
Analysis Report DOC.exe

Overview

General Information

Sample Name: DOC.exe
Analysis ID: 319643
MD5: 6ad10f04afb24c96187b76129225c00c
SHA1: 561fed791a4a4a10ec9889e3e30f0c4e0db80fd0
SHA256: c8d2f56a87705f11451e14e6ed7fe90a5b995b3e7f668811fb2f43a8f4325579
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DOC.exe (PID: 6600 cmdline: 'C:\Users\user\Desktop\DOC.exe' MD5: 6AD10F04AFB24C96187B76129225C00C)
    • schtasks.exe (PID: 6696 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DOC.exe (PID: 6752 cmdline: {path} MD5: 6AD10F04AFB24C96187B76129225C00C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xfbbfd:$x1: NanoCore.ClientPluginHost
  • 0xfbc3a:$x2: IClientNetworkHost
  • 0xff76d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfb965:$a: NanoCore
  • 0xfb975:$a: NanoCore
  • 0xfbba9:$a: NanoCore
  • 0xfbbbd:$a: NanoCore
  • 0xfbbfd:$a: NanoCore
  • 0xfb9c4:$b: ClientPlugin
  • 0xfbbc6:$b: ClientPlugin
  • 0xfbc06:$b: ClientPlugin
  • 0xfbaeb:$c: ProjectData
  • 0xfc4f2:$d: DESCrypto
  • 0x103ebe:$e: KeepAlive
  • 0x101eac:$g: LogClientMessage
  • 0xfe0a7:$i: get_Connected
  • 0xfc828:$j: #=q
  • 0xfc858:$j: #=q
  • 0xfc874:$j: #=q
  • 0xfc8a4:$j: #=q
  • 0xfc8c0:$j: #=q
  • 0xfc8dc:$j: #=q
  • 0xfc90c:$j: #=q
  • 0xfc928:$j: #=q
00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x250b1d:$x1: NanoCore.ClientPluginHost
  • 0x250b5a:$x2: IClientNetworkHost
  • 0x25468d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\DOC.exe, ProcessId: 6752, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\DOC.exe', ParentImage: C:\Users\user\Desktop\DOC.exe, ParentProcessId: 6600, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp', ProcessId: 6696

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\CZOIAvjovs.exe, ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: DOC.exe, ReversingLabs: Detection: 18%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY
Source: C:\Users\user\Desktop\DOC.exe, Code function: 4x nop then jmp 05C45F32h, 0_2_05C451D5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49723 -> 23.105.131.162:4040
Source: global traffic, TCP traffic: 192.168.2.7:49723 -> 23.105.131.162:4040
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
Source: unknown, TCP traffic detected without corresponding DNS query: 23.105.131.162 (100 identical entries in the report)
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, DOC.exe, 00000000.00000003.242124625.000000000541D000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DOC.exe, 00000000.00000003.242614903.000000000541A000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: DOC.exe, 00000000.00000003.242614903.000000000541A000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comizey
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: DOC.exe, 00000000.00000003.242274345.000000000542D000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.Z
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com.TTFJ
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/f
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com0
Source: DOC.exe, 00000000.00000003.244081653.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: DOC.exe, 00000000.00000002.257330031.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comFm.
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comcom
Source: DOC.exe, 00000000.00000003.245481149.000000000542A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comgretaJ
Source: DOC.exe, 00000000.00000002.257330031.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comgrita9
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comlicdS
Source: DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comsiefx
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: DOC.exe, 00000000.00000003.241955458.000000000542D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DOC.exe, 00000000.00000003.244700687.000000000542A000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: DOC.exe, 00000000.00000003.244700687.000000000542A000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/A
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Conn
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/J
Source: DOC.exe, 00000000.00000003.243289341.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Regux
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Webd
Source: DOC.exe, 00000000.00000003.243289341.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0so
Source: DOC.exe, 00000000.00000003.242822237.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/anie
Source: DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/f
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/0
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/f
Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: DOC.exe, 00000000.00000003.240828716.000000000542B000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.comeuG
Source: DOC.exe, 00000000.00000003.240828716.000000000542B000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.comte?
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: DOC.exe, 00000000.00000003.242216750.000000000542C000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cnue
      Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/f
      Source: DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/x
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
      Source: DOC.exe, 00000000.00000003.240828716.000000000542B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comeuG
      Source: DOC.exe, 00000000.00000003.240828716.000000000542B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comte?
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: DOC.exe, 00000000.00000003.242216750.000000000542C000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnue

      E-Banking Fraud:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, Author: Florian Roth
      Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT, Author: Florian Roth
      Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: DOC.exe PID: 6752, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY | Matched rule: Detects the Nanocore RAT, Author: Florian Roth
      Source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05BD1756 NtQuerySystemInformation
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05BD1725 NtQuerySystemInformation
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05161329
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05160B80
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_0516E7C0
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_051689E8
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05161C48
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05160098
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05168C80
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05162AF0
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05168318
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05161731
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05160B39
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05168328
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05161780
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_0516A1A8
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_051649D0
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05164BDA
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_051689D9
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_051649C2
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_051629F8
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05164BE8
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05168E11
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05163818
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05163808
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05164831
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05164840
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05168C70
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_0516947A
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05169488
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05C451D5
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05C43B83
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05C43FE7
      Source: DOC.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: CZOIAvjovs.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: DOC.exe, 00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs DOC.exe
      Source: DOC.exe, 00000000.00000002.257133468.0000000005380000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DOC.exe
      Source: DOC.exe, 00000000.00000002.258925636.00000000061B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs DOC.exe
      Source: DOC.exe, 00000000.00000000.239695576.00000000009A0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename*Yd.exeR vs DOC.exe
      Source: DOC.exe, 00000000.00000002.259026086.00000000061E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs DOC.exe
      Source: DOC.exe, 00000000.00000002.259026086.00000000061E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs DOC.exe
      Source: DOC.exe, 00000000.00000002.260831523.00000000076B0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs DOC.exe
      Source: DOC.exe, 00000003.00000000.251653756.0000000000C00000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename*Yd.exeR vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs DOC.exe
      Source: DOC.exe | Binary or memory string: OriginalFilename*Yd.exeR vs DOC.exe
      Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: DOC.exe PID: 6752, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
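      The OriginalFilename values and PDB paths above are the NanoCore plug-in set (NanoCoreBase, the *ClientPlugin assemblies, the AForge/NAudio surveillance dependencies) decrypted into the memory of the injected DOC.exe process (PID 6752). The Python below is an added triage example, not part of this report and not code from the sample or any vendor: it pulls ASCII and UTF-16LE strings out of a memory dump or dropped file and matches them against those indicators. VERSIONINFO strings such as OriginalFilename are stored as UTF-16LE, so an ASCII-only strings pass misses the plug-in names; the CodeView PDB paths are ASCII. The indicator list is taken from this report, the sample buffer is constructed, and the two-indicator threshold is an assumption. The font-vendor URLs listed earlier in the report are typical of embedded font name-table metadata and are not used as indicators here.

```python
"""Added example (not from the Joe Sandbox report): string-level triage for the
NanoCore artefacts the report lists, in both ASCII and UTF-16LE encodings."""
import re

# Indicators copied from the report's OriginalFilename and PDB-path findings.
NANOCORE_FILENAMES = [
    "NanoCoreBase.dll", "CoreClientPlugin.dll", "ManagementClientPlugin.dll",
    "FileBrowserClient.dll", "NetworkClientPlugin.dll", "SecurityClientPlugin.dll",
    "SurveillanceClientPlugin.dll", "ToolsClientPlugin.dll", "NanoCoreStressTester.dll",
]
PDB_MARKERS = [
    r"\NanoCoreBase\obj\Debug\NanoCoreBase.pdb",
    r"\NanoCoreStressTester.pdb",
    r"NanoCoreSwiss",
]


def extract_strings(data: bytes, min_len: int = 6):
    """Yield (offset, encoding, text) for printable runs.

    PE VERSIONINFO (OriginalFilename etc.) is UTF-16LE, so a second pass
    over 'char NUL' pairs is needed on top of the classic ASCII pass.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_nanocore_indicators(data: bytes):
    """Return sorted, de-duplicated (offset, encoding, indicator) hits."""
    hits = set()
    for off, enc, text in extract_strings(data):
        for indicator in NANOCORE_FILENAMES + PDB_MARKERS:
            if indicator in text:
                hits.add((off, enc, indicator))
    return sorted(hits)


def is_nanocore_like(data: bytes, threshold: int = 2) -> bool:
    """Assumed heuristic: at least `threshold` distinct indicators present."""
    return len({h[2] for h in find_nanocore_indicators(data)}) >= threshold


# Constructed sample buffer, not a real dump: an ASCII PDB path between NUL
# padding, then a UTF-16LE VERSIONINFO-style key/value pair.
SAMPLE = (
    b"\x00" * 16
    + rb"G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb"
    + b"\x00" * 8
    + "OriginalFilename".encode("utf-16le") + b"\x00\x00"
    + "NanoCoreBase.dll".encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, enc, indicator in find_nanocore_indicators(SAMPLE):
        print(f"0x{off:08x} {enc:8s} {indicator}")
    print("NanoCore-like:", is_nanocore_like(SAMPLE))
```

Run it against a process dump of the injected child rather than the on-disk DOC.exe: the plug-ins are only present after the loader has decrypted them, which is why the report's matches are all in process memory and not in the static file.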
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/7@0/1
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05BD15DA AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05BD15A3 AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\DOC.exe | File created: C:\Users\user\AppData\Roaming\CZOIAvjovs.exe
      Source: C:\Users\user\Desktop\DOC.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{dcac4b5d-9a8e-4643-8c5a-3d27f5de9c1d}
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_01
      Source: C:\Users\user\Desktop\DOC.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Desktop\DOC.exe | Mutant created: \Sessions\1\BaseNamedObjects\JwXsFUTyQgmRAdZVtlXuPjQ
      Source: C:\Users\user\Desktop\DOC.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3870.tmp
      Source: DOC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\DOC.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\DOC.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\DOC.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\DOC.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\DOC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: DOC.exe | ReversingLabs: Detection: 18%
      Source: DOC.exe | String found in binary or memory: icons8-Add-16
      Source: DOC.exe | String found in binary or memory: icons8-Add-16UW
      Source: C:\Users\user\Desktop\DOC.exe | File read: C:\Users\user\Desktop\DOC.exe
      Source: unknown | Process created: C:\Users\user\Desktop\DOC.exe 'C:\Users\user\Desktop\DOC.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\DOC.exe {path}
      Source: C:\Users\user\Desktop\DOC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp'
      Source: C:\Users\user\Desktop\DOC.exe | Process created: C:\Users\user\Desktop\DOC.exe {path}
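      The process tree above is the chain the "Scheduled temp file as task from temp location" Sigma rule and the injection signature fire on: DOC.exe writes a task definition to tmp3870.tmp in the user's Temp directory, registers it with schtasks.exe /Create /XML under the name Updates\CZOIAvjovs (the same name as the copy dropped to AppData\Roaming), and then relaunches its own image with the literal command line {path}, the placeholder the .NET loader leaves when it hollows a suspended copy of itself. The Python below is an added example, not the report's or any vendor's detection code: it applies those two checks to process-creation events. The event records are constructed from this report's command lines; PIDs 6600, 6704 and 6752 are the ones the report names, while the remaining PIDs, the parent image and the event layout are assumptions.

```python
"""Added example (not from the Joe Sandbox report): two process-creation checks
for the persistence and self-relaunch chain seen in the report's process tree."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line as logged


# Joe Sandbox renders Windows double quotes as single quotes; accept both.
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokenize(cmdline: str):
    """Split a Windows command line into arguments, stripping surrounding quotes."""
    return [t.strip("'\"") for t in TOKEN_RE.findall(cmdline)]


def arg_after(tokens, flag):
    """Value that follows a case-insensitive switch such as /XML, or None."""
    low = [t.lower() for t in tokens]
    if flag.lower() in low:
        i = low.index(flag.lower())
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def schtasks_xml_from_temp(ev: ProcEvent):
    """Sigma-style check: schtasks.exe /Create whose /XML definition lives in the user's Temp folder."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    toks = tokenize(ev.cmdline)
    if "/create" not in (t.lower() for t in toks):
        return None
    xml_path = arg_after(toks, "/XML")
    if xml_path and TEMP_RE.search(xml_path):
        return {"rule": "schtasks_xml_from_temp", "pid": ev.pid,
                "task": arg_after(toks, "/TN"), "xml": xml_path}
    return None


def self_spawn_placeholder(ev: ProcEvent, by_pid):
    """Heuristic for the hollowing stub: a process relaunches its own image
    with the unresolved placeholder command line '{path}'. Not proof of
    injection on its own; pair it with the suspended-create / WriteProcessMemory signal."""
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower() == ev.image.lower() and ev.cmdline.strip() == "{path}":
        return {"rule": "self_spawn_placeholder_cmdline", "pid": ev.pid,
                "parent_pid": ev.ppid, "image": ev.image}
    return None


def analyse(events):
    """Run both checks over a list of ProcEvent and return the findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for hit in (schtasks_xml_from_temp(ev), self_spawn_placeholder(ev, by_pid)):
            if hit:
                findings.append(hit)
    return findings


# Constructed events mirroring the report's process tree. PIDs 6600 (first
# DOC.exe), 6704 (conhost, from the WilError mutant name) and 6752 (injected
# DOC.exe) are from the report; 4242, 6688 and the explorer.exe parent are assumed.
SAMPLE_EVENTS = [
    ProcEvent(6600, 4242, r"C:\Users\user\Desktop\DOC.exe", r"'C:\Users\user\Desktop\DOC.exe'"),
    ProcEvent(6688, 6600, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp'"),
    ProcEvent(6704, 6688, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6752, 6600, r"C:\Users\user\Desktop\DOC.exe", "{path}"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

On a live host the same task shows up as Updates\CZOIAvjovs in the Task Scheduler library and the tmp3870.tmp XML is usually gone by the time anyone looks, so the process-creation event is the durable record; a legitimate schtasks /Create that references an XML under ProgramData or an installer directory does not trip the first check.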
      Source: C:\Users\user\Desktop\DOC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\DOC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: DOC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: DOC.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: DOC.exe | Static file information: File size 1119744 > 1048576
      Source: C:\Users\user\Desktop\DOC.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: DOC.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x10d000
      Source: DOC.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp
      Source: Binary string: mscorrc.pdb source: DOC.exe, 00000000.00000002.257133468.0000000005380000.00000002.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_00892092 push eax; ret 0_2_00892091
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_0089270D push 00000019h; ret 0_2_0089278C
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_0089272E push 00000019h; ret 0_2_0089278C
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_00892050 push eax; ret 0_2_00892091
      Source: C:\Users\user\Desktop\DOC.exe | Code function: 0_2_05167053 push ss; ret 0_2_05167059
      Source: initial sample | Static PE information: section name: .text entropy: 7.38686348526
      Source: C:\Users\user\Desktop\DOC.exe | File created: C:\Users\user\AppData\Roaming\CZOIAvjovs.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\DOC.exe | File opened: C:\Users\user\Desktop\DOC.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\DOC.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM_3
      Source: Yara match | File source: 00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: DOC.exe, 00000000.00000002.253451433.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLX1
      Source: DOC.exe, 00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: DOC.exe, 00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
      Source: DOC.exe, 00000000.00000002.253451433.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1
      Source: C:\Users\user\Desktop\DOC.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\DOC.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\DOC.exe | Window / User API: threadDelayed 1245
      Source: C:\Users\user\Desktop\DOC.exe | Window / User API: foregroundWindowGot 711
      Source: C:\Users\user\Desktop\DOC.exe | Window / User API: foregroundWindowGot 699
      Source: C:\Users\user\Desktop\DOC.exe TID: 6604 | Thread sleep time: -41500s >= -30000s
      Source: C:\Users\user\Desktop\DOC.exe TID: 6624 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\DOC.exe TID: 6824 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\DOC.exe TID: 6820 | Thread sleep time: -400000s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: DOC.exe, 00000000.00000002.254062953.0000000003309000.00000004.00000001.sdmp | Binary or memory string: VMware
      Source: DOC.exe, 00000000.00000002.253451433.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: vmwareX1
      Source: DOC.exe, 00000000.00000002.254062953.0000000003309000.00000004.00000001.sdmp | Binary or memory string: VMWARE|9
      Source: DOC.exe, 00000000.00000002.253451433.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: q#"SOFTWARE\VMware, Inc.\VMware ToolsX1
      Source: DOC.exe, 00000003.00000003.277447400.00000000012BD000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
      Source: DOC.exe, 00000000.00000002.253451433.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: q&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1
      Source: DOC.exe, 00000000.00000002.254062953.0000000003309000.00000004.00000001.sdmp | Binary or memory string: VMware|9
      Source: DOC.exe, 00000000.00000002.253451433.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIX1
      Source: DOC.exe, 00000000.00000002.254062953.0000000003309000.00000004.00000001.sdmp | Binary or memory string: VMware |9
      Source: DOC.exe, 00000000.00000002.254062953.0000000003309000.00000004.00000001.sdmp | Binary or memory string: VMWARE
      Source: DOC.exe, 00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: DOC.exe, 00000000.00000002.253451433.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: VMWAREX1
      Source: DOC.exe, 00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: DOC.exe, 00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
      Source: DOC.exe, 00000000.00000002.253451433.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: QEMUX1
      Source: DOC.exe, 00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: C:\Users\user\Desktop\DOC.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\DOC.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\DOC.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\DOC.exe Memory written: C:\Users\user\Desktop\DOC.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\DOC.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp'
      Source: C:\Users\user\Desktop\DOC.exe Process created: C:\Users\user\Desktop\DOC.exe {path}
      Source: DOC.exe, 00000003.00000003.355684648.00000000012B0000.00000004.00000001.sdmp Binary or memory string: Program Manager
      Source: DOC.exe, 00000003.00000003.277447400.00000000012BD000.00000004.00000001.sdmp Binary or memory string: Program Manageresktop\
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\DOC.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\DOC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\DOC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DOC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DOC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\DOC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\DOC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\DOC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
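The two behaviour groups above (the MachineGuid registry reads and the repeated ROOT\SecurityCenter2 queries for AntiVirusProduct, AntiSpywareProduct and FirewallProduct) are what an analyst would turn into a triage rule: a user-launched binary that enumerates all three security-product classes, and does so twice, is doing AV discovery, not anything a document viewer needs. The following is an added example written for this page, not code from Joe Sandbox or from the sample; it parses behaviour records in the same "IWbemServices::ExecQuery - namespace : query" form the report prints, tallies per process which SecurityCenter2 classes were enumerated, and attaches the MachineGuid read as context. The event records and the allowlisted consumer (SecurityHealthService.exe) are constructed for illustration; a real deployment would take both from its own telemetry and baseline.

```python
import re
from collections import defaultdict

# The three product classes under ROOT\SecurityCenter2 that the sample queried.
SECURITY_CENTER_CLASSES = {"AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct"}

# Assumed allowlist of processes that legitimately enumerate SecurityCenter2.
# Illustrative only; derive the real list from your own baseline.
EXPECTED_CONSUMERS = {r"c:\windows\system32\securityhealthservice.exe"}

# Registry key holding MachineGuid, as it appears in the report.
MACHINE_GUID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography"

# "IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct"
WMI_RE = re.compile(r"IWbemServices::ExecQuery\s*-\s*(?P<ns>[^\s:]+)\s*:\s*(?P<query>.+)$", re.I)
FROM_RE = re.compile(r"\bFROM\s+(?P<cls>\w+)", re.I)

# Constructed behaviour records in the shape of the sandbox lines above.
SAMPLE_EVENTS = [
    {"process": r"C:\Users\user\Desktop\DOC.exe", "kind": "registry",
     "detail": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid"},
] + [
    {"process": r"C:\Users\user\Desktop\DOC.exe", "kind": "wmi",
     "detail": r"IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM " + cls}
    for cls in ("AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct") * 2  # queried twice
] + [
    {"process": r"C:\Windows\System32\SecurityHealthService.exe", "kind": "wmi",
     "detail": r"IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct"},
]


def parse_wmi(detail: str):
    """Return (namespace lower-cased, class name) for an ExecQuery record, else None."""
    m = WMI_RE.search(detail)
    if not m:
        return None
    f = FROM_RE.search(m.group("query"))
    return (m.group("ns").lower(), f.group("cls")) if f else None


def triage(events):
    """Per process: SecurityCenter2 classes enumerated, query count, MachineGuid read, verdict."""
    per_proc = defaultdict(lambda: {"classes": set(), "query_count": 0, "machine_guid": False})
    for ev in events:
        rec = per_proc[ev["process"]]
        if ev["kind"] == "wmi":
            parsed = parse_wmi(ev["detail"])
            if parsed and parsed[0] == r"root\securitycenter2" and parsed[1] in SECURITY_CENTER_CLASSES:
                rec["classes"].add(parsed[1])
                rec["query_count"] += 1
        elif ev["kind"] == "registry":
            detail = ev["detail"]
            if detail.lower().startswith(MACHINE_GUID_KEY.lower()) and detail.split()[-1].lower() == "machineguid":
                rec["machine_guid"] = True  # stable host identifier, typical RAT victim-ID input

    results = {}
    for proc, rec in per_proc.items():
        if proc.lower() in EXPECTED_CONSUMERS:
            verdict = "expected"
        elif rec["classes"] == SECURITY_CENTER_CLASSES:
            verdict = "suspicious"  # full AV/AS/FW enumeration from an unexpected process
        elif rec["classes"]:
            verdict = "review"
        else:
            verdict = "none"
        results[proc] = {**rec, "classes": sorted(rec["classes"]), "verdict": verdict}
    return results


if __name__ == "__main__":
    for proc, r in triage(SAMPLE_EVENTS).items():
        print(f"{proc}: {r['verdict']} classes={r['classes']} queries={r['query_count']} machine_guid={r['machine_guid']}")
```

The rule keys on the combination rather than on any single query: one AntiVirusProduct lookup is common in legitimate installers, whereas all three classes from a process under the user's Desktop, repeated, is the discovery pattern the report flags.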

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat
Source: DOC.exe, 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPComm
andHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: DOC.exe, 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem
.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: DOC.exe, 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateD
irectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: DOC.exe PID: 6600, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Command and Scripting Interpreter 2 | Boot or Logon Initialization Scripts | Process Injection 112 | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Scheduled Task/Job 1 | Logon Script (Windows) | Scheduled Task/Job 1 | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 112 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

      Behavior Graph

      Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label | Link
      DOC.exe | 19% | ReversingLabs | |

      Dropped Files

      Source | Detection | Scanner | Label | Link
      C:\Users\user\AppData\Roaming\CZOIAvjovs.exe | 19% | ReversingLabs | |

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label | Link
      http://www.zhongyicts.com.cnue | 0% | Avira URL Cloud | safe |
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/Webd | 0% | Avira URL Cloud | safe |
      http://www.jiyu-kobo.co.jp/jp/0 | 0% | Avira URL Cloud | safe |
      http://www.tiro.com | 0% | URL Reputation | safe |
      http://www.goodfont.co.kr | 0% | URL Reputation | safe |
      http://www.carterandcone.com | 0% | URL Reputation | safe |
      http://www.sajatypeworks.com | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/9 | 0% | Avira URL Cloud | safe |
      http://www.typography.netD | 0% | URL Reputation | safe |
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
      http://fontfabrik.com | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/jp/f | 0% | Avira URL Cloud | safe |
      http://www.fontbureau.comcom | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/0 | 0% | Avira URL Cloud | safe |
      http://www.fontbureau.com0 | 0% | Avira URL Cloud | safe |
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe |
      http://www.sandoll.co.kr | 0% | URL Reputation | safe |
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/Regux | 0% | Avira URL Cloud | safe |
      http://www.sakkal.com | 0% | URL Reputation | safe |
      http://www.carterandcone.como.Z | 0% | Avira URL Cloud | safe |
      http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
      http://www.fontbureau.comF | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/S | 0% | Avira URL Cloud | safe |
      http://www.sajatypeworks.comeuG | 0% | Avira URL Cloud | safe |
      http://www.jiyu-kobo.co.jp/J | 0% | Avira URL Cloud | safe |
      http://www.galapagosdesign.com/A | 0% | Avira URL Cloud | safe |
      http://www.fontbureau.comsiefx | 0% | Avira URL Cloud | safe |
      http://www.fontbureau.comlicdS | 0% | Avira URL Cloud | safe |
      http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/Conn | 0% | Avira URL Cloud | safe |
      http://www.carterandcone.coml | 0% | URL Reputation | safe |
      http://www.fontbureau.com.TTFJ | 0% | Avira URL Cloud | safe |
      http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
      http://www.carterandcone.comizey | 0% | Avira URL Cloud | safe |
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
      http://www.jiyu-kobo.co.jp/x | 0% | URL Reputation | safe |
      http://www.sajatypeworks.comte? | 0% | Avira URL Cloud | safe |
      http://www.jiyu-kobo.co.jp/anie | 0% | Avira URL Cloud | safe |
      http://www.jiyu-kobo.co.jp/Y0so | 0% | Avira URL Cloud | safe |
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.zhongyicts.com.cnue | DOC.exe, 00000000.00000003.242216750.000000000542C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.fontbureau.com/designersG | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | | high
      http://www.fontbureau.com/designers/? | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | | high
      http://www.founder.com.cn/cn/bThe | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers? | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | | high
      http://www.jiyu-kobo.co.jp/Webd | DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.jiyu-kobo.co.jp/jp/0 | DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.tiro.com | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | | high
      http://www.goodfont.co.kr | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.carterandcone.com | DOC.exe, 00000000.00000003.242614903.000000000541A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.sajatypeworks.com | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.jiyu-kobo.co.jp/9 | DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.typography.netD | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.founder.com.cn/cn/cThe | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.galapagosdesign.com/staff/dennis.htm | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://fontfabrik.com | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.jiyu-kobo.co.jp/jp/f | DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.fontbureau.comcom | DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.jiyu-kobo.co.jp/0 | DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.fontbureau.com0 | DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.galapagosdesign.com/DPlease | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.jiyu-kobo.co.jp/Y0 | DOC.exe, 00000000.00000003.243289341.0000000005426000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fonts.com | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | | high
      http://www.sandoll.co.kr | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.urwpp.deDPlease | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.zhongyicts.com.cn | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.jiyu-kobo.co.jp/Regux | DOC.exe, 00000000.00000003.243289341.0000000005426000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.sakkal.com | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.carterandcone.como.Z | DOC.exe, 00000000.00000003.242274345.000000000542D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.apache.org/licenses/LICENSE-2.0 | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, DOC.exe, 00000000.00000003.242124625.000000000541D000.00000004.00000001.sdmp | false | | high
      http://www.fontbureau.com | DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp | false | | high
      http://www.galapagosdesign.com/ | DOC.exe, 00000000.00000003.244700687.000000000542A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.comF | DOC.exe, 00000000.00000003.244081653.0000000005426000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.jiyu-kobo.co.jp/S | DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.fontbureau.com/f | DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | false | | high
      http://www.sajatypeworks.comeuG | DOC.exe, 00000000.00000003.240828716.000000000542B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.jiyu-kobo.co.jp/J | DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.galapagosdesign.com/A | DOC.exe, 00000000.00000003.244700687.000000000542A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.fontbureau.comsiefx | DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.fontbureau.comlicdS | DOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
      http://www.jiyu-kobo.co.jp/jp/ | DOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.jiyu-kobo.co.jp/ConnDOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.carterandcone.comlDOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.com.TTFJDOC.exe, 00000000.00000003.244365755.000000000542B000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.founder.com.cn/cn/DOC.exe, 00000000.00000003.241955458.000000000542D000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.carterandcone.comizeyDOC.exe, 00000000.00000003.242614903.000000000541A000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.fontbureau.com/designers/cabarga.htmlNDOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpfalse
                        high
                        http://www.founder.com.cn/cnDOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.jiyu-kobo.co.jp/xDOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designers/frere-jones.htmlDOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpfalse
                          high
                          http://www.sajatypeworks.comte?DOC.exe, 00000000.00000003.240828716.000000000542B000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/anieDOC.exe, 00000000.00000003.242822237.0000000005426000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/Y0soDOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmp, DOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers8DOC.exe, 00000000.00000002.257492311.0000000005622000.00000004.00000001.sdmpfalse
                            high
                            http://www.fontbureau.comgrita9DOC.exe, 00000000.00000002.257330031.0000000005426000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/hDOC.exe, 00000000.00000003.243551878.0000000005426000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.comFm.DOC.exe, 00000000.00000002.257330031.0000000005426000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.jiyu-kobo.co.jp/fDOC.exe, 00000000.00000003.242988653.0000000005426000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.fontbureau.comgretaJDOC.exe, 00000000.00000003.245481149.000000000542A000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
23.105.131.162 | unknown | United States | 396362 | LEASEWEB-USA-NYC-11US | true

                            General Information

                            Joe Sandbox Version:31.0.0 Red Diamond
                            Analysis ID:319643
                            Start date:18.11.2020
                            Start time:14:12:30
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 6m 24s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:DOC.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:24
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@6/7@0/1
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 14.3% (good quality ratio 8.7%)
                            • Quality average: 38.1%
                            • Quality standard deviation: 36.2%
                            HCA Information:
                            • Successful, ratio: 79%
                            • Number of executed functions: 109
                            • Number of non-executed functions: 16
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
14:13:27 | API Interceptor | 1016x Sleep call for process: DOC.exe modified

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                            No context

                            ASN

Match: LEASEWEB-USA-NYC-11US

Associated Sample Name / URL | Detection | Context
Shipping_Details.exe | malicious | 23.105.131.165
2AyWKsCvVF.exe | malicious | 192.253.246.143
tn9jVPvlMSqAUX5.exe | malicious | 23.105.131.229
HLiw2LPA8i.rtf | malicious | 192.253.246.143
TDToxqrclL.exe | malicious | 23.105.131.177
Ziiq5tI3CT.exe | malicious | 23.105.131.239
f3wo2FuLN6.exe | malicious | 192.253.246.143
ORDER INQUIRY.pdf.exe | malicious | 23.105.131.177
Purchase Order 4500033557.pdf.exe | malicious | 23.105.131.177
SecuriteInfo.com.Trojan.DownLoader35.34609.25775.exe | malicious | 192.253.246.138
Proof_of_payment.xlsm | malicious | 23.105.131.217
invoice tax.xlsm | malicious | 23.105.131.217
SHIPPING DOCUMENTS.pdf.exe | malicious | 23.105.131.177
Payment_Order_20201111.xlsx | malicious | 192.253.246.138
TLpMnhJmg7.exe | malicious | 192.253.246.143
HDyADDoI3I.exe | malicious | 192.253.246.143
11.exe | malicious | 173.234.155.145
53C29QAJnd.exe | malicious | 173.234.155.145
OMQZvmAmCj.exe | malicious | 173.234.155.145
gH4o5FCHAE.exe | malicious | 173.234.155.145

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\DOC.exe.log
                            Process:C:\Users\user\Desktop\DOC.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):641
                            Entropy (8bit):5.271473536084351
                            Encrypted:false
                            SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2u7x5I6Hi0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2I3rOz2T
                            MD5:C3EC08CD6BEA8576070D5A52B4B6D7D0
                            SHA1:40B95253F98B3CC5953100C0E71DAC7915094A5A
                            SHA-256:28B314C3E5651414FD36B2A65B644A2A55F007A34A536BE17514E12CEE5A091B
                            SHA-512:5B0E6398A092F08240DC6765425E16DB52F32542FF7250E87403C407E54B3660EF93E0EAD17BA2CEF6B666951ACF66FA0EAD61FB52E80867DDD398E8258DED22
                            Malicious:true
                            Reputation:moderate, very likely benign file
                            Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\d05d469d89b319a068f2123e7e6f8621\System.Web.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                            C:\Users\user\AppData\Local\Temp\tmp3870.tmp
                            Process:C:\Users\user\Desktop\DOC.exe
                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1659
                            Entropy (8bit):5.176378890983135
                            Encrypted:false
                            SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBAqPMtn:cbhH7MlNQ8/rydbz9I3YODOLNdq32
                            MD5:8D3271AEF7B24B0FBA2824A6FDCB3175
                            SHA1:BB1BE4542A6924BB767F5E2929ED3724E31F566B
                            SHA-256:481AD806BE0C55F5D357C2196FA5C451CC9529106116DA6D070BD5BCE626B072
                            SHA-512:45A249B869B041FBCA277F07722997D600028546953F80643137980FDDB268FFAC44E1AD65BB2FA07F6C32C2B7B4C9003DDD6FF701C4196158258C87337CD3E0
                            Malicious:true
                            Reputation:low
                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                            C:\Users\user\AppData\Roaming\CZOIAvjovs.exe
                            Process:C:\Users\user\Desktop\DOC.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):1119744
                            Entropy (8bit):7.3796673297276865
                            Encrypted:false
                            SSDEEP:12288:ZivDqJF9EWc+ylc3UognpsVjxonj4GdnfKM3yvt8LFOcc6WkFRJtsbUpmmEvx74F:cuJFHJipkj+nkGdnf73y18bWkbzswH
                            MD5:6AD10F04AFB24C96187B76129225C00C
                            SHA1:561FED791A4A4A10EC9889E3E30F0C4E0DB80FD0
                            SHA-256:C8D2F56A87705F11451E14E6ED7FE90A5B995B3E7F668811FB2F43A8F4325579
                            SHA-512:622A5C80012D121D765DC57436F06B321379AED457DB210ECAF68ABFD2E6462F2A20FF16ABE948014C6E3B060D4A62E087A3BF0AB6E7A83CE76C34B216678302
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 19%
                            Reputation:low
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._..............0......D......^.... ........@.. ....................................@.....................................W........A...................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc....A.......B..................@..@.reloc.......`......................@..B................@.......H....... 6................. ..............................................S.DMy.4.Y....g5'............jT.......=...!rXF.T.yI..XB..6P.EQ..;..e....m...:......gy..SP.g.[...C....#.6.......F..u,....Zk6...X.....sm.Y>.H.L...S..5.O..a>.-.<w.....w.#.....:.=.w.@.X....Vi..e5...'e....Pl7G....i.....p1lE...]..R....K..f..UqO...^..X3..n.t......%.v..\.b.-.....Xp..@.Hn...Lq...*..;."K.....#Q.H1...M.W.......>...i.\.#.._y...a.....l..6...AO.*G...\S.3m..J...<Hp.f........W
                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                            Process:C:\Users\user\Desktop\DOC.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):232
                            Entropy (8bit):7.024371743172393
                            Encrypted:false
                            SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                            MD5:32D0AAE13696FF7F8AF33B2D22451028
                            SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                            SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                            SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                            Process:C:\Users\user\Desktop\DOC.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):8
                            Entropy (8bit):3.0
                            Encrypted:false
                            SSDEEP:3:mqh:mC
                            MD5:FCDEA6ED59DF2E5154B0CF3F084BF8DF
                            SHA1:B8C1743A845038E38892E7CA8240FC2C68EF443E
                            SHA-256:07D3164F04628B1D3D1819E04C0C0AE83FD6DC72199976349A0956152091C478
                            SHA-512:FEB7ABF35FD28E282C7E76C1A68338A0DE2C8D8B9B13A771A16EDD6C1D1E811F14602A26C1D50624F6030AA9241E472E12B618386A6ADD90DB48930671D24423
                            Malicious:true
                            Reputation:low
                            Preview: .../...H
                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                            Process:C:\Users\user\Desktop\DOC.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):40
                            Entropy (8bit):5.221928094887364
                            Encrypted:false
                            SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
                            MD5:AE0F5E6CE7122AF264EC533C6B15A27B
                            SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
                            SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
                            SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview: 9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
                            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                            Process:C:\Users\user\Desktop\DOC.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):426840
                            Entropy (8bit):7.999608491116724
                            Encrypted:true
                            SSDEEP:12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
                            MD5:963D5E2C9C0008DFF05518B47C367A7F
                            SHA1:C183D601FABBC9AC8FBFA0A0937DECC677535E74
                            SHA-256:5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
                            SHA-512:0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.3796673297276865
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:DOC.exe
                            File size:1119744
                            MD5:6ad10f04afb24c96187b76129225c00c
                            SHA1:561fed791a4a4a10ec9889e3e30f0c4e0db80fd0
                            SHA256:c8d2f56a87705f11451e14e6ed7fe90a5b995b3e7f668811fb2f43a8f4325579
                            SHA512:622a5c80012d121d765dc57436f06b321379aed457db210ecaf68abfd2e6462f2a20ff16abe948014c6e3b060d4a62e087a3bf0ab6e7a83ce76c34b216678302
                            SSDEEP:12288:ZivDqJF9EWc+ylc3UognpsVjxonj4GdnfKM3yvt8LFOcc6WkFRJtsbUpmmEvx74F:cuJFHJipkj+nkGdnf73y18bWkbzswH
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............0......D......^.... ........@.. ....................................@................................

                            File Icon

                            Icon Hash:f8c492aaaa92dcfe

                            Static PE Info

                            General

                            Entrypoint:0x50ee5e
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x5FB4A4C5 [Wed Nov 18 04:36:21 2020 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:v2.0.50727
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                            Entrypoint Preview

                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al

                            Data Directories

                            Name                                  Virtual Address  Virtual Size  Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x10ee04         0x57          .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x110000         0x41a8        .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x116000         0xc           .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                            Sections

                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                            .text   0x2000           0x10ce64      0x10d000  False     0.694431234026   data       7.38686348526   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            .rsrc   0x110000         0x41a8        0x4200    False     0.503432765152   data       5.45039345339   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc  0x116000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Resources

                            Name           RVA       Size    Type                                                                                                                                  Language  Country
                            RT_ICON        0x110190  0x468   GLS_BINARY_LSB_FIRST
                            RT_ICON        0x1105f8  0x10a8  dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4275388049, next used block 4258479509
                            RT_ICON        0x1116a0  0x25a8  dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 3771611807, next used block 3167566498
                            RT_GROUP_ICON  0x113c48  0x30    data
                            RT_VERSION     0x113c78  0x344   data
                            RT_MANIFEST    0x113fbc  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                            Imports

                            DLL          Import
                            mscoree.dll  _CorExeMain

                            Version Infos

                            Description       Data
                            Translation       0x0000 0x04b0
                            LegalCopyright    Copyright 2017
                            Assembly Version  1.0.0.0
                            InternalName      d.exe
                            FileVersion       1.0.0.0
                            CompanyName
                            LegalTrademarks
                            Comments
                            ProductName       Clinic Management System
                            ProductVersion    1.0.0.0
                            FileDescription   Clinic Management System
                            OriginalFilename  d.exe

                            Network Behavior

                            Snort IDS Alerts

                            Timestamp                 Protocol  SID      Message                              Source Port  Dest Port  Source IP    Dest IP
                            11/18/20-14:13:34.045618  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49723        4040       192.168.2.7  23.105.131.162

                            Network Port Distribution

                            TCP Packets

                            Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                            Nov 18, 2020 14:13:33.600183010 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:34.005378008 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:34.005552053 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:34.045618057 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:34.496907949 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:34.525669098 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:34.974037886 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:35.205224037 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:35.245909929 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:35.658174992 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:35.685698986 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.186507940 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.497425079 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.499332905 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.499439001 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.508373976 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.508555889 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.508594036 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.508697033 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.508867025 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.508979082 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.515528917 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.518650055 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.518789053 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.518896103 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.519356012 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.520392895 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.922518015 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.924273014 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.924427032 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.925810099 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.927284956 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.927381039 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.941277981 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.950264931 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.950380087 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.952456951 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.952718019 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.952824116 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.956509113 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.969232082 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.969285011 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.969333887 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.969424963 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.969526052 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.969541073 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.975753069 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.978308916 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.978502035 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.980390072 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.980462074 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.980479956 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.982404947 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.982477903 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:36.985758066 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.988337040 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:36.988409996 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.379363060 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.381352901 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.381527901 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.383512020 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.392493010 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.392658949 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.392733097 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.396400928 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.396483898 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.398395061 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.402513027 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.402565002 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.402647972 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.411446095 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.411521912 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.411577940 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.411645889 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.411701918 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.415158033 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.418374062 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.418505907 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.421237946 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.439531088 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.439574957 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.439678907 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.439692020 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.439747095 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.439862013 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.439968109 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.440030098 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.440036058 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.442368984 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.442516088 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.452541113 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.456428051 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.456577063 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.458225965 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.462277889 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.462379932 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.468354940 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.468463898 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.468532085 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.475269079 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.481314898 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.481498003 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.485162973 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.486346960 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.486447096 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.500669956 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.555607080 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.807833910 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.808765888 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.808945894 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.812278986 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.817183018 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.817389011 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.818639994 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.824270010 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.824455023 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.824475050 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.834431887 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.834518909 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.836251020 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.839457035 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.839529037 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.839585066 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.842514992 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.842617035 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.846568108 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.856520891 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.856590986 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.859303951 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.868360043 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.868464947 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.869999886 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.870815039 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.870917082 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.871362925 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.882571936 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.882637978 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.882749081 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.886279106 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.886410952 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.886442900 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.889790058 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.889858961 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.894429922 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.897279024 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.897412062 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.900322914 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.903449059 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.903541088 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.906827927 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.909449100 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.909548044 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.913381100 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.915678978 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.915760040 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.919976950 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.922347069 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.922455072 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.932275057 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.935290098 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.935452938 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.935545921 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.937297106 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.937499046 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.938191891 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.941287994 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.941482067 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.950598955 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.950656891 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.950781107 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.950862885 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.952227116 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.952414036 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.954229116 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.957231998 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.957372904 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.969343901 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.969432116 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.969604969 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:37.970452070 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.972585917 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:37.972712040 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.031610966 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.086900949 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.232248068 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.265310049 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.265446901 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.279458046 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.284291983 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.284358025 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.285329103 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.285538912 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.285604954 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.285609961 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.285810947 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.285864115 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.288126945 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.298248053 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.298321009 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.300194025 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.302176952 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.302237034 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.302376986 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.312290907 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.312372923 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.314202070 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.317224979 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.317305088 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.320163012 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.331487894 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.331552029 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.331581116 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.337193966 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.337275028 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.337323904 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.343235970 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.343322992 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.347223043 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.353442907 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.353524923 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.359266996 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.364736080 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.364830971 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.365300894 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.368207932 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.368393898 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.380245924 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.383275032 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.383375883 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.387213945 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.398207903 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.398279905 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.402272940 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.405127048 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.405188084 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.414201975 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.420407057 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.420475960 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.423279047 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.425463915 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.425543070 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.434163094 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.434475899 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.434554100 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.436230898 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.447741985 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.447818041 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.451283932 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.451484919 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.451567888 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.460273981 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.462830067 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.462907076 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.472768068 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.472982883 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.473045111 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.481281996 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.481499910 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.481663942 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.509304047 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.551363945 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.746803045 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.755449057 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.755518913 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.760224104 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.761519909 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.761593103 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.771027088 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.771428108 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.771496058 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.774214983 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.783540010 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.783601046 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.792416096 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.794435978 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.794557095 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.799307108 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.803261042 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.803339958 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.806750059 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.818408966 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.818495035 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.819492102 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.819586992 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.819638968 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.821811914 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.831916094 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.832001925 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.836802959 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.840450048 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.840543985 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.843533039 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.843688011 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.843750954 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.846303940 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.857810020 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.857907057 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.857966900 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.862325907 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.862435102 CET  49723        4040       192.168.2.7     23.105.131.162
                            Nov 18, 2020 14:13:38.867366076 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.871936083 CET  4040         49723      23.105.131.162  192.168.2.7
                            Nov 18, 2020 14:13:38.872047901 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.872489929 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.881356001 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.881442070 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.881472111 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.881577015 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.881629944 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.890490055 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.892508030 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.892565012 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.892632961 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.897645950 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.897736073 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.907912970 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.907954931 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.908019066 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.913094044 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.913139105 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.913188934 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.914216042 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.918102980 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.918173075 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.926590919 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.932272911 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.932391882 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.936938047 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.938509941 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.938611984 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.947783947 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.948609114 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:38.948667049 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:38.957425117 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.004365921 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.004489899 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.230467081 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.231443882 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.231548071 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.235591888 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.241597891 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.241689920 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.242214918 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.251440048 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.251527071 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.251663923 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.261205912 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.261307001 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.266287088 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.271266937 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.271354914 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.276196957 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.276345968 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.276407957 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.287347078 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.289370060 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.289407969 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.289496899 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.292372942 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.292490959 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.303265095 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.306241989 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.306349993 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.306456089 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.317312956 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.317442894 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.320256948 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.326215982 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.326334000 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.326436043 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.337291956 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.337455988 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.341167927 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.348325968 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.348360062 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.348483086 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.352611065 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.352725029 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.355329037 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.366372108 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.366525888 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.369230986 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.373307943 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.373411894 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.377327919 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.380256891 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.380434036 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.392307043 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.392384052 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.393712997 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.397294998 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.402259111 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.402358055 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.406287909 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.412672043 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.412810087 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.413757086 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.419307947 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.419420958 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.424704075 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.424758911 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.424925089 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.428293943 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.432202101 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.433166027 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.435520887 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.446371078 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.446511030 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.446660995 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.446729898 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.447045088 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.455542088 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.460431099 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.461147070 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.464219093 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.465471029 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.465555906 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.469513893 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.470269918 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.470354080 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.473258972 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.477349043 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.477855921 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.487390041 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.489528894 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.489777088 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.494187117 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.494369030 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.494452953 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:39.701077938 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:39.758845091 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:40.559827089 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:41.065310001 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:41.069071054 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:41.539930105 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:42.386992931 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:42.430984020 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:42.856029987 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:42.899743080 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:43.040785074 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:43.531240940 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:43.531399965 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:44.243596077 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:44.463924885 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:44.464131117 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:44.653022051 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:44.888906002 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:44.993616104 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:45.421412945 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:45.421442032 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:45.428946018 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:45.852060080 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:45.853012085 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:46.509363890 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:46.601991892 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:46.602092028 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:46.915100098 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:47.212604046 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:47.626844883 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:47.933096886 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:47.978277922 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:49.424201012 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:49.478439093 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:51.963968992 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:52.437071085 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:54.446891069 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:54.494416952 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:56.011502981 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:56.057483912 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:57.152867079 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:13:57.621956110 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:59.448976040 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:13:59.494846106 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:02.158514977 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:02.677052021 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:04.083436966 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:04.135878086 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:04.542207003 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:04.589205027 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:05.174321890 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:05.175184965 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:07.231300116 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:07.701895952 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:09.458955050 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:09.637315989 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:10.094880104 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:10.097470999 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:12.138910055 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:12.277702093 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:12.805922031 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:14.463505983 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:14.592731953 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:17.372348070 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:17.837158918 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:19.505219936 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:19.546545982 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:20.221899033 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:20.262247086 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:22.408994913 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:22.867119074 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:24.483973026 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:24.559443951 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:28.284923077 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:28.328243017 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:28.405688047 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:28.856039047 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:29.494967937 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:29.544253111 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:30.142999887 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:30.143902063 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:33.405129910 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:33.877310991 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:34.489867926 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:34.544764996 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:36.315957069 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:36.357413054 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:39.405082941 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:39.501461983 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:39.545111895 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:39.868098021 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:44.378627062 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:44.420504093 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:44.857544899 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:44.904921055 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:45.406179905 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:45.435642004 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:45.435857058 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:45.887408018 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:49.516927958 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:49.686619043 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:50.103910923 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:50.104078054 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:51.406605959 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:51.853069067 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:52.431849003 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:52.483800888 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:54.521119118 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:54.561992884 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:56.406830072 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:14:56.881160021 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:59.521985054 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:14:59.562448978 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:00.465532064 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:00.515604973 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:02.063333035 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:02.594017982 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:03.156455994 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:03.614487886 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:04.544008017 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:04.594269037 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:08.063925982 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:08.517343044 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:08.522231102 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:08.563179016 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:09.549892902 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:09.594414949 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:14.064495087 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:14.534200907 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:14.544502020 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:14.594943047 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:16.572649002 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:16.626422882 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:19.543214083 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:19.595460892 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:20.064862967 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:20.514091969 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:24.567984104 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:24.611378908 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:25.010440111 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:25.064625025 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:26.065495968 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:26.524050951 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:29.575103045 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:29.627510071 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:31.299756050 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:31.680146933 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:32.720334053 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:32.768286943 CET497234040192.168.2.723.105.131.162
                            Nov 18, 2020 14:15:34.564986944 CET40404972323.105.131.162192.168.2.7
                            Nov 18, 2020 14:15:34.612165928 CET497234040192.168.2.723.105.131.162

                            Code Manipulations

                            Statistics

                            CPU Usage

                            Memory Usage

                            High Level Behavior Distribution

                            Behavior

                            System Behavior

                            General

                            Start time: 14:13:24
                            Start date: 18/11/2020
                            Path: C:\Users\user\Desktop\DOC.exe
                            Wow64 process (32bit): true
                            Commandline: 'C:\Users\user\Desktop\DOC.exe'
                            Imagebase: 0x890000
                            File size: 1119744 bytes
                            MD5 hash: 6AD10F04AFB24C96187B76129225C00C
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: .Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.253582659.0000000002FFC000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.254195888.0000000003FBD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.255252413.0000000004173000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation: low

                            General

                            Start time:14:13:29
                            Start date:18/11/2020
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\CZOIAvjovs' /XML 'C:\Users\user\AppData\Local\Temp\tmp3870.tmp'
                            Imagebase:0xf00000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:14:13:29
                            Start date:18/11/2020
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff774ee0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:14:13:30
                            Start date:18/11/2020
                            Path:C:\Users\user\Desktop\DOC.exe
                            Wow64 process (32bit):true
                            Commandline:{path}
                            Imagebase:0xaf0000
                            File size:1119744 bytes
                            MD5 hash:6AD10F04AFB24C96187B76129225C00C
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: NanoCore, Description: unknown, Source: 00000003.00000003.270319895.000000000477B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:low

                            Disassembly

                            Code Analysis

                              Executed Functions

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: ($s$w$x
                              • API String ID: 0-2460560302
                              • Opcode ID: 9239a7bb5ca4a081e44b2578c364e8b760c88d6cb72655ba1929e2ff12f55b6f
                              • Instruction ID: fc96182422d8a5a8259cf4cbe48c82839dec6a8efe2595e161e9660915d769fe
                              • Opcode Fuzzy Hash: 9239a7bb5ca4a081e44b2578c364e8b760c88d6cb72655ba1929e2ff12f55b6f
                              • Instruction Fuzzy Hash: DC72DE70D46229CFDB64DF69C884BEDB7B2BB49304F1095EA800AA7291DB745EC5CF41
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: v$z
                              • API String ID: 0-3993351284
                              • Opcode ID: d63ae54ea9fa9cf267cc953f05d1252910ec2e200554170929d2a28bdcc5426d
                              • Instruction ID: 7cd15b3d486d99478d1f312f20c36723effda3b48fcc8b27ec3dfd22d1539044
                              • Opcode Fuzzy Hash: d63ae54ea9fa9cf267cc953f05d1252910ec2e200554170929d2a28bdcc5426d
                              • Instruction Fuzzy Hash: E1C15E74C1A298CFEB24CF65D448BEDBBB6BB86705F109C99D00A67291CB784AC4CF05
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: v$z
                              • API String ID: 0-3993351284
                              • Opcode ID: b6bfce8e124144252c536e894be5ecbe5ea130d61677399cba1e48da26fd963a
                              • Instruction ID: f4fe2638fb8e720b5167bde7c72937b5e6e4d4cb365c245c3c85903b50d06ccc
                              • Opcode Fuzzy Hash: b6bfce8e124144252c536e894be5ecbe5ea130d61677399cba1e48da26fd963a
                              • Instruction Fuzzy Hash: E7A16D74D1525CCFEB24DF65D444BBDBBB6BB8A705F1098A9D00AA7290DB784AC4CF04
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: LaVZ$jR~
                              • API String ID: 0-3286283175
                              • Opcode ID: 3182c4a9d7619acd6a2d70144ec03f688525f07a5f2c934a0438790ad21a05f6
                              • Instruction ID: ccf8d32a0f59fece7c1e6a07413b5c32b34a9a5b8344d7084c2adf3d1328b5e6
                              • Opcode Fuzzy Hash: 3182c4a9d7619acd6a2d70144ec03f688525f07a5f2c934a0438790ad21a05f6
                              • Instruction Fuzzy Hash: CA711374E01209DFCB08CFA9C994AADBBF2FF89300F64816AD405AB354DB395A46CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: LaVZ$jR~
                              • API String ID: 0-3286283175
                              • Opcode ID: 252a551d79f56ede24a1e02e8d4baf09baf21758e4a9a45e1f1f36c13eb00eb8
                              • Instruction ID: 9b601080dff678c01aee166e46ded8fa6f18b67f5bd0bf8e798c7b896db6d5cb
                              • Opcode Fuzzy Hash: 252a551d79f56ede24a1e02e8d4baf09baf21758e4a9a45e1f1f36c13eb00eb8
                              • Instruction Fuzzy Hash: F961CF74E01209DFCB08CFA9D994AAEBBF2BF88304F20816AD405AB354DB355A468F50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05BD1623
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: AdjustPrivilegesToken
                              • String ID:
                              • API String ID: 2874748243-0
                              • Opcode ID: f71da1b14ecf985bdb5504baf745a380a92634b22e45522c714560f92ab83e4d
                              • Instruction ID: 22eba3312eb459c8017eb4b29b7b023a8a6b451b984a0cf0cd94dab0cc98081e
                              • Opcode Fuzzy Hash: f71da1b14ecf985bdb5504baf745a380a92634b22e45522c714560f92ab83e4d
                              • Instruction Fuzzy Hash: 9821A1765097809FDB238F25DC44B52FFB4EF06210F0885EAE9858F163E275A908CB72
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtQuerySystemInformation.NTDLL ref: 05BD1791
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: InformationQuerySystem
                              • String ID:
                              • API String ID: 3562636166-0
                              • Opcode ID: eb0ece9930d8c6a0fb3abed68764f9c7ae89fa1d49a5384e1d5a7131b846e60a
                              • Instruction ID: b1269473f038189e0d53541f96b18a56663fa7d13b22cc7f182677157f960439
                              • Opcode Fuzzy Hash: eb0ece9930d8c6a0fb3abed68764f9c7ae89fa1d49a5384e1d5a7131b846e60a
                              • Instruction Fuzzy Hash: 1A118E724093C09FDB228B25DC45A62FFB4EF06314F09C4DAE9848F263D275A908CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 05BD1623
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: AdjustPrivilegesToken
                              • String ID:
                              • API String ID: 2874748243-0
                              • Opcode ID: 4a1a1cf99988645cb6fe977427124e50e41779b239d4b5a8813ce5a1f20c80be
                              • Instruction ID: 318efc333e1cf89488c4dcecdf88b444ba06678c6be43b21b7a1b5071c574835
                              • Opcode Fuzzy Hash: 4a1a1cf99988645cb6fe977427124e50e41779b239d4b5a8813ce5a1f20c80be
                              • Instruction Fuzzy Hash: 591170755047009FDB21CF69E884B66FBE5EF04620F0884AAED458B651E376E418CF71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtQuerySystemInformation.NTDLL ref: 05BD1791
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: InformationQuerySystem
                              • String ID:
                              • API String ID: 3562636166-0
                              • Opcode ID: be1623e292de5d25d7b9b37331f1096594c859543611194a68529588f5b13066
                              • Instruction ID: 53cc7e73d403ff0d7929d7deec3f7b6ca0828d9d9f2a39177f0ff924dbad070d
                              • Opcode Fuzzy Hash: be1623e292de5d25d7b9b37331f1096594c859543611194a68529588f5b13066
                              • Instruction Fuzzy Hash: 2B018F755042409FDB61CF59E984B61FFA1FF08720F08C59ADE894B221D375A418CBB2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e4df23a99b5c47ab8de8b5ccb96703ee6390661be88f5095b7bc1fe54c9a19e3
                              • Instruction ID: 1a7ed79c67abfad821e86eafd70346c8a72280bdb790292cff3c77d361bdb34c
                              • Opcode Fuzzy Hash: e4df23a99b5c47ab8de8b5ccb96703ee6390661be88f5095b7bc1fe54c9a19e3
                              • Instruction Fuzzy Hash: 85E1AE7890420ADFCB18CFA4C9859AEFBB2FF48350B548655D421BB215C734EB61CF62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9f2d5181bd4a37c0bf52380dc0142ea6f95bf3ce84b9000c9901531b475173dc
                              • Instruction ID: ae3888a6ecc2fba165061283a8dcf8b393e2620e07c3ff927549927ed3d9599c
                              • Opcode Fuzzy Hash: 9f2d5181bd4a37c0bf52380dc0142ea6f95bf3ce84b9000c9901531b475173dc
                              • Instruction Fuzzy Hash: ECB1D378D08209CFDB14CF99C484AEEBBFABF49300F259229D819BB255D770A955CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 123d89dc73baa4d29fbd4c12e2eb83ad6b6834d41293467f5d63825be134b22f
                              • Instruction ID: 71383d0b09d24350a31fda16d4b8451602e4c7af7ca71cea622b1cb469d92adf
                              • Opcode Fuzzy Hash: 123d89dc73baa4d29fbd4c12e2eb83ad6b6834d41293467f5d63825be134b22f
                              • Instruction Fuzzy Hash: 0EC16C78D0520ADFCB18CFA4D5848AEFBB2FF48311B659555C425BB214C730EA92CFA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 90700d4cff8f560080e9aa8c67b36f26743399a949aa028e9ad9e20cc34ccf24
                              • Instruction ID: 45795b6601d2263ae9c2b2225024174ca4e47b8c018ad609073bfcacb4d8127e
                              • Opcode Fuzzy Hash: 90700d4cff8f560080e9aa8c67b36f26743399a949aa028e9ad9e20cc34ccf24
                              • Instruction Fuzzy Hash: CB514570E042499FDB08CFAAD544AAEFBF2FB89311F14C06AD419BB254D7349A41CFA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: db938095d51d2110f24bcdb9d2a310086ade3df11d6874e5bb90fa34a1ce7c24
                              • Instruction ID: 2beef87aead17d16b57cd0f4fd4410fda6935ec5451e159f49d063bb7932c2ed
                              • Opcode Fuzzy Hash: db938095d51d2110f24bcdb9d2a310086ade3df11d6874e5bb90fa34a1ce7c24
                              • Instruction Fuzzy Hash: C341E275D11209EFDB18CFA9E5889AEFBB2FF88300F14D16AD805A7254E7309A51CF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c23d810333342c95b18836c37c19c491f9568ecb86ba05c7f663e5e9e40260e5
                              • Instruction ID: 9a1630fa11ca9b3581a1bc07a74fe2b2d79b14fd0f00d7423aff6601254fc700
                              • Opcode Fuzzy Hash: c23d810333342c95b18836c37c19c491f9568ecb86ba05c7f663e5e9e40260e5
                              • Instruction Fuzzy Hash: 4841C0B5D11209EFDB18CFA9E5888AEFBB2FF88300F14D16AD805A7254D7309A51CF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a56a9a30ef2012127b917a59f2d363f2feb7ef4f35e8a2a621b6a2d5eec81ba0
                              • Instruction ID: 3e07ae2cfe51dccb51f9bc1d52e901e28a5ef517a902e39e36d5ee0886f5882f
                              • Opcode Fuzzy Hash: a56a9a30ef2012127b917a59f2d363f2feb7ef4f35e8a2a621b6a2d5eec81ba0
                              • Instruction Fuzzy Hash: 3E412574D0620AEFCF18CFA5D1A46EEBBF2FB49300F2094AAC412B6254D7349A91CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d38f90a71d4651fbb70e433d06c7a3f8d4e9c93fcd31fd34f0f5070191d89501
                              • Instruction ID: 4912516704f4bf3359a947620de463b16a23bda1af2ecd0a428818c0149bbc9c
                              • Opcode Fuzzy Hash: d38f90a71d4651fbb70e433d06c7a3f8d4e9c93fcd31fd34f0f5070191d89501
                              • Instruction Fuzzy Hash: E5410574D0620AEFCF18CFA5D1946EEBBF2FB49300F2094AAC416B6254D7389A91CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bf3923f809e1d431d64b660691fcb622efec49187dbc408b34285c71fb9c3bbf
                              • Instruction ID: afd6fe286d0b0a7eeb3f778ef239e0216e751e8e5e288ff898b738f8e9f39659
                              • Opcode Fuzzy Hash: bf3923f809e1d431d64b660691fcb622efec49187dbc408b34285c71fb9c3bbf
                              • Instruction Fuzzy Hash: 28313671E016188FDB28CFAAD8446DEBBB3BFC9310F14C06AD409A7254DB345A96CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c52e50eaaccf5f1363238cfcb15799b9c1c76a0b794132f870e2b4418261e0
                              • Instruction ID: c5fd5d0abc572b14238bdb0e11ff3e95baaeea5278389ba7d428f232d5d2895b
                              • Opcode Fuzzy Hash: 72c52e50eaaccf5f1363238cfcb15799b9c1c76a0b794132f870e2b4418261e0
                              • Instruction Fuzzy Hash: 4A21E671E016189BEB18CF6BE84469EBBB3BFC9200F18C16AD548A6214EB701A428F51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: p$}
                              • API String ID: 0-1961647461
                              • Opcode ID: d41cebb020bee9a2105cf608fc85a32752f7ab91a8f502c8a71eba2c958bc599
                              • Instruction ID: 5fe7077d7c5747448580178053c15afde3904345f678a0fff6e75a2d1db9fc65
                              • Opcode Fuzzy Hash: d41cebb020bee9a2105cf608fc85a32752f7ab91a8f502c8a71eba2c958bc599
                              • Instruction Fuzzy Hash: 1D911674D09609DFDF14CFA9C580AEDBBB6AF4A310F20A669D42AB7395DB305A41CF10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: p$}
                              • API String ID: 0-1961647461
                              • Opcode ID: 4d76b72b970de4626abf725f7be2936235acdb752d7cf88a6d433cce6b7bc728
                              • Instruction ID: 3712f11bffa851576570a7f8c9c65b9191fafaae0937a8190d70993d685d8043
                              • Opcode Fuzzy Hash: 4d76b72b970de4626abf725f7be2936235acdb752d7cf88a6d433cce6b7bc728
                              • Instruction Fuzzy Hash: 58910574D09208DFDF14DFA9C580AEDBBB6AF4A310F209669D42AB7395DB305A42CF10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: o$t
                              • API String ID: 0-441057676
                              • Opcode ID: 8f49f6fc58d4ea9403b2ceda2d570124d3b8117667f1bbc17b6f4e1a3f27507b
                              • Instruction ID: 51e7ba2c101bfd5333ee2d45228b743e48155b33e9a55ae05b8bec7bb9ae1f94
                              • Opcode Fuzzy Hash: 8f49f6fc58d4ea9403b2ceda2d570124d3b8117667f1bbc17b6f4e1a3f27507b
                              • Instruction Fuzzy Hash: 70511778C4A248CFDF18CF96D484FFDBBBABB4A315F20A919D01AA6245C3750989CF44
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0129A346
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 3a0a9e43bf9f9320ba878db428ae4150ce66a579469bbf334f7b9db74edb00f6
                              • Instruction ID: faf7917b19fec2ad0ff25e955a32c9cf8370c0203b2d820742a360122921feb3
                              • Opcode Fuzzy Hash: 3a0a9e43bf9f9320ba878db428ae4150ce66a579469bbf334f7b9db74edb00f6
                              • Instruction Fuzzy Hash: 4E41C8715093C06FD7128F25DC45B62BFB8EF47620F0985DBED848F253D264A909CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05BD1043
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: cdbe59dc4dfdfc89f1d9bd6e7909d3992581a62245026d369bda7fd47d33a6f8
                              • Instruction ID: 362f67705b0d29492ebbad39983c9937dd8e71baa9572f75d56f766e71e149e9
                              • Opcode Fuzzy Hash: cdbe59dc4dfdfc89f1d9bd6e7909d3992581a62245026d369bda7fd47d33a6f8
                              • Instruction Fuzzy Hash: 0F31B4715043846FE7228F65DC45FA7BFACEF46710F0888AFE985CB152D224A909CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLongPathNameW.KERNELBASE(?,?,?), ref: 05BD0DCE
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: LongNamePath
                              • String ID:
                              • API String ID: 82841172-0
                              • Opcode ID: 0f994ba3582850940a0759637d808357e33048b3ae62129f296cbd0480a04959
                              • Instruction ID: e980bab9090b02a3f7b4e24d83acd710af4115c6491d33362d073c902cbb7d8e
                              • Opcode Fuzzy Hash: 0f994ba3582850940a0759637d808357e33048b3ae62129f296cbd0480a04959
                              • Instruction Fuzzy Hash: AE313A6540E3C45FD7138B649C65AA2BFB4AF47220F0E84DBD8C49F1A3E2656909C772
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetTokenInformation.KERNELBASE(?,00000E2C,7F8FC67B,00000000,00000000,00000000,00000000), ref: 05BD087C
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: InformationToken
                              • String ID:
                              • API String ID: 4114910276-0
                              • Opcode ID: 8a101426b2d065679b5a98e7864b0354f49244623d9597eb33dfc159fb58a4b7
                              • Instruction ID: d89c5aba6b695cefe3cac47d47fc25b36b0545dbd978100f01b856bf2b60e36f
                              • Opcode Fuzzy Hash: 8a101426b2d065679b5a98e7864b0354f49244623d9597eb33dfc159fb58a4b7
                              • Instruction Fuzzy Hash: 32319371509784AFEB228B65DC45FA6BFB8EF06310F08849EE984DB152D225A548CBB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0129ACD1
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: Open
                              • String ID:
                              • API String ID: 71445658-0
                              • Opcode ID: 09c1f1e929106b7a4f4f776b4b5756c16be396e671e967a3a9577e338dfac0c1
                              • Instruction ID: db014065dde79d49ad0bdd89f74d8f682186ca9518105bc7a1bd2a16764f77a6
                              • Opcode Fuzzy Hash: 09c1f1e929106b7a4f4f776b4b5756c16be396e671e967a3a9577e338dfac0c1
                              • Instruction Fuzzy Hash: 0D31C4725043806FE7228B25DC45F67BFECEF0A710F0884AEED808B152D224A949CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05BD0401
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 4954beab6d45db210d3c8463ec9050bd8254aa5d608e754728c044f3ad084590
                              • Instruction ID: af169cbcfd1cf25665ba14774a45c1e1ba6e7648cf171d8a617bd89e6c853ebb
                              • Opcode Fuzzy Hash: 4954beab6d45db210d3c8463ec9050bd8254aa5d608e754728c044f3ad084590
                              • Instruction Fuzzy Hash: F1316F71505244AFE722CF25DC44F66FFE8EF49610F08849EE9858B252E375E409CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateMutexW.KERNELBASE(?,?), ref: 05BD0229
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: CreateMutex
                              • String ID:
                              • API String ID: 1964310414-0
                              • Opcode ID: e75118b7763e05de5c72192f5ac89aa3184e14008ad8035fdf2edf76e2863ab8
                              • Instruction ID: 371724efca3e21cac7937c65fca808363a740f861f7d78cf7deeca0c97cac3ce
                              • Opcode Fuzzy Hash: e75118b7763e05de5c72192f5ac89aa3184e14008ad8035fdf2edf76e2863ab8
                              • Instruction Fuzzy Hash: BA31A4715097846FE722CB25CC84F56FFE8EF06310F09849AE984CB292E325A908CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegQueryValueExW.KERNELBASE(?,00000E2C,7F8FC67B,00000000,00000000,00000000,00000000), ref: 0129ADD4
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: QueryValue
                              • String ID:
                              • API String ID: 3660427363-0
                              • Opcode ID: bb388267010080d47e62178abe740a18e1aa7d44b31bdb66c8456eb6fb095892
                              • Instruction ID: d325df4f21feb20a5c80380ed937e13653eeb98d5059d6b1c0323b248e909dc2
                              • Opcode Fuzzy Hash: bb388267010080d47e62178abe740a18e1aa7d44b31bdb66c8456eb6fb095892
                              • Instruction Fuzzy Hash: BC31A4715097845FEB22CB25CC85FA2BFF8EF06710F08849AE985CB153D264E548CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 05BD0B9F
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: OpenPolicy
                              • String ID:
                              • API String ID: 2030686058-0
                              • Opcode ID: fdd5b3f24a3acc011c497e40d2f45b0222ea75154afdc08d702b9b6b84ccbea3
                              • Instruction ID: 2af1e951b2d1d9079a2bbeb7c05a767346f5c387afd9d9648732780769b63c21
                              • Opcode Fuzzy Hash: fdd5b3f24a3acc011c497e40d2f45b0222ea75154afdc08d702b9b6b84ccbea3
                              • Instruction Fuzzy Hash: 012171725082446FE721DF65DC45FAAFFA8EF49710F08889AED84DB152D224A548CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,00000E2C), ref: 05BD1043
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: cf0f25c658b893bd20b30c73ec530d858483c45ebebf76fef711b593513bbf73
                              • Instruction ID: 4937c779d1861ea20af39316b0060d72f404e4556530b659d4b5abd3b43e319f
                              • Opcode Fuzzy Hash: cf0f25c658b893bd20b30c73ec530d858483c45ebebf76fef711b593513bbf73
                              • Instruction Fuzzy Hash: 0F21B072500604AFEB219F69DC44F6AFBECEF08320F04886AED85DB151D275A508CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DeleteFileW.KERNELBASE(?), ref: 05BD1128
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: DeleteFile
                              • String ID:
                              • API String ID: 4033686569-0
                              • Opcode ID: 5e0caf792162915029c62e138bc50c648ed3c1a73564c0c36197ccbcaf939efe
                              • Instruction ID: 15eb62b651047e6d1c452deba838cb8a6a461f02394c3bf6a1f3dbd57aea32a8
                              • Opcode Fuzzy Hash: 5e0caf792162915029c62e138bc50c648ed3c1a73564c0c36197ccbcaf939efe
                              • Instruction Fuzzy Hash: F5217F765093C05FDB13CB25DC95AA2BFA4EF47610F1984DADC858F263E225A908CB72
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetFileType.KERNELBASE(?,00000E2C,7F8FC67B,00000000,00000000,00000000,00000000), ref: 05BD04ED
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: FileType
                              • String ID:
                              • API String ID: 3081899298-0
                              • Opcode ID: 05e77431c45824b56c17d2504f52a604b2a791f56bac69789fda7bd79bc7c731
                              • Instruction ID: cb376ea4fdf1b6e118ed4ecdfca9ce86efa62da313802a88fc0f104898dd4088
                              • Opcode Fuzzy Hash: 05e77431c45824b56c17d2504f52a604b2a791f56bac69789fda7bd79bc7c731
                              • Instruction Fuzzy Hash: CC21D6B64087846FE7128B269C54FB3BFA8EF46720F0885DAED849B153D224A909C771
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05BD0401
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: b2ea72dc8bedac86d28076cb3558b485aaf0e4106bc8c385b0fca3ae6f681f89
                              • Instruction ID: 7afb56b687690290ff185b2f36a1cc0709d96797c3319d9a5f5d9253032cf0e3
                              • Opcode Fuzzy Hash: b2ea72dc8bedac86d28076cb3558b485aaf0e4106bc8c385b0fca3ae6f681f89
                              • Instruction Fuzzy Hash: CA216B71504244AFEB21DF65DD89F66FBE8EF08720F1884AAED898B251E375E404CA71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05BD14A2
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: LookupPrivilegeValue
                              • String ID:
                              • API String ID: 3899507212-0
                              • Opcode ID: db0752fa5d5a228ecc562aebe8003fba51cd6631ba8d1c9174e7bc25b5b07b46
                              • Instruction ID: 30ad674d8208f2fbe1654902a17e359df94051d09902ad109bf0fc22c1061ea9
                              • Opcode Fuzzy Hash: db0752fa5d5a228ecc562aebe8003fba51cd6631ba8d1c9174e7bc25b5b07b46
                              • Instruction Fuzzy Hash: 982151725093805FD7128B25DC85BA2BFA4EF06220F0984EAE885CF153E225A548CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0129ACD1
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: Open
                              • String ID:
                              • API String ID: 71445658-0
                              • Opcode ID: 13ad619c7068049c69b5749977a40845788fe1e821d1012ac8fcf156e8fd8beb
                              • Instruction ID: 01471c00bd7cbfa1b00ac49a44266f453a8446b6e1e9439ee9b455c4732250a3
                              • Opcode Fuzzy Hash: 13ad619c7068049c69b5749977a40845788fe1e821d1012ac8fcf156e8fd8beb
                              • Instruction Fuzzy Hash: 8B219F72500704AFEB219F69DC85F6AFBECEF08710F14885AEE459B241D664E9488BB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateMutexW.KERNELBASE(?,?), ref: 05BD0229
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: CreateMutex
                              • String ID:
                              • API String ID: 1964310414-0
                              • Opcode ID: 24e361d14d631c7dc126740d8eada9efc5fb9986123064e657b1b66c8f28876c
                              • Instruction ID: aadb28528855290447d3d48c3753a6f30ee882345178f90c96919532b33a066d
                              • Opcode Fuzzy Hash: 24e361d14d631c7dc126740d8eada9efc5fb9986123064e657b1b66c8f28876c
                              • Instruction Fuzzy Hash: 9A218E71605244AFE720DF65DD89B66FBE8EF48310F1884AAED898B241E375F904CA71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 05BD0B9F
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: OpenPolicy
                              • String ID:
                              • API String ID: 2030686058-0
                              • Opcode ID: 7d5f1347a27e35dd49a13c0b74c5cba3021a70cb04c2eddb74d977a20235261f
                              • Instruction ID: 079c49ffb310636db0b1228ca8fc54a37af4058d8ef39bcca99b87b303751937
                              • Opcode Fuzzy Hash: 7d5f1347a27e35dd49a13c0b74c5cba3021a70cb04c2eddb74d977a20235261f
                              • Instruction Fuzzy Hash: C421A572504304AFEB20DF69DD45FAAFBECEF48714F14886AED45DB241E274A5048B71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WriteFile.KERNELBASE(?,00000E2C,7F8FC67B,00000000,00000000,00000000,00000000), ref: 05BD0689
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: 3bf25d6b6bc5295507c6a18bfee4c5ea5141d17f755ab51ee889e306f7765cb4
                              • Instruction ID: 35228d40f93c69a64d1b562c9d86a23c04249e52d155427127c09475397d3a5c
                              • Opcode Fuzzy Hash: 3bf25d6b6bc5295507c6a18bfee4c5ea5141d17f755ab51ee889e306f7765cb4
                              • Instruction Fuzzy Hash: 83219272409384AFDB228F55DC44F67FFB8EF45310F08889AE9449B152D235A508CB75
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetTokenInformation.KERNELBASE(?,00000E2C,7F8FC67B,00000000,00000000,00000000,00000000), ref: 05BD087C
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: InformationToken
                              • String ID:
                              • API String ID: 4114910276-0
                              • Opcode ID: 73c1fe934898b3f7901703cfc20f6c21b36ba641978bd5e69970bf3c7e9c08f8
                              • Instruction ID: e3652ff49b8a6eee3b10cf9b08c026eb03d30efb9f2ee4026798ae10cebd8eae
                              • Opcode Fuzzy Hash: 73c1fe934898b3f7901703cfc20f6c21b36ba641978bd5e69970bf3c7e9c08f8
                              • Instruction Fuzzy Hash: 58119371500204AFEB21DF66DC85FA6FBECEF44320F04886AED45DB241E675A5048BB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegQueryValueExW.KERNELBASE(?,00000E2C,7F8FC67B,00000000,00000000,00000000,00000000), ref: 0129ADD4
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: QueryValue
                              • String ID:
                              • API String ID: 3660427363-0
                              • Opcode ID: a52498c1cf32f083eeb1fb072c8203ce5771252ff8889d358595c647996f4570
                              • Instruction ID: 622bb571e57278c292e6aa32d10800c78bda4c2945cd1c963b884a4b611feeb3
                              • Opcode Fuzzy Hash: a52498c1cf32f083eeb1fb072c8203ce5771252ff8889d358595c647996f4570
                              • Instruction Fuzzy Hash: 88216D71604704AFEB21CF2ADC81FA6BBE8EF08711F08846AEE459B251D760E504CA71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05BD13E4
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 0376c1427ef67f63043175d2b1ccb87646b25c7a6042bc480c98dfa913edf28a
                              • Instruction ID: 08083da8c016efab232ee90b9f120e9b8e56e285dddd8a49193f7b7d302f3d38
                              • Opcode Fuzzy Hash: 0376c1427ef67f63043175d2b1ccb87646b25c7a6042bc480c98dfa913edf28a
                              • Instruction Fuzzy Hash: 8B21CF765093C09FD7128B25DC85AA6FFF4EF07220F0984EEEC818B163D225A848DB21
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0129B4A9
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: LibraryLoadShim
                              • String ID:
                              • API String ID: 1475914169-0
                              • Opcode ID: 39696f0ed48c3f1be2ef3242647411922d6e182faf8ce8f095a17e6533b11fa1
                              • Instruction ID: 8b0e07e51abacc7c50169d9504ee345750325bcbc900cf94d9856f581a937248
                              • Opcode Fuzzy Hash: 39696f0ed48c3f1be2ef3242647411922d6e182faf8ce8f095a17e6533b11fa1
                              • Instruction Fuzzy Hash: 472193B15093805FDB228F19DC45B62BFE8EF46614F08849AED84CB253D365A908D772
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PostMessageW.USER32(?,?,?,?), ref: 05BD18DD
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 16ee4d998f0d699e7660ec6519ccd94f402f1aa07c49d4ee847c6d82d3fdb3f1
                              • Instruction ID: f1fdb6dea491c288ebdbd85f581dd179b8f4dbaaa085499f10ef88148a782606
                              • Opcode Fuzzy Hash: 16ee4d998f0d699e7660ec6519ccd94f402f1aa07c49d4ee847c6d82d3fdb3f1
                              • Instruction Fuzzy Hash: 26218C714093C09FDB238B25DC44A62FFB4EF07210F0985DAEDC48F163D225A918DB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0129A666
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: ef6e0048ace6607c6a179eeab7aa198004176d04572d0539c8a79e80db9bfe5b
                              • Instruction ID: b6fab3971190604f6d1a10fdf31a560bdbdffa2e924d2cc8e04e2f94e23a096b
                              • Opcode Fuzzy Hash: ef6e0048ace6607c6a179eeab7aa198004176d04572d0539c8a79e80db9bfe5b
                              • Instruction Fuzzy Hash: 99117271409780AFDB238F55DC44A62FFF4EF8A210F08899AED858B152D275A518DB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WriteFile.KERNELBASE(?,00000E2C,7F8FC67B,00000000,00000000,00000000,00000000), ref: 05BD0689
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: d508e50196f8fb04e278dc01058e2e137deb45d187a440fb6b0afbf5998a9996
                              • Instruction ID: 014a1bb5c9cd14972380172f8eab2f421f28b75f1b580caa7f05ac37c573eea9
                              • Opcode Fuzzy Hash: d508e50196f8fb04e278dc01058e2e137deb45d187a440fb6b0afbf5998a9996
                              • Instruction Fuzzy Hash: AC11E771504304AFEB21DF56DD44F66FFE8EF48720F0488AAED459B251E275A404CB75
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05BD1328
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 2516c051d705178a6db19d5cdfb7194dc3ad62d65c3bf852ea8b2a43ecc5410d
                              • Instruction ID: 415ebd221bc00041e7cfafd96403101cdd7d025199de6e01d0539002361af7b9
                              • Opcode Fuzzy Hash: 2516c051d705178a6db19d5cdfb7194dc3ad62d65c3bf852ea8b2a43ecc5410d
                              • Instruction Fuzzy Hash: 7311E676509780AFDB228F25DC40A52FFB4EF06220F0C84DEED858B563D375A558DB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetThreadContext.KERNELBASE(?,?), ref: 05BD127B
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: ContextThread
                              • String ID:
                              • API String ID: 1591575202-0
                              • Opcode ID: 7b9e7b07a018abed74795d62e2c0be3e4e6fd1a263bded4e94ef40ff8757963a
                              • Instruction ID: a014fcbb44c20ab324df362c941eea1b3a3f213f9d140aff2a624d77a2b4a146
                              • Opcode Fuzzy Hash: 7b9e7b07a018abed74795d62e2c0be3e4e6fd1a263bded4e94ef40ff8757963a
                              • Instruction Fuzzy Hash: FC11BF715093809FD7118B15DC84A62FFE8EF46220F0880EEED458B262D239A908CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 05BD14A2
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: LookupPrivilegeValue
                              • String ID:
                              • API String ID: 3899507212-0
                              • Opcode ID: 1d5c54d9e31d6f800637e966e8f32e17ad883b3c49967338b255c44b02f43532
                              • Instruction ID: 7cddbdca6f4fdd032148572ec7c3de7d1f1cd2df7ca323d4a3ad900cb920aeff
                              • Opcode Fuzzy Hash: 1d5c54d9e31d6f800637e966e8f32e17ad883b3c49967338b255c44b02f43532
                              • Instruction Fuzzy Hash: D81161B56042408FDB20CF29ED85B76FBD8EF44620F08C4AAED49CB642E674E404CE72
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetFileType.KERNELBASE(?,00000E2C,7F8FC67B,00000000,00000000,00000000,00000000), ref: 05BD04ED
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: FileType
                              • String ID:
                              • API String ID: 3081899298-0
                              • Opcode ID: 74475e0e5c945aaf37d408856932d895f96916b97d20117be943aa2655abeb5d
                              • Instruction ID: 5f27df250a92b91da40519760c47c92c18d736ae2f26d51d9d898f5636d737b6
                              • Opcode Fuzzy Hash: 74475e0e5c945aaf37d408856932d895f96916b97d20117be943aa2655abeb5d
                              • Instruction Fuzzy Hash: 0501D271504204AFEB20DB1ADD85FB6FBE8EF48720F14C4AAED449B241E274A5048A76
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0129AF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: a5f9f1813d7ee0b83a485f8ec900b56120e5bedc34820537c430f2b578d6e339
                              • Instruction ID: 2e46722651a33195896fdb8d553ef87904592b7da651e470f8c89b32c8f4ce0e
                              • Opcode Fuzzy Hash: a5f9f1813d7ee0b83a485f8ec900b56120e5bedc34820537c430f2b578d6e339
                              • Instruction Fuzzy Hash: 7F119171409780AFDB228F15DC44A52FFF4EF4A220F08859EED854B262C375A518CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ResumeThread.KERNELBASE(?), ref: 0129A480
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: eeced00bb0bd5849aa1dc1037488fa6486dc2dadfeb5b48d650c9af1b3fe063a
                              • Instruction ID: 04a8f25d2a588fac4debd841afb20db5cf7db5814174fe9e183ce5ea2266799c
                              • Opcode Fuzzy Hash: eeced00bb0bd5849aa1dc1037488fa6486dc2dadfeb5b48d650c9af1b3fe063a
                              • Instruction Fuzzy Hash: 19018475509384AFDB128B19DC84B62FFA8DF46620F08C4DAED854F253D375A908DB72
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: LongWindow
                              • String ID:
                              • API String ID: 1378638983-0
                              • Opcode ID: 27f3a50085c46e8316b53badf0ab81aeda02c7acb93ae0f98f6aab708b5dec6a
                              • Instruction ID: c0b5617ed97a3f780a89f197ebc440d293b916565be2634f8f510830696d07b8
                              • Opcode Fuzzy Hash: 27f3a50085c46e8316b53badf0ab81aeda02c7acb93ae0f98f6aab708b5dec6a
                              • Instruction Fuzzy Hash: 00118E714097849FDB228F19DC84A52FFB4EF46620F08C8DAED854F263D375A918CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05BD13E4
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: af15685e71b289a4e67295fab40d5366a37eeee2c62ce12a14f37033967748b2
                              • Instruction ID: 891747dc35dc1d2e42b915e4e592633ee3b4d43174d678553421303a9c1a148d
                              • Opcode Fuzzy Hash: af15685e71b289a4e67295fab40d5366a37eeee2c62ce12a14f37033967748b2
                              • Instruction Fuzzy Hash: 04016D756046009FDB20CF1AE885B66FBE5EF04620F0884AEED858B651E375E458DF71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DeleteFileW.KERNELBASE(?), ref: 05BD1128
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: DeleteFile
                              • String ID:
                              • API String ID: 4033686569-0
                              • Opcode ID: 56687995b70eedb2484d054453cbdded71edc861afdb6ab7e4bb5f9f73def607
                              • Instruction ID: 9c8829ba193abd22a01ee9699a6df3fbc0588f5e2f38491fe8eb9b1946666703
                              • Opcode Fuzzy Hash: 56687995b70eedb2484d054453cbdded71edc861afdb6ab7e4bb5f9f73def607
                              • Instruction Fuzzy Hash: 84017171A042408FDB60CF29E8857A6FBD8EF45620F18C4AADD49CF742E675E544CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0129B4A9
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: LibraryLoadShim
                              • String ID:
                              • API String ID: 1475914169-0
                              • Opcode ID: 4d4a219c11f34ce242dd5c53adb383f44e160840badc4fdb609aebee469ec4eb
                              • Instruction ID: 0c5b936f636ab5545966f309d383f0b04b24cb23387bac5975fa67cbd30d6cc9
                              • Opcode Fuzzy Hash: 4d4a219c11f34ce242dd5c53adb383f44e160840badc4fdb609aebee469ec4eb
                              • Instruction Fuzzy Hash: 390180755102408FDF20CF1DE885B62FBE4EF04620F089499DE498B242D375E404DB72
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0129A666
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: bb7f8c1f5cb3a9d77c38946e59e20a570319a631aa1da55a33d66499ef3082c8
                              • Instruction ID: 396c01701a5edb00a9f995bceb97c48726355996a463a97215283759f87079de
                              • Opcode Fuzzy Hash: bb7f8c1f5cb3a9d77c38946e59e20a570319a631aa1da55a33d66499ef3082c8
                              • Instruction Fuzzy Hash: A601AD318107009FDF228F59E944B56FFE0EF88320F08C8AADE894B612D375A018CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetThreadContext.KERNELBASE(?,?), ref: 05BD127B
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: ContextThread
                              • String ID:
                              • API String ID: 1591575202-0
                              • Opcode ID: 9f50d94d15ed94e1d4b48f68fa4f3f3ee7f35e0fe126160c801d151eeadf30c2
                              • Instruction ID: 1e0faad1b34104775494cda6e1da86552a5f15291a0e95e2fe677b6a7df9e018
                              • Opcode Fuzzy Hash: 9f50d94d15ed94e1d4b48f68fa4f3f3ee7f35e0fe126160c801d151eeadf30c2
                              • Instruction Fuzzy Hash: 2001B1756042408FDB20CF19E884B66FBD4EF05220F08C0AADD45CB651E276E504CE71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05BD1328
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 9b244734ea12928e09d970da1db4a0aed5b47fa004754aab152501019533db12
                              • Instruction ID: f166cec07ea1c3e48d14b111eee46239db1d43611c317e386d6949744d44376d
                              • Opcode Fuzzy Hash: 9b244734ea12928e09d970da1db4a0aed5b47fa004754aab152501019533db12
                              • Instruction Fuzzy Hash: 84019E71900640DFDB218F19E884B66FFA5EF09720F08C4AEED894BA51D375E418CB72
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateActCtxA.KERNEL32(?,00000E2C,?,?), ref: 0129A346
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 2264a53e712f2e8ed54f3cb5c4a7ded370fbc365aa4adb3c0455861a825e589b
                              • Instruction ID: a06a0d42af12ad7e8038ab951c9afc5004b033475ff95348fe1be71c156ab013
                              • Opcode Fuzzy Hash: 2264a53e712f2e8ed54f3cb5c4a7ded370fbc365aa4adb3c0455861a825e589b
                              • Instruction Fuzzy Hash: DF01AD71600200ABD220DF1ADC82B26FBE8FFC9B20F14815AED084B741E235F915CBE6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLongPathNameW.KERNELBASE(?,?,?), ref: 05BD0DCE
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: LongNamePath
                              • String ID:
                              • API String ID: 82841172-0
                              • Opcode ID: b3d4aadc2ef2351e7836daa028c574bc424eca00c5fe90c185c5f4b035d07394
                              • Instruction ID: 157a7fa2448646484d86975b420116738994f26572a9fda7fe7a5f2b5ee722d3
                              • Opcode Fuzzy Hash: b3d4aadc2ef2351e7836daa028c574bc424eca00c5fe90c185c5f4b035d07394
                              • Instruction Fuzzy Hash: 2A0171759042449FDB20DF55E889B65FBA5EF44320F08C4AADD898F251E275A404CBB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0129AF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 5ae83c903fd67df15cda988fa936c78df887c02928f51905b18cfef62dfc69d5
                              • Instruction ID: 948d1e6c19664435fc5fbe6401962c920ff1e2f52bed99a03ed25f1ad6cf72df
                              • Opcode Fuzzy Hash: 5ae83c903fd67df15cda988fa936c78df887c02928f51905b18cfef62dfc69d5
                              • Instruction Fuzzy Hash: 82017C71514740DFDB218F59E885B65FBA0EF08720F08849ADE894B662D3B6A418CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PostMessageW.USER32(?,?,?,?), ref: 05BD18DD
                              Memory Dump Source
                              • Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 69f1da0f49bc264f8ad8a7bd04527ee44bffd7ad3a53763ac995514fc9dc081f
                              • Instruction ID: 0fa2b23221f1325b18ba96bf74704e9f21bd3c43bc04340e1018442f6ce500de
                              • Opcode Fuzzy Hash: 69f1da0f49bc264f8ad8a7bd04527ee44bffd7ad3a53763ac995514fc9dc081f
                              • Instruction Fuzzy Hash: 8F018F75904344DFDB20CF59E884B65FBA5EF08321F08C4AADD894B212D376A419CB72
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: LongWindow
                              • String ID:
                              • API String ID: 1378638983-0
                              • Opcode ID: 71a335fce6637eb6c0de8412da08a4e8d2eb2daed58bef883eaba44275a5667b
                              • Instruction ID: 5c4e7a269235649a9298e9f3142dda85c62db634f6e8a256a79ed622bb77ce31
                              • Opcode Fuzzy Hash: 71a335fce6637eb6c0de8412da08a4e8d2eb2daed58bef883eaba44275a5667b
                              • Instruction Fuzzy Hash: 6501AD315147408FDB218F09E885B61FBA0EF14720F08C8AADE8A4B652D3B5A408CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ResumeThread.KERNELBASE(?), ref: 0129A480
                              Memory Dump Source
                              • Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 7155a80f41f4118005bf18197133f5133425d20cc7ad0f54d69e066533da7692
                              • Instruction ID: b0fec6cce70ac9d5d9f5bfdac2d7d4dd0d0ef422d050a1fbc092f61357f45d13
                              • Opcode Fuzzy Hash: 7155a80f41f4118005bf18197133f5133425d20cc7ad0f54d69e066533da7692
                              • Instruction Fuzzy Hash: A5F0AF759143408FDB208F19E889761FBA4EF44720F08D4AADE894F356D2B9A508CEA2
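The API entries above (DuplicateHandle, SetThreadContext, ReadProcessMemory, CreateActCtxA, GetLongPathNameW, VirtualAllocEx, PostMessageW, ResumeThread) each record one resolved Win32 call together with the dump region it was found in. Read together rather than one at a time, VirtualAllocEx, SetThreadContext and ResumeThread are the allocate / set-context / resume chain used to run a payload inside another process, and here they are split across two regions (0129A000 and 05BD0000) of the same process. The following Python is an added example, not part of this Joe Sandbox report and not code from the sample: it parses entries in the text layout used on this page, groups the resolved APIs by process, and flags a process whose API set covers that chain, listing the dump region each call came from and the page's own Opcode IDs for those functions. Assumptions: the bullet character and field names are taken from this page's rendering, the first dotted field of a dump file name is treated as the process index within the analysis, and the indicator API set is an analyst heuristic, not a Joe Sandbox signature. The sample input is copied from entries on this page with the similarity field set abridged and the blank lines dropped (the parser tolerates both).

```python
import re
from collections import defaultdict

# Constructed sample: four entries copied from this page, similarity fields abridged,
# blank lines dropped. The parser skips blank lines, so the page's layout also works.
SAMPLE = """\
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetThreadContext.KERNELBASE(?,?), ref: 05BD127B
Memory Dump Source
• Source File: 00000000.00000002.258058985.0000000005BD0000.00000040.00000001.sdmp, Offset: 05BD0000, based on PE: false
Similarity
• API ID: ContextThread
• Opcode ID: 9f50d94d15ed94e1d4b48f68fa4f3f3ee7f35e0fe126160c801d151eeadf30c2
Uniqueness
Uniqueness Score: -1.00%
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0129AF50
Memory Dump Source
• Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
Similarity
• API ID: AllocVirtual
• Opcode ID: 5ae83c903fd67df15cda988fa936c78df887c02928f51905b18cfef62dfc69d5
Uniqueness
Uniqueness Score: -1.00%
APIs
• ResumeThread.KERNELBASE(?), ref: 0129A480
Memory Dump Source
• Source File: 00000000.00000002.252817307.000000000129A000.00000040.00000001.sdmp, Offset: 0129A000, based on PE: false
Similarity
• API ID: ResumeThread
• Opcode ID: 7155a80f41f4118005bf18197133f5133425d20cc7ad0f54d69e066533da7692
Uniqueness
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
Similarity
• String ID: me
• Opcode ID: 75204d39e522f9b265e98f94e8872b7fc6fcf38c5f0be8c6251deab4d8510da9
"""

API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Assumption (analyst heuristic, not a Joe Sandbox signature): these calls resolved in one
# process are the allocate / set-context / resume chain of remote-process injection.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
                  "SetThreadContext", "ResumeThread", "NtUnmapViewOfSection"}
CORE_CHAIN = {"VirtualAllocEx", "SetThreadContext", "ResumeThread"}


def parse_entries(text):
    """One record per function. A record starts at a line reading 'Uniqueness' (the
    page's own delimiter); bullet lines fill its API list, dump source and fields."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Uniqueness":
            cur = {"apis": [], "fields": {}, "proc": "?", "offset": "?"}
            entries.append(cur)
        elif cur is None or not line:
            continue
        elif (m := API_RE.match(line)):
            cur["apis"].append(m.groupdict())      # name, module, args, call-site ref
        elif (m := SRC_RE.match(line)):
            cur["offset"] = m.group("off")         # base address of the dumped region
            # Assumption: the first dotted field of the dump name is the process index.
            cur["proc"] = m.group("dump").split(".")[0]
        elif (m := FIELD_RE.match(line)):
            cur["fields"][m.group("key")] = m.group("val")
    return entries


def injection_clusters(entries):
    """Per process, map each injection-related API to the dump regions it was resolved
    in; keep only processes whose API set covers the whole core chain."""
    per_proc = defaultdict(lambda: defaultdict(set))
    for e in entries:
        for api in e["apis"]:
            if api["name"] in INJECTION_APIS:
                per_proc[e["proc"]][api["name"]].add(e["offset"])
    return {proc: {name: sorted(regs) for name, regs in sorted(apis.items())}
            for proc, apis in per_proc.items() if CORE_CHAIN <= set(apis)}


def opcode_ids(entries):
    """Opcode IDs of the injection-related functions: the page's per-function hash,
    which unlike the call-site 'ref' address does not depend on where a region was mapped."""
    return sorted(e["fields"]["Opcode ID"] for e in entries
                  if "Opcode ID" in e["fields"]
                  and any(a["name"] in INJECTION_APIS for a in e["apis"]))


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for proc, apis in injection_clusters(parsed).items():
        print(f"process {proc}: injection chain across regions {apis}")
    print("hunt keys:", opcode_ids(parsed))
```

Run against the full entry list rather than the abridged sample, the same chain in this section also pulls in ReadProcessMemory from region 05BD0000; WriteProcessMemory does not appear as a resolved call in these entries, so the heuristic deliberately keys on the context/resume pair plus VirtualAllocEx rather than on the write.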
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: me
                              • API String ID: 0-2269804443
                              • Opcode ID: 75204d39e522f9b265e98f94e8872b7fc6fcf38c5f0be8c6251deab4d8510da9
                              • Instruction ID: faea7e9c8998398df2539051671b9fd29431fa9f87c4e92de0d6b30f7e54545f
                              • Opcode Fuzzy Hash: 75204d39e522f9b265e98f94e8872b7fc6fcf38c5f0be8c6251deab4d8510da9
                              • Instruction Fuzzy Hash: 1E315E74D0420ADFCB44CF95D580AAEFBB1FB49300F10D46AD811A7314D374AA51CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: me
                              • API String ID: 0-2269804443
                              • Opcode ID: 1d0d9db89cbe168b36a9f45a66348365243b56f52aa689e34fb35d59aaed4d04
                              • Instruction ID: 07bda47a8dc3ccd5da5121667e6141253b1149765c4b68d1255b55d53b69fe37
                              • Opcode Fuzzy Hash: 1d0d9db89cbe168b36a9f45a66348365243b56f52aa689e34fb35d59aaed4d04
                              • Instruction Fuzzy Hash: 41312B74E0520ADFCB48CF99D5809AEFBB1FB89300F10D46AD826AB754D374AA51CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: u
                              • API String ID: 0-4067256894
                              • Opcode ID: e1305159476a3759e64b0774f47ff4dea07050efcb16b05f9bb1b36d5265a64b
                              • Instruction ID: 2be448ce6769ca6e6ce4b6299a83849a56f2dd4e695f04a67ca3d5b837fc9079
                              • Opcode Fuzzy Hash: e1305159476a3759e64b0774f47ff4dea07050efcb16b05f9bb1b36d5265a64b
                              • Instruction Fuzzy Hash: DA1145B4D0D209DBCB28DFAAD0016AEBBFAEB48300F10C4699816EB294EB345611CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 26e2b767cff90953606bc45d9f826d18bcc3a3c77e51c18b588a6313a675e720
                              • Instruction ID: f4bd8e88293afe20888323d21d250cb4f2832c31b5e6e562b3ebf08185308b15
                              • Opcode Fuzzy Hash: 26e2b767cff90953606bc45d9f826d18bcc3a3c77e51c18b588a6313a675e720
                              • Instruction Fuzzy Hash: DEA1D274E1021ADFCB54DFA8D880A9EFBB2FF88300F618629D515AB355D730A946CF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5dbff060c2ac3f2a28b51b6276422fa78dc5ab5b4c4aabf3304892116284863a
                              • Instruction ID: 6f773f8d5a83dcbdb1f83c32b37ef6d03d05ad263045c99b35f8ebb7799cc7f4
                              • Opcode Fuzzy Hash: 5dbff060c2ac3f2a28b51b6276422fa78dc5ab5b4c4aabf3304892116284863a
                              • Instruction Fuzzy Hash: 3741B0B4E01208DFCB14DFA9D585AADBBF2BF49300F21842AE416BB290DB355951CF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 69ddb6cadc5a1f73ee97660001d2670b7e4ed4b3676b6e02c1040240d59633b4
                              • Instruction ID: 49af7bf36b498264af5343055db43cf9e7f140765d99a4cbdab358fb485b1282
                              • Opcode Fuzzy Hash: 69ddb6cadc5a1f73ee97660001d2670b7e4ed4b3676b6e02c1040240d59633b4
                              • Instruction Fuzzy Hash: 3321F634B08259DBCB14DBAD9850ABEBFBABF85700F24445AE405DB281EF709D15C3A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 99c3027700fa9a3509555a34f51f71f7e944efefae9a4f3e1e31c3518b52c793
                              • Instruction ID: 7a0bd4a1d7acd07041954752ce28d637de50b372063a1324ddd30496f0816d50
                              • Opcode Fuzzy Hash: 99c3027700fa9a3509555a34f51f71f7e944efefae9a4f3e1e31c3518b52c793
                              • Instruction Fuzzy Hash: 263162B4D09209EFCB18CFA5D5819AEFBF2FB89300F15C499C014A7254D374AA51CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.252917624.0000000002B30000.00000040.00000040.sdmp, Offset: 02B30000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0dfe919211d54f4070853b141f444055dff1dd804b8ec42db4c068e9269ee517
                              • Instruction ID: e4d1e2abee2e9b0e3b386f074e43fda7f516a0cb8d138d7ee3bf076650244d5b
                              • Opcode Fuzzy Hash: 0dfe919211d54f4070853b141f444055dff1dd804b8ec42db4c068e9269ee517
                              • Instruction Fuzzy Hash: D721963410D380DFD307DB20D950B56BFA1EF4A708F2989DEE5884B2A3C33A9816CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.252917624.0000000002B30000.00000040.00000040.sdmp, Offset: 02B30000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b830c49dc7807c4a83acd85f4bef13c52127b35015f4d631b1663d53fcf071b3
                              • Instruction ID: 22e8e2352917e6fbe34b058843890b9e0b313fd17f9c47842b92b54f93309855
                              • Opcode Fuzzy Hash: b830c49dc7807c4a83acd85f4bef13c52127b35015f4d631b1663d53fcf071b3
                              • Instruction Fuzzy Hash: 7511B134204244EFD716DB24D980B26BB95EF88B18F28C9EDE9495B652C77BD803CE91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f4e898154625aa4284567e3d291739bb4d378d0bacfd562729f5be7c07204c7
                              • Instruction ID: 2c9ecaeb1de667777d5cd4031151d6055ecc54cc0eeaeb6689d7b705841d1ea3
                              • Opcode Fuzzy Hash: 7f4e898154625aa4284567e3d291739bb4d378d0bacfd562729f5be7c07204c7
                              • Instruction Fuzzy Hash: 6601E86504E3C04FD3138BB4AD6A7903F749B17151F4E02D7D4C4CB2A7D66C8A29D322
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0dfd3d9e6b3338dfc7267993ff0e768f5c45a6ecc813f4f1c7cbb6940154158e
                              • Instruction ID: ec2661c09ee6d74ce610272d06c714d9b8f0c74672beedd381b3b490f7df0a32
                              • Opcode Fuzzy Hash: 0dfd3d9e6b3338dfc7267993ff0e768f5c45a6ecc813f4f1c7cbb6940154158e
                              • Instruction Fuzzy Hash: 0C114970D04209EFCF18CFA9D5459AEFBB1FB89300F11C9AAD4219B214D7319795DB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9595f2ed975eb837241fe37f393ebfdf960bfb826f74317ccbb051d305326819
                              • Instruction ID: 3196632e31e988ab2a1bf9a8e4ef4ec1e7f316bffd8452cf2cf06d318229da3f
                              • Opcode Fuzzy Hash: 9595f2ed975eb837241fe37f393ebfdf960bfb826f74317ccbb051d305326819
                              • Instruction Fuzzy Hash: B621FE74E10209DFCF04EFA8D4959ADBBF6FF88304F108569E815A7354DB305901CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a486fe292f37530f6ee31fbfb0f09f47388cbb37da61ef598c73606f80357a74
                              • Instruction ID: 0262ed8274439e9ccf5e250358145fc4efc35c47e1016daca2dc653b807657bc
                              • Opcode Fuzzy Hash: a486fe292f37530f6ee31fbfb0f09f47388cbb37da61ef598c73606f80357a74
                              • Instruction Fuzzy Hash: 3F111974E01108EFCB04DFA8D548A6DFBF2FB48300F59C499D419A7365DB30AA508B40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 66879d21063e668ce2cc4d2e4dc1e9621db6fdd7db4585de5ecbe926f8438b12
                              • Instruction ID: 9b683d7805e1d82a0a068301b15fe9b791967b1beda22b3aeffa418255a92aff
                              • Opcode Fuzzy Hash: 66879d21063e668ce2cc4d2e4dc1e9621db6fdd7db4585de5ecbe926f8438b12
                              • Instruction Fuzzy Hash: E0116AB4C09209EFCF14DFA9E5956AEBBF1FB49300F608496C802A7354D7315A92DFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.252917624.0000000002B30000.00000040.00000040.sdmp, Offset: 02B30000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 507107a2c3a805ac5ebe8b7c4e87ea13fa13ad7d8b5885e2005e10d56c7d6d1b
                              • Instruction ID: 8d225e9528a5c7bf2df5d1f6cdaffd7183f390446c9eed1e1a90a8fd1cb5dd4d
                              • Opcode Fuzzy Hash: 507107a2c3a805ac5ebe8b7c4e87ea13fa13ad7d8b5885e2005e10d56c7d6d1b
                              • Instruction Fuzzy Hash: 45218E351092C09FD7138B20C890B55BFB1EF47308F2986EED4888B6A3C33A9817CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 745328b7dae5c877425841810ae4571f09be8c0388bd9b80493495e966c4409e
                              • Instruction ID: fb6a20f792e1c723b4b67a84d59666dec863aefcf19f634cd35f1133866c8927
                              • Opcode Fuzzy Hash: 745328b7dae5c877425841810ae4571f09be8c0388bd9b80493495e966c4409e
                              • Instruction Fuzzy Hash: C2110A74E01108EFCB08DFA9D54896DFBF6FF88300F15C499D519AB355DB30AA608B40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.252917624.0000000002B30000.00000040.00000040.sdmp, Offset: 02B30000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4184e54b470494456f74ceaaa2e522930eafe58580d1e499c77b744f10250e3f
                              • Instruction ID: 37c1bcb9284c1d0de3e2419c9a6f6e8b67424ec4e91f2087e3c1661c4da2f1e8
                              • Opcode Fuzzy Hash: 4184e54b470494456f74ceaaa2e522930eafe58580d1e499c77b744f10250e3f
                              • Instruction Fuzzy Hash: 1101D6B65483805FC7128B16EC44853FFF8DF8623070984ABEC89CB211D239A909CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: afd27df0c87a5a0b6256208637afea3657769d632775ff2d1cd95383e2717724
                              • Instruction ID: ce984992306f560471ff4fd8dc4345caa8e1964f237b1c223efb82582c4778b5
                              • Opcode Fuzzy Hash: afd27df0c87a5a0b6256208637afea3657769d632775ff2d1cd95383e2717724
                              • Instruction Fuzzy Hash: CC01EC74D1021ADBCF14EFA8D54569EFBB5FF48300F1082A9A815AB384DB715E41CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 00e8fa9469b249c59e67ae3799b1e3ed40d67189cebcc6d82b16f3ed1353ef2d
                              • Instruction ID: c371f3acb64b193cfe284aa566e02e750c93873cd462b1a5758c25be805d5706
                              • Opcode Fuzzy Hash: 00e8fa9469b249c59e67ae3799b1e3ed40d67189cebcc6d82b16f3ed1353ef2d
                              • Instruction Fuzzy Hash: 67F06234A09388AFCB02DF74985579D7FB0EF46204F1880EECCC096392D6349A64CB56
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.252917624.0000000002B30000.00000040.00000040.sdmp, Offset: 02B30000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
                              • Instruction ID: 3e02fb72978f772da56b0483a33b1d3460095c8f4e0447d94724381e3cb4f106
                              • Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
                              • Instruction Fuzzy Hash: 97F0FB39104644DFC206DF44D940B26FBA6EB89718F24CAA9E9491B652C737A813DA81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4738ee76d4e096fe0d158acbcd8bbffe6150dec026c49652f0fa104d7ea7f7ea
                              • Instruction ID: e7e9e08abfe5c8fee4c9b8d0a141fe9e2f97eaf3157393db0296ec272e8c5799
                              • Opcode Fuzzy Hash: 4738ee76d4e096fe0d158acbcd8bbffe6150dec026c49652f0fa104d7ea7f7ea
                              • Instruction Fuzzy Hash: CAF0B778D0120DEBCB04DF98D5419AEFBB5FF44304F208699980467355D730AE518B85
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9586741e7972790965162c80875f2f10d3cfe04a08fb2587ebe40d2062fe3f4e
                              • Instruction ID: 710ed32d5d41c6cb4d26db6c50fb89c23d60ae16f18aee63ce07948624ff294c
                              • Opcode Fuzzy Hash: 9586741e7972790965162c80875f2f10d3cfe04a08fb2587ebe40d2062fe3f4e
                              • Instruction Fuzzy Hash: E5F06D30901208DFC708EFA8E9457AEFFF4EF46300F8041B99804A7251EB306A51CB89
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.252917624.0000000002B30000.00000040.00000040.sdmp, Offset: 02B30000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0c6b9e7cd9bbba98d680b7af37785c4ce752699c94d0a69b2d5ff1fa7443c990
                              • Instruction ID: c992d9f2b47d060fcc24c37ed80a71bd9bb05e3cdf1dd5e5ad479c8ba760f149
                              • Opcode Fuzzy Hash: 0c6b9e7cd9bbba98d680b7af37785c4ce752699c94d0a69b2d5ff1fa7443c990
                              • Instruction Fuzzy Hash: BBE092B66046004BD750CF0AEC81456F7D8EB88630B18C47FDC0D8B700D639B504CEA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a0d332b0f99f0bad0c25660dc3b44300c3407837d644b1286d68b664c7e57b3c
                              • Instruction ID: 024af4680d4973bb96b5801df675418d63f2ada6881841a0283a8f820a041905
                              • Opcode Fuzzy Hash: a0d332b0f99f0bad0c25660dc3b44300c3407837d644b1286d68b664c7e57b3c
                              • Instruction Fuzzy Hash: EDF0A030A0130CCFCF14EBB9E00999D7BB4FB80308F9081A98C0497748EB706E96CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5ae87d17f4ad96751168a93229d98b39931386e76b4e5cef8a8632a6f25ef8fb
                              • Instruction ID: ca750f2d4d2e26e472af641858f61f0a7cd38f74b8b400b1ec5366a6aa61464a
                              • Opcode Fuzzy Hash: 5ae87d17f4ad96751168a93229d98b39931386e76b4e5cef8a8632a6f25ef8fb
                              • Instruction Fuzzy Hash: AEF0303495434CDBCB04EFA4A45ABAD7FB8AB02705F2449ACEC05172C1CB716940CB56
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f61174571138e2623238b1014834d92c0cf8c4d0a3e857d7d4b59c74b09955ac
                              • Instruction ID: ff71f925dbc59a42c49eb8b53c951070ad2dbc117a42612e7b6654e6d5d36c3a
                              • Opcode Fuzzy Hash: f61174571138e2623238b1014834d92c0cf8c4d0a3e857d7d4b59c74b09955ac
                              • Instruction Fuzzy Hash: 83E0ED70D085498BCF04DFA4D8D1FFEBBF5AB0D201F201959D506BB200D62259408E94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ff15f5b775767a1a71bffb35f7bc4a5828edf083fff127be20cfbfb6b6d934c0
                              • Instruction ID: c3bc2e8b71693a1ffe581d23c8916c78765095d747921cfec1a9d31c57fa8af6
                              • Opcode Fuzzy Hash: ff15f5b775767a1a71bffb35f7bc4a5828edf083fff127be20cfbfb6b6d934c0
                              • Instruction Fuzzy Hash: 2FE04F70D01108DFC748EFB9D9446ADFBF5AF46300F9051B98808A3250EB306A54CB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c3647ded70bd86ddabba0fcf335b78e5910070cde11fadb1047ec2a025ad318f
                              • Instruction ID: 8604b5bf9867fa5690306c6aa6e1af53c8ba5d9496db321013e4786b1f482c10
                              • Opcode Fuzzy Hash: c3647ded70bd86ddabba0fcf335b78e5910070cde11fadb1047ec2a025ad318f
                              • Instruction Fuzzy Hash: 3FE0CD31C0524CBFC754EFB8B8143BDBFF0A749310F5491A5C44463251D6305615C79D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70971b17fa5947822eea1cfb47f8f1aaf9e472a03725640ac6cb56437acc55c4
                              • Instruction ID: d5fbea7871bc25c74447a60e0e04083518a6fd7aaa2fde9f5c27afaf4b32462a
                              • Opcode Fuzzy Hash: 70971b17fa5947822eea1cfb47f8f1aaf9e472a03725640ac6cb56437acc55c4
                              • Instruction Fuzzy Hash: 83E04F34954208EBCB14EFA4E85ABADBF79FB05701F200998E8052B3D0DFB16940CB55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2741917f430d4a22f443521609c9d3d7e7ccaf8e01f085c63b58a7164997e7c6
                              • Instruction ID: 23c4384868be22f600f5cc73c6cde1f8edeffd227e2b138641ac5b27ae2b2d76
                              • Opcode Fuzzy Hash: 2741917f430d4a22f443521609c9d3d7e7ccaf8e01f085c63b58a7164997e7c6
                              • Instruction Fuzzy Hash: BBE09A74E1120CAFCB54EFA8E54569DBBB5EB84300F2081AA9C4497350E6705A64CB96
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c1e73139cb457392a684f5ff852df61b11e19526a37c37223ebb31596ed744b4
                              • Instruction ID: 272e20bcc4542f1c11f04724f6b02366f1b66721b916b069718b660e56f4a414
                              • Opcode Fuzzy Hash: c1e73139cb457392a684f5ff852df61b11e19526a37c37223ebb31596ed744b4
                              • Instruction Fuzzy Hash: A0E01A74D00208EFCB44EFA8D544AADBBF0FB08300F1085AADC14A3350D7706A64DF95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b0494d3e8539b1ba64bb9e89660bb5dafaec6861c362ca793d5e652f33fa800c
                              • Instruction ID: b3b82e66a0fbef7745ff39370a0df5ed0980afe55e7c89aaf8660943bd6f5c82
                              • Opcode Fuzzy Hash: b0494d3e8539b1ba64bb9e89660bb5dafaec6861c362ca793d5e652f33fa800c
                              • Instruction Fuzzy Hash: 3DD0C26888E0449BC7018A40C9259E03EBCFF02241B200AC1D45A0E0EBC2B50A08CEA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f88b8fe7a0a4f4ce83506355299ecc45470ce890e1befef0e2dbfa0a98ff35a
                              • Instruction ID: 298dd22c356871a5bbcdf9ca926595843a4613e5d6e099a7a40f2cc12d4410c6
                              • Opcode Fuzzy Hash: 6f88b8fe7a0a4f4ce83506355299ecc45470ce890e1befef0e2dbfa0a98ff35a
                              • Instruction Fuzzy Hash: 3FE0E634954608DBDB14DF50E459B797B79FB45301F201958E8051B2D0CFB21940CE55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c4d880e4e9a752545993fdc0fd92c07ca4ed52c98f6f3b33e1bb8ebe21b0f4aa
                              • Instruction ID: 3258dcd6293a07decb88d4f95b38795fe22c7ade02a63f374d817476bdd14a5b
                              • Opcode Fuzzy Hash: c4d880e4e9a752545993fdc0fd92c07ca4ed52c98f6f3b33e1bb8ebe21b0f4aa
                              • Instruction Fuzzy Hash: 90F006789022689FCBA4CF68D980A99BBB1FB09300F5115E9E80AA7310D731AAC1CF00
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 18d03067a31401274b3fe4b4193315b82b6606a6ca28d030cc64640ec97bc65d
                              • Instruction ID: d2123b5961233cf635f5fff16853a4d028bd372d9c38f329167925a26fb703f8
                              • Opcode Fuzzy Hash: 18d03067a31401274b3fe4b4193315b82b6606a6ca28d030cc64640ec97bc65d
                              • Instruction Fuzzy Hash: 52F098749111188FCB65CF66E898A9DB7B6FB48300F4055D9D40AA7254D7315F80CF04
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c14ca9c69c4f8d311e916c27dbdf9f9d608c0a632d6a3d6a5a3088663f4577f9
                              • Instruction ID: 24159a34a48a0142e91649f6dfd0e07671a17e40f748abf4eebd0ef181e33dd2
                              • Opcode Fuzzy Hash: c14ca9c69c4f8d311e916c27dbdf9f9d608c0a632d6a3d6a5a3088663f4577f9
                              • Instruction Fuzzy Hash: 7FE02B7082E29C9BCB05EB78A94635CBFF4AB02604F5400EDCC8491280D6345664C355
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f976ad8e285c1318e595d1d45720057e0d1ca0c9f81e079d64557c1e49b1bdba
                              • Instruction ID: 9055a9e194d6d156383f17ce2d6c343d9dafa8ce397b73983bc3ed761eee7581
                              • Opcode Fuzzy Hash: f976ad8e285c1318e595d1d45720057e0d1ca0c9f81e079d64557c1e49b1bdba
                              • Instruction Fuzzy Hash: CAD09E70D4520DABCB58FFBCA50566EBBF4AB45300F5091B98808A3340D6755A64CB9E
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 83ea9bfc300c8816b16452fb53a68a85e35ee368055fa58aa2cf5107705d9570
                              • Instruction ID: f44bb8a5978b56076284fd49e3e9d9caca6a94cad64f490d8acfa14c4a0a6763
                              • Opcode Fuzzy Hash: 83ea9bfc300c8816b16452fb53a68a85e35ee368055fa58aa2cf5107705d9570
                              • Instruction Fuzzy Hash: BAD0A7B0446244CFC3A5DBB8640576A7BF57706304F1442BAD805D3152C6340550C7E9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.252812978.0000000001292000.00000040.00000001.sdmp, Offset: 01292000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 98bd3ee2eec53fe80ad1115886ade9bb7331c40d82cc58af303ca6bc42aaee9d
                              • Instruction ID: f9ceee23ce1276c8f40ad5c6c03157827812da87f1f0b97ef0a6b9f73b8b685c
                              • Opcode Fuzzy Hash: 98bd3ee2eec53fe80ad1115886ade9bb7331c40d82cc58af303ca6bc42aaee9d
                              • Instruction Fuzzy Hash: 7FD02E38210A928FE7228A0CC0A8B843FA0EB61B04F0640FDE8008B263C328D580C200
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.252812978.0000000001292000.00000040.00000001.sdmp, Offset: 01292000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 94a444cb8b4300ec5ec5423768d53738fc574bc25c5da716dde03efacf90981b
                              • Instruction ID: 89f516ed0e0147d24ba58663e4ed1bb027aa96047843f7e06de30f4cdf2e010a
                              • Opcode Fuzzy Hash: 94a444cb8b4300ec5ec5423768d53738fc574bc25c5da716dde03efacf90981b
                              • Instruction Fuzzy Hash: D3D05E342102828BDB25DB0CC1D4F593BD4AF81B00F0644FDBD008B262C7A4D8C1C600
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cbb1111aa69ebc983b202aed6d9d862a65d98d792c06b3dae45182ea01bd30ac
                              • Instruction ID: 11abac9d02eb48a1c20b11dac5323b616bb9c906230b3fe578ee37ef8ded36a0
                              • Opcode Fuzzy Hash: cbb1111aa69ebc983b202aed6d9d862a65d98d792c06b3dae45182ea01bd30ac
                              • Instruction Fuzzy Hash: 80C08C70505208DBC724EFF8B90D75ABBECF70A302F5040A9990DC3245EB71AA64C7EA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e3192e3a99f2dd719a212dc5fa5c4dd7f6965a76dceae0436f065b27ba2b3c88
                              • Instruction ID: 928205fd15f4c2fce78086cb797207c2a29fca80f65c970469404c9d7db3cfed
                              • Opcode Fuzzy Hash: e3192e3a99f2dd719a212dc5fa5c4dd7f6965a76dceae0436f065b27ba2b3c88
                              • Instruction Fuzzy Hash: 03E0EC74D12329DBCB65CF64C96469DBBB5EF45210F4059CEC455A3211DB344FC08F10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b921be6d0f7a81d6731c5245e6bca36596e9d4e427cc748b650c39e32d88bb8c
                              • Instruction ID: 845d15fb85adaa9c1a9419c2ebfb3f1b9034a85f3d63534c5cb38a5b25bf9b9a
                              • Opcode Fuzzy Hash: b921be6d0f7a81d6731c5245e6bca36596e9d4e427cc748b650c39e32d88bb8c
                              • Instruction Fuzzy Hash: C8C08C30C4410A9ECB19CB61C6800BEF3F7EF84260F819C9A8022AA140CB344600CF00
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: PE@b$PE@b$Z.:i
                              • API String ID: 0-2307061755
                              • Opcode ID: 20b6dbae5a7e30e98b209b92fefb18f234a1db381d86c0b7c9fe65ba37228f2b
                              • Instruction ID: 89cf0efb75d65af792dd45cbca0ec07d17248b07c1d2c175f8bedcae8b0c0eae
                              • Opcode Fuzzy Hash: 20b6dbae5a7e30e98b209b92fefb18f234a1db381d86c0b7c9fe65ba37228f2b
                              • Instruction Fuzzy Hash: 99911674D04219DFDB18DFA9C584AADFBF2FF89304F2081AAD815AB255D734AA42CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b8815708526be1ac279497eea38dfd9e81ea81650e87d70b04beb28721a0cdb4
                              • Instruction ID: 4f63c55f42363b633a56819352ccb434d4f14c04aed6732063147cfb61424735
                              • Opcode Fuzzy Hash: b8815708526be1ac279497eea38dfd9e81ea81650e87d70b04beb28721a0cdb4
                              • Instruction Fuzzy Hash: 50710574D4420AEFCB18DFA8D5809AEFBF2FB49300F25955AD815BB214D334AA50CFA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c97d9e7e9cf6f41e8805c63efc6d16330661d7e0ad3f110fb2799a20f5280b7d
                              • Instruction ID: 682d16ad2456f8a932f0204dbb8d3f6dbb83baf7247b06ad23eff80f79f2fc5e
                              • Opcode Fuzzy Hash: c97d9e7e9cf6f41e8805c63efc6d16330661d7e0ad3f110fb2799a20f5280b7d
                              • Instruction Fuzzy Hash: 8471FD74E15209EFCB44CFA9D48599DFBF1FF49310F1189AAE42AAB254D334AA90CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e61e9db740616db3b16e6c9f8df8be98b11dd2b83c3f2e6b6726d6721136bd45
                              • Instruction ID: 4b59e1cc05dfaff8826ecbc3d207991d3c1c8aa44963ed83d3fd3af278162818
                              • Opcode Fuzzy Hash: e61e9db740616db3b16e6c9f8df8be98b11dd2b83c3f2e6b6726d6721136bd45
                              • Instruction Fuzzy Hash: 7D71FE74E15209EFCB44CFA9D48599DFBF1FF49310F1489AAE42AAB254D334AA90CF10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fc732cd37bb44c3068b57bef7e8d120bcea35130b9c0ede1657c470e2414a68a
                              • Instruction ID: f2456a72681cbc50c85b3556f72bc2a4cd9f190e011e46fdd66acc4b97e3cd20
                              • Opcode Fuzzy Hash: fc732cd37bb44c3068b57bef7e8d120bcea35130b9c0ede1657c470e2414a68a
                              • Instruction Fuzzy Hash: C8510674D4420AEFCB08CFA8D6819AEFBF2FB49340F259559D415BB214D334AA50CFA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 67eeba583204cabb3d7a7f3984304fc4d9b8e7622a4ac10ba79d1db3ba436345
                              • Instruction ID: c0441dc00b4ea0bf4546a9aadd58d0291e46a9cc34ea4033dc8399ed35397659
                              • Opcode Fuzzy Hash: 67eeba583204cabb3d7a7f3984304fc4d9b8e7622a4ac10ba79d1db3ba436345
                              • Instruction Fuzzy Hash: 46512578D05209EFCF18CFA9C5809AEFBF2FB89240F15856AD416B7214D3749A51CF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 14fd3a542e971ec57abef075825c4863b9aa5b5730b455e3eba242f36226087e
                              • Instruction ID: 3f21bd1a51914e6c309a87ab62297604e5795ea586bf68e38d4e11cbf0761ae8
                              • Opcode Fuzzy Hash: 14fd3a542e971ec57abef075825c4863b9aa5b5730b455e3eba242f36226087e
                              • Instruction Fuzzy Hash: 9F51F478D05209EFCF18CFA9C5809AEFBF2FB89200F11956AD416B7214D3749A51CF98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f8cd424861e8884d26bed31e882b6bf2e137cb93d5bda0873b7a1735ad7f0561
                              • Instruction ID: ef7ca3901ee43c45fd33bb8c77e766ece2fc4a407b2793fdd730325e3714599e
                              • Opcode Fuzzy Hash: f8cd424861e8884d26bed31e882b6bf2e137cb93d5bda0873b7a1735ad7f0561
                              • Instruction Fuzzy Hash: A3414470D0520A9FDF08CFE6D5814AEFBB6FF89300F25D46AC411AB254E3749A518F94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5b0c2c16ffaadc8f56579c1dbdb738cc8e667080a835f6a848388d930ed3f82f
                              • Instruction ID: e383735175dffaa6494af8cae1593a1961ac2774cee9449fafe1edfc9c51ac7d
                              • Opcode Fuzzy Hash: 5b0c2c16ffaadc8f56579c1dbdb738cc8e667080a835f6a848388d930ed3f82f
                              • Instruction Fuzzy Hash: 4A411874E04609DFDB58CFAAC541A9EFBF2BF88300F20C12AD514AB255D7349A12CF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f24881b155b4f6c1e3c63f3d375055f18753f42aa1187592a0a5d183749d5317
                              • Instruction ID: c2d4d452ab8ab9a0a535d36937891128cd63a20ba8a4f681a29e61bbf057b956
                              • Opcode Fuzzy Hash: f24881b155b4f6c1e3c63f3d375055f18753f42aa1187592a0a5d183749d5317
                              • Instruction Fuzzy Hash: 37412970D04609DFDB68CFAAC941A9EFBF2BF88700F24C12AD514AB265D7349A12CF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6aa66f9c30e1b7f250f744c1c5ac01e0b15d5628c5df89cbe6dadde8b1d4ad89
                              • Instruction ID: fb1f84809725d3fc1765bcb1b2751246778339c5606d034652011a1caf2c5c76
                              • Opcode Fuzzy Hash: 6aa66f9c30e1b7f250f744c1c5ac01e0b15d5628c5df89cbe6dadde8b1d4ad89
                              • Instruction Fuzzy Hash: 64411270D0520ADFDF08CFE6D5815AEFBB6FB88300F21A42AC415BB254E77496518F94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8a9f94d3d776dd5bb7f3f6802efe4c9d3ccdf170d6b43da5c675e76477ff3aa5
                              • Instruction ID: 2e2d1b5f19db45e2d556015a28e16e802f06f6694ef9c66fd4828bd7bc9424e2
                              • Opcode Fuzzy Hash: 8a9f94d3d776dd5bb7f3f6802efe4c9d3ccdf170d6b43da5c675e76477ff3aa5
                              • Instruction Fuzzy Hash: D941F3B0D0520ADBCF08CFA5D5814AEFBB2FB88310F24D85AC405BB304D7709A51CB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 693304b22524f95dc2b1adb92dd6a33f6c96e1878fc65ee3cf80bf2f818d7aa3
                              • Instruction ID: 9f1b1bb2a70358884405e75d03d8378bf8185d116016c2ce9547d4eb758380e9
                              • Opcode Fuzzy Hash: 693304b22524f95dc2b1adb92dd6a33f6c96e1878fc65ee3cf80bf2f818d7aa3
                              • Instruction Fuzzy Hash: 8841E2B0E0520ADBCF18CF99D5914AEFBB2FB89301F20D86AC415BB304D7709A51CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4293107d8b619cb4a456f9b7fefe548462acaa20cf4becc2ccf657fdd2a1a165
                              • Instruction ID: 877e58cd816a3173eb8ed9f0c5c607bcc320e770831817a523b4040534ab5f89
                              • Opcode Fuzzy Hash: 4293107d8b619cb4a456f9b7fefe548462acaa20cf4becc2ccf657fdd2a1a165
                              • Instruction Fuzzy Hash: 603126B0D04249DFDB19DFBAD9452AEBFF2BB88200F14C4AAC414AB259DB345A52DF40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ea898df9c704c32b1484fe7d514c0b48e7207b586f1c40ed1ccbe80727a37224
                              • Instruction ID: eadfc6737c5abd869277bbb7b6c381cf148003d81b50b1da0fa7e9c985546ac9
                              • Opcode Fuzzy Hash: ea898df9c704c32b1484fe7d514c0b48e7207b586f1c40ed1ccbe80727a37224
                              • Instruction Fuzzy Hash: E0110AB1D05209DFDB18CFABD54159EFBF6BF88200F24C56AC418AB215DB384A518F44
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 12f2d66833e513c327cecb5270bf3fe0f316b74a72353e51afa96d10011bfddf
                              • Instruction ID: 6ec57366bae5c4999c808e7644c3a321b16e8d3edd805d6aa892b54fa8233147
                              • Opcode Fuzzy Hash: 12f2d66833e513c327cecb5270bf3fe0f316b74a72353e51afa96d10011bfddf
                              • Instruction Fuzzy Hash: 211105B1E04608CBEB18CFAB99415AEFBF7AFC8300F64C07A8918A7215DB3456528F51
                              Uniqueness

                              Uniqueness Score: -1.00%
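The function records above (Memory Dump Source, Similarity, Uniqueness blocks) are easier to triage programmatically than by scrolling: the practical question is which dumped memory regions hold the most code and which of them were not backed by a PE image, since "based on PE: false" means the dump was not mapped from a file on disk and is therefore where runtime-written (unpacked or injected) code lives. The following Python parser is an added example and is not part of the Joe Sandbox report on this page. It reads a constructed sample made of three records copied from the layout above, groups functions by dump region, and lists functions that reference strings; the assumption that '$' separates the individual strings in the String ID field is marked in the code.

```python
import re
from collections import Counter

# Constructed sample: three records copied from the report layout on this page
# (two executed, one from the "Non-executed Functions" section carrying strings).
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000000.00000002.258073981.0000000005C40000.00000040.00000001.sdmp, Offset: 05C40000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ae87d17f4ad96751168a93229d98b39931386e76b4e5cef8a8632a6f25ef8fb
• Instruction ID: ca750f2d4d2e26e472af641858f61f0a7cd38f74b8b400b1ec5366a6aa61464a
• Opcode Fuzzy Hash: 5ae87d17f4ad96751168a93229d98b39931386e76b4e5cef8a8632a6f25ef8fb
• Instruction Fuzzy Hash: AEF0303495434CDBCB04EFA4A45ABAD7FB8AB02705F2449ACEC05172C1CB716940CB56
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff15f5b775767a1a71bffb35f7bc4a5828edf083fff127be20cfbfb6b6d934c0
• Instruction ID: c3bc2e8b71693a1ffe581d23c8916c78765095d747921cfec1a9d31c57fa8af6
• Opcode Fuzzy Hash: ff15f5b775767a1a71bffb35f7bc4a5828edf083fff127be20cfbfb6b6d934c0
• Instruction Fuzzy Hash: 2FE04F70D01108DFC748EFB9D9446ADFBF5AF46300F9051B98808A3250EB306A54CB99
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Strings
Memory Dump Source
• Source File: 00000000.00000002.256816194.0000000005160000.00000040.00000001.sdmp, Offset: 05160000, based on PE: false
Similarity
• API ID:
• String ID: PE@b$PE@b$Z.:i
• API String ID: 0-2307061755
• Opcode ID: 20b6dbae5a7e30e98b209b92fefb18f234a1db381d86c0b7c9fe65ba37228f2b
• Instruction ID: 89cf0efb75d65af792dd45cbca0ec07d17248b07c1d2c175f8bedcae8b0c0eae
• Opcode Fuzzy Hash: 20b6dbae5a7e30e98b209b92fefb18f234a1db381d86c0b7c9fe65ba37228f2b
• Instruction Fuzzy Hash: 99911674D04219DFDB18DFA9C584AADFBF2FF89304F2081AAD815AB255D734AA42CF50
Uniqueness

Uniqueness Score: -1.00%
"""

SOURCE_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)", re.I)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_records(text):
    """Return one dict per function record; 'executed' is False for records
    that appear after the 'Non-executed Functions' heading."""
    records, current, executed = [], None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Non-executed Functions":
            executed = False
        elif line == "Memory Dump Source":          # start of a new record
            current = {"executed": executed, "strings": []}
            records.append(current)
        elif current is None:
            continue
        elif (m := SOURCE_RE.search(line)):
            current["source_file"] = m["file"]
            current["offset"] = int(m["offset"], 16)
            current["based_on_pe"] = m["pe"].lower() == "true"
        elif (m := FIELD_RE.match(line)):
            key, value = m["key"].strip(), m["value"].strip()
            if key == "String ID":
                # Assumption: '$' separates the individual strings in this field.
                current["strings"] = [s for s in value.split("$") if s]
            else:
                current[key.lower().replace(" ", "_")] = value
        elif line.startswith("Uniqueness Score:"):
            current["uniqueness_score"] = float(line.split(":", 1)[1].strip().rstrip("%"))
    return records


def functions_per_region(records):
    """Function count per dump region, largest first. Regions with
    'based on PE: false' were not mapped from a PE file on disk, so the code
    there was written at runtime: pull those dumps for the unpacked stage."""
    counts = Counter((r["source_file"], r["offset"], r["based_on_pe"]) for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][1]))


def functions_with_strings(records):
    """(offset, executed, strings) for every function that references strings."""
    return [(r["offset"], r["executed"], r["strings"]) for r in records if r["strings"]]
```

Feed the full report text (the page saved as plain text) to parse_records instead of SAMPLE_REPORT; functions_per_region then ranks the 0x05160000 and 0x05C40000 dumps by how much code they contain, and functions_with_strings points at the few functions whose string references (such as the "PE@b" pair above) are worth opening first in a disassembler.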