction Fuzzy Hash: EA215CB59003499FCF10CFA9C844BEEBBF5FF48314F14892AE919A7240D7789954CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07057DF8
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 440b78ed71f6dd6478622ce64b5d9bdd02b7ffa6a160587d83b7a05185402719
                                • Instruction ID: f8e423c3b1d52b7ce25321893d897076b0c2b954e0a8a6687f7913de8eb023a8
                                • Opcode Fuzzy Hash: 440b78ed71f6dd6478622ce64b5d9bdd02b7ffa6a160587d83b7a05185402719
                                • Instruction Fuzzy Hash: B6212AB59003499FCB00CFA9C8847EEBBF5FF48314F10882AE919A7240D7789954CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07057ED8
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: a3c46340feef5cf5b021cb8590fa2eb0362221ec3b1a31e59bd3e2838c8bc696
                                • Instruction ID: 40f4fe15b4aa8ecda999c0a5ac13ce20006e402ef4bd73b5a920be168a5e16ce
                                • Opcode Fuzzy Hash: a3c46340feef5cf5b021cb8590fa2eb0362221ec3b1a31e59bd3e2838c8bc696
                                • Instruction Fuzzy Hash: 712139B1C003199FCB10CFA9C8806EEBBF9FF48314F50882AE919A7240C7759905CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetThreadContext.KERNELBASE(?,00000000), ref: 07057C4E
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: ContextThread
                                • String ID:
                                • API String ID: 1591575202-0
                                • Opcode ID: 2f42225fad923f2891a172f7375e7ad4462cf0968a38d78923b470a112617189
                                • Instruction ID: 55432a0e1ee17099c28bc13b7c306a5f4648dd16a76832a35d7d3f4496b34ed2
                                • Opcode Fuzzy Hash: 2f42225fad923f2891a172f7375e7ad4462cf0968a38d78923b470a112617189
                                • Instruction Fuzzy Hash: BE213AB1D003099FDB50DFA9C4847EEBBF4EF88224F14842ED959A7241D778A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FAD886,?,?,?,?,?), ref: 00FAD947
                                Memory Dump Source
                                • Source File: 00000013.00000002.380843073.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 1aa6ce491067eca1b9407dbadcb88833efd7293ca9cb5f6ee336e65d616d0248
                                • Instruction ID: 9cf5ea99243b9a29a3729831ea48509abe957b689a3d74d20bf10ec10ffd8188
                                • Opcode Fuzzy Hash: 1aa6ce491067eca1b9407dbadcb88833efd7293ca9cb5f6ee336e65d616d0248
                                • Instruction Fuzzy Hash: 0421E5B5D00208DFDB10CFAAD484AEEBBF8EB49320F14841AE955A7310D378A954DFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00FAD886,?,?,?,?,?), ref: 00FAD947
                                Memory Dump Source
                                • Source File: 00000013.00000002.380843073.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: f162fc32c001255aaa2cc99284ace90d2d73b93d8f493ecff4a666cc8b5d792d
                                • Instruction ID: 7374d9c43acd1fcd3299512e100ab24e01bb8675e079662971e769609dd303f0
                                • Opcode Fuzzy Hash: f162fc32c001255aaa2cc99284ace90d2d73b93d8f493ecff4a666cc8b5d792d
                                • Instruction Fuzzy Hash: AA21E3B5D00248DFDB10CFAAD584AEEBBF9EB48324F14841AE955B7210C375A945CF61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetThreadContext.KERNELBASE(?,00000000), ref: 07057C4E
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: ContextThread
                                • String ID:
                                • API String ID: 1591575202-0
                                • Opcode ID: aaadc0d8108384c30e8233b955cb4cde8e59d9ca4cd3bb50ffcbf9113fc47b3c
                                • Instruction ID: 2dd9567c8b5a18058a849a132eb81bf0b220b994d314f9e742b9ae9fb10dad96
                                • Opcode Fuzzy Hash: aaadc0d8108384c30e8233b955cb4cde8e59d9ca4cd3bb50ffcbf9113fc47b3c
                                • Instruction Fuzzy Hash: 02211AB1D003098FDB50DFA9C4847EEBBF4AF48224F54842ED959A7240D778A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07057ED8
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 576af1ac55d0258cd756a3f21ba1a3a117b8df3f02095a78c33c35f96eca9489
                                • Instruction ID: ec70c081826292ee368b625fdafafdba53972c27b155795d0d0444310c43ca13
                                • Opcode Fuzzy Hash: 576af1ac55d0258cd756a3f21ba1a3a117b8df3f02095a78c33c35f96eca9489
                                • Instruction Fuzzy Hash: 142128B1D003499FCB10CFA9C8846EEFBF5FF48314F54882AE918A7240D779A955CBA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07057D16
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 206949fc474a13fd63cfd5688aabfe576ab23fa90d13f2fca9bece6cd1abd4ff
                                • Instruction ID: 1f0d1a7dab1175e55958f036f2301e1aee19bbf4f38d14b210c88951918ddbcd
                                • Opcode Fuzzy Hash: 206949fc474a13fd63cfd5688aabfe576ab23fa90d13f2fca9bece6cd1abd4ff
                                • Instruction Fuzzy Hash: 6D216A718043099FCB14CFA9C8447EFBBF5AF88314F14881AD515A7210C7759904CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FAB259,00000800,00000000,00000000), ref: 00FAB46A
                                Memory Dump Source
                                • Source File: 00000013.00000002.380843073.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: d03698c266c807a77b7fff36a94433e4e6b8d9e8d08e8506b7438a5febe94973
                                • Instruction ID: 6850f431b256d5441d8154db046d2f5b79be0d165b5440142368928aed708c3d
                                • Opcode Fuzzy Hash: d03698c266c807a77b7fff36a94433e4e6b8d9e8d08e8506b7438a5febe94973
                                • Instruction Fuzzy Hash: C511E4B6D042099FDB10CF9AC444BDEFBF8EB49324F14842AD969B7201C375A945CFA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07057D16
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 7f1fd3dda533277a08bd7e43634c7a4abf1907cdf66d6433a5216bae32a8b509
                                • Instruction ID: 8a11301d4f66fe73f90a7758d44fd626c25c86c0433b8577f759beebcc24f28c
                                • Opcode Fuzzy Hash: 7f1fd3dda533277a08bd7e43634c7a4abf1907cdf66d6433a5216bae32a8b509
                                • Instruction Fuzzy Hash: 931137759002499FCB10DFA9C8447EFBBF9EF88324F14881AE929A7250C775A954CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FAB259,00000800,00000000,00000000), ref: 00FAB46A
                                Memory Dump Source
                                • Source File: 00000013.00000002.380843073.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: c88d3a9772a2ec3fdce8abeb8331b6c2963ffa423d4049e2aaf6c80f10dad3a7
                                • Instruction ID: 9191578182e1da6ac2f5f552cc2f205fb2d51b8aefb4393fd22e1688aaf31329
                                • Opcode Fuzzy Hash: c88d3a9772a2ec3fdce8abeb8331b6c2963ffa423d4049e2aaf6c80f10dad3a7
                                • Instruction Fuzzy Hash: 4911F9B6D002498FDB10CFAAD484BEEFBF4EB59324F14852AD855B7201C375A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 80e96c15b80d1b3b2c86d5a1d1fa9bd231e12675ba7928840912fc41fb7441f2
                                • Instruction ID: 16c8325fe0a846f85aea2bae67514813eff356d334323b46db4cd4e0dbd40f45
                                • Opcode Fuzzy Hash: 80e96c15b80d1b3b2c86d5a1d1fa9bd231e12675ba7928840912fc41fb7441f2
                                • Instruction Fuzzy Hash: B1112BB1D003498BDB10DFA9C4447EFFBF9AB88224F14882AD519A7240D775A945CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 8261894fccfa3d475b0150864adadd455c788eaca5405c15b0b560eb7c63f2b6
                                • Instruction ID: 55ae888dcb86e9713af70fc452a06b8e1ff823526ae91fae585b91ee25b15af3
                                • Opcode Fuzzy Hash: 8261894fccfa3d475b0150864adadd455c788eaca5405c15b0b560eb7c63f2b6
                                • Instruction Fuzzy Hash: 94110AB1D007498FDB10DFAAC4447EFFBF9AB88224F14882AD529A7240C775A945CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00FAB1DE
                                Memory Dump Source
                                • Source File: 00000013.00000002.380843073.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: bf84042fa6114ca73264b15d46592ee5f1abf54bf72ee36fff9a7631263985c4
                                • Instruction ID: 34206a1f7e2ec478a2df1ae15123eed35077b0a1d9eacbac0c125dd7418cf2b4
                                • Opcode Fuzzy Hash: bf84042fa6114ca73264b15d46592ee5f1abf54bf72ee36fff9a7631263985c4
                                • Instruction Fuzzy Hash: EB11E3B5D006498FDB10CF9AC448BDEFBF4AF89324F14841AD429B7601C375A545CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 0705C0BD
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 9c7c59127c0c2100838d6590707bd5e240a905c03e8ffaa7b22450bce3a5d29b
                                • Instruction ID: c1e6c1dfa3f5b6ef0c586fcefbe7c6fa43f10382b2576f7bb47fc1b0c79c3b77
                                • Opcode Fuzzy Hash: 9c7c59127c0c2100838d6590707bd5e240a905c03e8ffaa7b22450bce3a5d29b
                                • Instruction Fuzzy Hash: D711D3B5800349DFDB20DF9AD884BDFBBF8EB48324F14841AE955A7600C375A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 0705C0BD
                                Memory Dump Source
                                • Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: cea53545639e1bf02d65293b0b80ce85b9d34c563edf15b3ebd1afd7017967b3
                                • Instruction ID: 619635fbfbb558fab3337fb2308557d702787fdb5d9f8824ec55d79d7661aef9
                                • Opcode Fuzzy Hash: cea53545639e1bf02d65293b0b80ce85b9d34c563edf15b3ebd1afd7017967b3
                                • Instruction Fuzzy Hash: 3111D3B58003499FDB10DF99D484BDFBBF8EB48324F14841AD955A7600C375A944CFA1
                                Uniqueness

                                Uniqueness Score: -1.00%
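The API references recorded above for the 07050000 region of process 00000013 (CreateProcessA, GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory and the two entries whose API ID is ResumeThread) are the call set of suspended-process hollowing, and the region they sit in is a 0x40 (PAGE_EXECUTE_READWRITE) mapping that is not backed by a PE image. The script below is an added example, not part of this report or of any sandbox tooling: it parses listing entries in the format shown in this section, merges them per (process, region base) and flags regions that carry the full hollowing set together with the RWX/non-image property. It assumes the dump file name is laid out as process.dump.sequence.base.protection.type.sdmp, that a single-token API ID may stand in for the API name when an entry has no API reference line (as the ResumeThread entries above do), and that SetThreadContext and NtUnmapViewOfSection, which do not appear in this excerpt, are not required for a match. The sample text is a trimmed copy of entries from this section.

```python
import re

PAGE_EXECUTE_READWRITE = 0x40  # Windows protection constant; 6th dotted field of the dump name

# Trimmed copy of entries from the listing above. The ResumeThread entry is reproduced as it
# appears there: no API reference line, only an API ID.
SAMPLE_LISTING = """
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07058226
Memory Dump Source
• Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07057DF8
Memory Dump Source
• Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
APIs
• GetThreadContext.KERNELBASE(?,00000000), ref: 07057C4E
Memory Dump Source
• Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07057D16
Memory Dump Source
• Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
APIs
Memory Dump Source
• Source File: 00000013.00000002.386678889.0000000007050000.00000040.00000001.sdmp, Offset: 07050000, based on PE: false
• API ID: ResumeThread
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00FAB1DE
Memory Dump Source
• Source File: 00000013.00000002.380843073.0000000000FA0000.00000040.00000001.sdmp, Offset: 00FA0000, based on PE: false
APIs
• GetCurrentProcess.KERNEL32 ref: 0104D2F0
• GetCurrentThread.KERNEL32 ref: 0104D32D
Memory Dump Source
• Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
• API ID: Current$ProcessThread
"""

API_LINE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_LINE = re.compile(r"^•\s*Source File:\s*(?P<proc>[0-9A-Fa-f]{8})\.\d+\.\d+\.(?P<base>[0-9A-Fa-f]{16})"
                         r"\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp,.*based on PE:\s*(?P<pe>true|false)$")
API_ID_LINE = re.compile(r"^•\s*API ID:\s*(?P<id>\S+)$")

# Call set of the classic suspended-process hollowing flow. SetThreadContext and
# NtUnmapViewOfSection are usually present too but are absent from this excerpt, so not required.
HOLLOWING = {"CreateProcess", "GetThreadContext", "VirtualAllocEx", "WriteProcessMemory", "ResumeThread"}


def parse_listing(text):
    """One entry per 'APIs' header: its API references, its API ID and the dump region."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "APIs":
            cur = {"apis": [], "api_id": None, "region": None}
            entries.append(cur)
        elif cur is None:
            continue
        elif m := API_LINE.match(line):
            cur["apis"].append((m["name"], m["module"], int(m["ref"], 16)))
        elif m := SOURCE_LINE.match(line):
            # Assumed layout: <process>.<dump>.<sequence>.<base>.<protection>.<type>.sdmp
            cur["region"] = (int(m["proc"], 16), int(m["base"], 16), int(m["prot"], 16), m["pe"] == "true")
        elif m := API_ID_LINE.match(line):
            cur["api_id"] = m["id"]
    return [e for e in entries if e["region"]]


def canonical(name):
    """Drop the ANSI/Unicode suffix so CreateProcessA and CreateProcessW compare equal."""
    return name[:-1] if len(name) > 3 and name[-1] in "AW" else name


def region_api_sets(entries):
    """Merge every entry that came from the same (process, region base) into one API set."""
    regions = {}
    for e in entries:
        proc, base, prot, pe = e["region"]
        info = regions.setdefault((proc, base), {"prot": prot, "image_backed": pe, "apis": set()})
        info["apis"].update(canonical(n) for n, _mod, _ref in e["apis"])
        # ASSUMPTION: with no API line, a single-token API ID is the API name ('$' marks a merged ID).
        if not e["apis"] and e["api_id"] and "$" not in e["api_id"]:
            info["apis"].add(canonical(e["api_id"]))
    return regions


def find_injection_regions(text):
    """Score each dump region: RWX and not image-backed, and how much of HOLLOWING it calls."""
    findings = []
    for (proc, base), info in sorted(region_api_sets(parse_listing(text)).items()):
        findings.append({"proc": proc, "base": base,
                         "matched": sorted(HOLLOWING & info["apis"]),
                         "missing": sorted(HOLLOWING - info["apis"]),
                         "hollowing": not (HOLLOWING - info["apis"]),
                         "rwx_non_image": info["prot"] == PAGE_EXECUTE_READWRITE and not info["image_backed"]})
    return findings


if __name__ == "__main__":
    for f in find_injection_regions(SAMPLE_LISTING):
        print(f"proc {f['proc']:#x} region {f['base']:#010x} rwx_non_image={f['rwx_non_image']} "
              f"hollowing={f['hollowing']} matched={f['matched']}")
```

Presence of these calls in one region is an indicator of the technique, not proof of their order or of a CREATE_SUSPENDED flag (the listing shows every argument as "?"), so confirm against the process tree and the thread-context writes before reporting hollowing. Running the script on the sample flags only the 07050000 region of process 00000013; the 00FA0000 region of the same process and the 01040000 region of process 00000016 are RWX non-image regions too but carry none of the hollowing calls.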

                                Non-executed Functions

                                Executed Functions

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0104D2F0
                                • GetCurrentThread.KERNEL32 ref: 0104D32D
                                • GetCurrentProcess.KERNEL32 ref: 0104D36A
                                • GetCurrentThreadId.KERNEL32 ref: 0104D3C3
                                Memory Dump Source
                                • Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 752d72c9f4caf8180cb00bc03a1d99498941032e1efee106f10d285fe5fbcd4a
                                • Instruction ID: 29f2aaaa38d9e96cebaca4e25d6e55bd87dc2ba29fed70e83a93156d9a439287
                                • Opcode Fuzzy Hash: 752d72c9f4caf8180cb00bc03a1d99498941032e1efee106f10d285fe5fbcd4a
                                • Instruction Fuzzy Hash: C75175B09003488FDB14CFA9D5887EEBFF0EF58304F248469E459A7291CB74A844CF65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0104D2F0
                                • GetCurrentThread.KERNEL32 ref: 0104D32D
                                • GetCurrentProcess.KERNEL32 ref: 0104D36A
                                • GetCurrentThreadId.KERNEL32 ref: 0104D3C3
                                Memory Dump Source
                                • Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 7a6a3a9df5d625d5e226ade8a0101ac6174fbab5c4c33f5fb9964746040076a1
                                • Instruction ID: e0981f2979a4fd2a7a8d7ff091764c2215560eb98aa6b1c2d70445166ab59993
                                • Opcode Fuzzy Hash: 7a6a3a9df5d625d5e226ade8a0101ac6174fbab5c4c33f5fb9964746040076a1
                                • Instruction Fuzzy Hash: FF5154B4900749CFDB14CFAAD588BEEBBF0EF98314F248469E459A7250CB74A844CF65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0104B1DE
                                Memory Dump Source
                                • Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 600ce43857eae1db48c8624ff2922da193af499754b0ab25e0fa5e9d6a76734d
                                • Instruction ID: 9ec859779dc0fc10a3d6eb419af2e4bf249c4a45de63a43bca5768cf5170fc37
                                • Opcode Fuzzy Hash: 600ce43857eae1db48c8624ff2922da193af499754b0ab25e0fa5e9d6a76734d
                                • Instruction Fuzzy Hash: 637159B0A00B058FD764DF69D08479ABBF1FF88204F008A2DE59AD7A40DB75E855CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 01045421
                                Memory Dump Source
                                • Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 4a3cb7bd774000b0389c4b7545eda3d68b00c26a5a3efef53ec6efce6ce45693
                                • Instruction ID: aec582c7721cecf7a5b4dab70461e2a0b9c821052bf155830618b3601a3d0cdd
                                • Opcode Fuzzy Hash: 4a3cb7bd774000b0389c4b7545eda3d68b00c26a5a3efef53ec6efce6ce45693
                                • Instruction Fuzzy Hash: 285126B1D00618CFDB10CFA9C8847DEBBF5BF48309F2084AAD448AB251DB756949CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 01045421
                                Memory Dump Source
                                • Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 1658e8fd16677e9868458c916849ea2a7ebee2ca8d6d5973bb622e2783d3c86e
                                • Instruction ID: f8952a401b6a4b6793b70991b6222d184c1c943b3e3a10066323304cd26e81bc
                                • Opcode Fuzzy Hash: 1658e8fd16677e9868458c916849ea2a7ebee2ca8d6d5973bb622e2783d3c86e
                                • Instruction Fuzzy Hash: F541E4B1D00618CFDB24DFA9C884BDEBBF5BF88308F5084A9D448AB251DB756946CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0104D947
                                Memory Dump Source
                                • Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0104D947
                                Memory Dump Source
                                • Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0104B259,00000800,00000000,00000000), ref: 0104B46A
                                Memory Dump Source
                                • Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0104B259,00000800,00000000,00000000), ref: 0104B46A
                                Memory Dump Source
                                • Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0104B1DE
                                Memory Dump Source
                                • Source File: 00000016.00000002.328906661.0000000001040000.00000040.00000001.sdmp, Offset: 01040000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 06F68F85
                                Memory Dump Source
                                • Source File: 00000016.00000002.338825109.0000000006F60000.00000040.00000001.sdmp, Offset: 06F60000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 06F68F85
                                Memory Dump Source
                                • Source File: 00000016.00000002.338825109.0000000006F60000.00000040.00000001.sdmp, Offset: 06F60000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000016.00000002.328705488.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000016.00000002.328705488.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000016.00000002.328705488.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000016.00000002.328705488.0000000000FAD000.00000040.00000001.sdmp, Offset: 00FAD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                Executed Functions

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02A0B1DE
                                Memory Dump Source
                                • Source File: 00000017.00000002.341633166.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 02A05421
                                Memory Dump Source
                                • Source File: 00000017.00000002.341633166.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 02A05421
                                Memory Dump Source
                                • Source File: 00000017.00000002.341633166.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 051B3FD1
                                Memory Dump Source
                                • Source File: 00000017.00000002.348796693.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000017.00000002.348796693.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                                Similarity
                                • API ID: CreateFromIconResource
                                • String ID:
                                • API String ID: 3668623891-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A0D886,?,?,?,?,?), ref: 02A0D947
                                Memory Dump Source
                                • Source File: 00000017.00000002.341633166.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A0D886,?,?,?,?,?), ref: 02A0D947
                                Memory Dump Source
                                • Source File: 00000017.00000002.341633166.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,051BC6B2,?,?,?,?,?), ref: 051BC757
                                Memory Dump Source
                                • Source File: 00000017.00000002.348796693.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                                Similarity
                                • API ID: CreateFromIconResource
                                • String ID:
                                • API String ID: 3668623891-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A0B259,00000800,00000000,00000000), ref: 02A0B46A
                                Memory Dump Source
                                • Source File: 00000017.00000002.341633166.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02A0B259,00000800,00000000,00000000), ref: 02A0B46A
                                Memory Dump Source
                                • Source File: 00000017.00000002.341633166.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02A0B1DE
                                Memory Dump Source
                                • Source File: 00000017.00000002.341633166.0000000002A00000.00000040.00000001.sdmp, Offset: 02A00000, based on PE: false
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 06E88F85
                                Memory Dump Source
                                • Source File: 00000017.00000002.350702781.0000000006E80000.00000040.00000001.sdmp, Offset: 06E80000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(?,?,?,?), ref: 06E88F85
                                Memory Dump Source
                                • Source File: 00000017.00000002.350702781.0000000006E80000.00000040.00000001.sdmp, Offset: 06E80000, based on PE: false
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000017.00000002.341186049.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000017.00000002.341237460.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000017.00000002.341237460.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000017.00000002.341237460.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000017.00000002.341186049.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000017.00000002.341237460.00000000010CD000.00000040.00000001.sdmp, Offset: 010CD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000017.00000002.341186049.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000017.00000002.341186049.00000000010BD000.00000040.00000001.sdmp, Offset: 010BD000, based on PE: false
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions