
Analysis Report NEW ORDER_8876630.exe

Overview

General Information

Sample Name: NEW ORDER_8876630.exe
Analysis ID: 320333
MD5: 1745bf7233bdb5b42fba4517363b258f
SHA1: 826f6dcbbe56fa62b3894f52c5ab18fd009930e2
SHA256: 33d2ce58e713daa6aeae2d712dfbdac9e7f431df73c969f0c70afa75b56f1ab9
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore AveMaria MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected AveMaria stealer
Yara detected MailPassView
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • NEW ORDER_8876630.exe (PID: 6164 cmdline: 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • schtasks.exe (PID: 6444 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • NEW ORDER_8876630.exe (PID: 5852 cmdline: {path} MD5: 1745BF7233BDB5B42FBA4517363B258F)
      • schtasks.exe (PID: 6624 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6156 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • vbc.exe (PID: 5876 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\3agbefca.z1h' MD5: B3A917344F5610BEEC562556F11300FA)
      • vbc.exe (PID: 5796 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh' MD5: B3A917344F5610BEEC562556F11300FA)
      • vbc.exe (PID: 5776 cmdline: 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh' MD5: B3A917344F5610BEEC562556F11300FA)
  • NEW ORDER_8876630.exe (PID: 6852 cmdline: 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' 0 MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • schtasks.exe (PID: 6672 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6900 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 1745BF7233BDB5B42FBA4517363B258F)
  • dhcpmon.exe (PID: 4088 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • schtasks.exe (PID: 6916 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6508 cmdline: {path} MD5: 1745BF7233BDB5B42FBA4517363B258F)
    • dhcpmon.exe (PID: 4928 cmdline: {path} MD5: 1745BF7233BDB5B42FBA4517363B258F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | see list below
  • 0x561e7:$a: NanoCore
  • 0x562d1:$a: NanoCore
  • 0x57148:$a: NanoCore
  • 0x602f2:$a: NanoCore
  • 0x60353:$a: NanoCore
  • 0x60396:$a: NanoCore
  • 0x603d6:$a: NanoCore
  • 0x60612:$a: NanoCore
  • 0x606b2:$a: NanoCore
  • 0x60e8a:$a: NanoCore
  • 0x6147d:$a: NanoCore
  • 0x615ce:$a: NanoCore
  • 0x62428:$a: NanoCore
  • 0x6268f:$a: NanoCore
  • 0x626a4:$a: NanoCore
  • 0x626c3:$a: NanoCore
  • 0x6b5c6:$a: NanoCore
  • 0x6b5ef:$a: NanoCore
  • 0x77368:$a: NanoCore
  • 0x77391:$a: NanoCore
  • 0x9c254:$a: NanoCore
00000009.00000002.924508392.0000000007CDF000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
(5 of 99 entries shown)

          Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | see list below
  • 0x5b99:$x1: NanoCore.ClientPluginHost
  • 0x5bb3:$x2: IClientNetworkHost
9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | see list below
  • 0x5b99:$x2: NanoCore.ClientPluginHost
  • 0x6bce:$s4: PipeCreated
  • 0x5b86:$s5: IClientLoggingHost
9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | see list below
  • 0x1f1db:$x1: NanoCore.ClientPluginHost
  • 0x1f1f5:$x2: IClientNetworkHost
9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | see list below
  • 0x1f1db:$x2: NanoCore.ClientPluginHost
  • 0x22518:$s4: PipeCreated
  • 0x1f1c8:$s5: IClientLoggingHost
9.2.NEW ORDER_8876630.exe.6100000.9.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | see list below
  • 0x1deb:$x1: NanoCore.ClientPluginHost
  • 0x1e24:$x2: IClientNetworkHost
(5 of 63 entries shown)

          Sigma Overview

          System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\NEW ORDER_8876630.exe, ProcessId: 5852, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' , ParentImage: C:\Users\user\Desktop\NEW ORDER_8876630.exe, ParentProcessId: 6164, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp', ProcessId: 6444

          Signature Overview


          AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Virustotal: Detection: 49%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe; Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe; ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: NEW ORDER_8876630.exe; Virustotal: Detection: 49%
Yara detected AveMaria stealer
Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match; File source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
Source: Yara match; File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NEW ORDER_8876630.exe; Joe Sandbox ML: detected
Source: 28.2.dhcpmon.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49729 -> 79.134.225.9:4321
Source: global traffic; TCP traffic: 192.168.2.4:49729 -> 79.134.225.9:4321
Source: Joe Sandbox View; ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown; TCP traffic detected without corresponding DNS query: 79.134.225.9 (this entry appears 100 times in the report)
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: NEW ORDER_8876630.exe, NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; String found in binary or memory: http://google.com
Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: NEW ORDER_8876630.exe, 00000000.00000002.670733862.0000000002721000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.699316079.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.693761971.0000000002A5E000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5e
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?oci
          Source: vbc.exe, 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.865177744.0000000000994000.00000004.00000010.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp, btuqens4.sdh.36.dr, 3agbefca.z1h.34.drString found in binary or memory: http://www.nirsoft.net/
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/staticY
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/favicon.ico
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/LMEMx
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=F
          Source: vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=we
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
          Source: dhcpmon.exe, 0000000F.00000002.693277110.0000000000E88000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

          E-Banking Fraud:

          Yara detected AveMaria stealer
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Yara detected Nanocore RAT
          Source: Yara match; File source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY
          Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
          Source: Yara match; File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE
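          The "String found in binary or memory" and "Yara match" lines above are easier to use once they are parsed rather than read one by one: the font-vendor URLs (fontbureau.com, sakkal.com, urwpp.de and the rest) come from the licence text of fonts loaded by any GDI+/.NET process and carry no signal, nirsoft.net points at the NirSoft recovery tools the signature list already flags, and the dump names tell you which process held a string and with what page protection. The helper below is an added example written by the editor for this page; it is not Joe Sandbox code and the report does not document its naming scheme. It assumes a dump name is laid out as <process index>.<stage>.<sequence>.<base address>.<page protection>.<kind>.sdmp (hexadecimal except the sequence number, with the Win32 PAGE_* constants in the protection field), which is consistent with the report's own names: 0000001C.00000002 at base 0000000000402000 with protection 00000040 lines up with the unpacked image "28.2.dhcpmon.exe.400000.0.unpack". The noise list and the category names are the editor's heuristics, and the sample lines are copied from this report, some in the fused form the page extraction produced.

```python
"""Triage helper for Joe Sandbox "Source: ..." lines (editor's added example, not
from the report).  Assumed *.sdmp layout: <process idx>.<stage>.<seq>.<base>.<page
protection>.<kind>, all hex except <seq>; idx and stage are the decimal prefix of
"<idx>.<stage>.<image>.unpack", e.g. 0000001C.00000002 <-> 28.2.dhcpmon.exe."""
import re
from collections import Counter

PAGE_EXECUTE_READWRITE = 0x40  # winnt.h; that a dump-name field holds it is assumed
PROTECTION_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Hosts from the licence text of fonts bundled with Windows/.NET (editor's noise list).
FONT_METADATA_HOSTS = (
    "fontfabrik.com", "www.fontbureau.com", "www.fonts.com", "www.founder.com.cn",
    "www.galapagosdesign.com", "www.goodfont.co.kr", "www.jiyu-kobo.co.jp",
    "www.sajatypeworks.com", "www.sakkal.com", "www.sandoll.co.kr", "www.tiro.com",
    "www.typography.net", "www.urwpp.de", "www.zhongyicts.com.cn",
    "www.carterandcone.com", "www.apache.org")
DOTNET_SCHEMA_HOSTS = ("schemas.xmlsoap.org", "schemas.microsoft.com")

DUMP_RE = re.compile(r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
                     r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")
# Accepts both the fused extraction ("...sdmpString found ...") and a "; "-separated line.
STRING_LINE_RE = re.compile(r"^\s*Source:\s*(?P<sources>.+?)\s*[;,]?\s*(?:String found in "
                            r"binary or memory|Binary or memory string):\s*(?P<value>.+?)\s*$")
YARA_LINE_RE = re.compile(r"^\s*Source:\s*Yara match\s*[;,]?\s*File source:\s*(?P<file>.+?),"
                          r"\s*type:\s*\w+\s*$")


def decode_dump_name(name):
    """Split a dump name into its fields and name the page protection it encodes."""
    m = DUMP_RE.fullmatch(name.strip())
    if m is None:
        return None
    protect = int(m["protect"], 16)
    return {"process_index": int(m["proc"], 16), "stage": int(m["stage"], 16),
            "base": int(m["base"], 16), "protect": protect,
            "protect_name": PROTECTION_NAMES.get(protect, hex(protect)),
            "rwx": protect == PAGE_EXECUTE_READWRITE}


def classify_url(value):
    """Bucket an extracted string by host; anything unrecognised is left for review."""
    host_match = re.match(r"https?://([^/\s]+)", value)
    if host_match is None:
        return "non-url"
    host = host_match.group(1).lower()
    # Bytes after the real host (".coml", ".netD") are scanner overrun: match by prefix.
    if host.startswith(FONT_METADATA_HOSTS):
        return "font-metadata"
    if host in DOTNET_SCHEMA_HOSTS:
        return "dotnet-runtime"
    if "nirsoft.net" in host:
        return "nirsoft-tooling"
    if host.startswith(("ocsp.", "crl.")):
        return "pki-revocation"
    return "review"


def parse_string_line(line):
    """Return the value, its bucket and the (process, region) pairs that held it."""
    m = STRING_LINE_RE.match(line)
    if m is None:
        return None
    sources, current_exe = [], None
    for token in (t.strip() for t in m["sources"].split(",")):
        if DUMP_RE.fullmatch(token):
            sources.append((current_exe, decode_dump_name(token)))
        elif token.endswith(".dr"):
            sources.append((token, None))  # dropped file on disk, no memory region
        else:
            current_exe = token  # a process name precedes its own dumps
    return {"value": m["value"], "category": classify_url(m["value"]), "sources": sources}


def triage(lines):
    """Count hits per bucket, keep 'review' values with their processes, and collect
    every RWX region: that is where an unpacked or hollowed payload normally sits."""
    by_category, review, rwx_regions = Counter(), {}, set()
    for line in lines:
        hit = parse_string_line(line)
        if hit is not None:
            by_category[hit["category"]] += 1
            if hit["category"] == "review":
                review.setdefault(hit["value"], set()).update(e for e, _ in hit["sources"] if e)
            regions = [r for _, r in hit["sources"] if r]
        else:
            ym = YARA_LINE_RE.match(line)
            r = decode_dump_name(ym["file"]) if ym else None
            regions = [r] if r else []
        rwx_regions.update((r["process_index"], r["base"]) for r in regions if r["rwx"])
    return {"by_category": dict(by_category), "review": review, "rwx_regions": sorted(rwx_regions)}


# Constructed sample: lines copied from this report, some in the fused form.
SAMPLE_LINES = [
    "Source: NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml",
    "Source: NEW ORDER_8876630.exe, NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpString found in binary or memory: http://google.com",
    "Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0",
    "Source: vbc.exe, 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, btuqens4.sdh.36.dr; String found in binary or memory: http://www.nirsoft.net/",
    'Source: dhcpmon.exe, 0000000F.00000002.693277110.0000000000E88000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>',
    "Source: Yara matchFile source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match; File source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY",
]
```

          Run against the full list on this page, triage() leaves only a handful of URLs in the review bucket (google.com in the NanoCore-hosting process, and the msn/google/doubleclick residue in vbc.exe that matches the browser-data harvesting already flagged in the signature list), and its rwx_regions output names the 0x402000 regions in processes 9, 20 and 28 that the Yara hits and the ".400000.0.unpack" entries both point at, plus the 0x400000 RWX region in the vbc.exe instance that holds the nirsoft.net string.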

          System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000002.919842814.0000000004731000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6c80000.17.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6c50000.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.5240000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
          Initial sample is a PE file and has a suspicious name
          Source: initial sample; Static PE information: Filename: NEW ORDER_8876630.exe
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 0_2_00234E95
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 0_2_00AFC124
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 0_2_00AFE561
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 0_2_00AFE570
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 7_2_003C4E95
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_008E4E95
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_06522238
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_06523730
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_065146D3
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_065142EB
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_06513324
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_011CE471
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_011CE480
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 9_2_011CBBD4
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 14_2_00C24E95
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 14_2_014FC124
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 14_2_014FE562
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 14_2_014FE570
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_2_006E4E95
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_2_00E7C124
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_2_00E7E562
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Code function: 15_2_00E7E570
          Source: NEW ORDER_8876630.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: sTIihDLgsDxOeq.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: dhcpmon.exe.9.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: NEW ORDER_8876630.exe, 00000000.00000002.669871538.00000000002A6000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.672364153.0000000003948000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameB2B.exe4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.679046010.0000000009480000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.679406024.0000000009570000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.679406024.0000000009570000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000007.00000002.668026345.0000000000436000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNAudio.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 0000000E.00000002.709414711.0000000007320000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameB2B.exe4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 0000000E.00000000.681598052.0000000000C96000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 0000000E.00000002.709634185.00000000075D0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 0000000E.00000002.709634185.00000000075D0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 0000000E.00000002.709295285.0000000007190000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMARCUS.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 0000000E.00000002.710228104.00000000093B0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000013.00000000.695212366.00000000002A6000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000014.00000002.713524450.0000000000E76000.00000002.00020000.sdmp; Binary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exeBinary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.669871538.00000000002A6000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.672364153.0000000003948000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.679046010.0000000009480000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.679406024.0000000009570000.00000002.00000001.sdmpBinary or memory string: originalfilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000000.00000002.679406024.0000000009570000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000007.00000002.668026345.0000000000436000.00000002.00020000.sdmpBinary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exeBinary or memory string: OriginalFilename vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs NEW ORDER_8876630.exe
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs NEW ORDER_8876630.exe
Source: 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.919842814.0000000004731000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.NEW ORDER_8876630.exe.6c80000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.NEW ORDER_8876630.exe.6c80000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.2.NEW ORDER_8876630.exe.5810000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c50000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c50000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5240000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5240000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.919842814.0000000004731000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c80000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c80000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c70000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6100000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6140000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6150000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c50000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c50000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5670000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5240000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5240000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c60000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6c90000.18.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5810000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6120000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 9.2.NEW ORDER_8876630.exe.6510000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: NEW ORDER_8876630.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: sTIihDLgsDxOeq.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: dhcpmon.exe.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
          Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@34/17@0/1
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe File created: C:\Program Files (x86)\DHCP Monitor
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe File created: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Mutant created: \Sessions\1\BaseNamedObjects\DtwUqciGKiRjooXSHiqUg
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4864:120:WilError_01
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{1a99772f-8635-4efa-9ce3-0da1f36f00d5}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe File created: C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp
          Source: NEW ORDER_8876630.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe System information queried: HandleInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: NEW ORDER_8876630.exe Virustotal: Detection: 49%
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe File read: C:\Users\user\Desktop\NEW ORDER_8876630.exe
          Source: unknown Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe 'C:\Users\user\Desktop\NEW ORDER_8876630.exe'
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: unknown Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe 'C:\Users\user\Desktop\NEW ORDER_8876630.exe' 0
          Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: unknown Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\3agbefca.z1h'
          Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh'
          Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe 'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: NEW ORDER_8876630.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: NEW ORDER_8876630.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: NEW ORDER_8876630.exe, 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp
          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: NEW ORDER_8876630.exe, 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp, vbc.exe, 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: NEW ORDER_8876630.exe, 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp
          Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp
          Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: NEW ORDER_8876630.exe
          Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 0_2_002360D2 push es; retf 0_2_002360DA
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 0_2_00AFDEEF push cs; retn 0004h 0_2_00AFDEFA
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 0_2_00AFDF02 push cs; retn 0004h 0_2_00AFDF0A
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 7_2_003C60D2 push es; retf 7_2_003C60DA
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 9_2_008E60D2 push es; retf 9_2_008E60DA
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 14_2_00C260D2 push es; retf 14_2_00C260DA
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Code function: 14_2_014FB5D0 pushad ; retf 14_2_014FB5ED
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_006E60D2 push es; retf 15_2_006E60DA
          Source: initial sample Static PE information: section name: .text entropy: 7.75604514901
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
          Source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe File created: C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match; File source: 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.670812071.00000000027A8000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000E.00000002.699403409.0000000003042000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.693761971.0000000002A5E000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
          Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: NEW ORDER_8876630.exe, 00000000.00000002.671609130.0000000002AD9000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.699316079.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.694294173.0000000002DD9000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: NEW ORDER_8876630.exe, 00000000.00000002.671609130.0000000002AD9000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.699316079.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.694294173.0000000002DD9000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Code function: 0_2_00235C2B sldt word ptr [eax]; 0_2_00235C2B
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Window / User API: threadDelayed 5509
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Window / User API: threadDelayed 4153
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Window / User API: foregroundWindowGot 571
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Window / User API: foregroundWindowGot 704
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 2016; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 6224; Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 1808; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 1548; Thread sleep time: -12912720851596678s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 6908; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 6920; Thread sleep time: -41500s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 6896; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7092; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6912; Thread sleep time: -41500s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7100; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe TID: 4044; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4344; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1620; Thread sleep time: -41500s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4972; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7104; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
          Source: dhcpmon.exe, 00000015.00000002.730097018.00000000029B9000.00000004.00000001.sdmp; Binary or memory string: VMware
          Source: dhcpmon.exe, 00000015.00000002.727609478.0000000002601000.00000004.00000001.sdmp; Binary or memory string: vmware
          Source: dhcpmon.exe, 00000015.00000002.727609478.0000000002601000.00000004.00000001.sdmp; Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: NEW ORDER_8876630.exe, 0000000E.00000002.698765888.000000000130E000.00000004.00000001.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_
          Source: dhcpmon.exe, 00000015.00000002.727609478.0000000002601000.00000004.00000001.sdmp; Binary or memory string: VMWARE
          Source: dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
          Source: dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: dhcpmon.exe, 00000015.00000002.727609478.0000000002601000.00000004.00000001.sdmp; Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: NEW ORDER_8876630.exe, 00000009.00000003.858898194.0000000001048000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Process token adjusted: Debug
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Process created: C:\Users\user\Desktop\NEW ORDER_8876630.exe {path}
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp'
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp'
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
          Source: NEW ORDER_8876630.exe, 00000009.00000002.918787904.000000000317C000.00000004.00000001.sdmp; Binary or memory string: Program Manager4w"
          Source: NEW ORDER_8876630.exe, 00000009.00000002.918734102.000000000316A000.00000004.00000001.sdmp; Binary or memory string: Program Manager
          Source: NEW ORDER_8876630.exe, 00000009.00000002.917048714.0000000001740000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
          Source: NEW ORDER_8876630.exe, 00000009.00000002.917048714.0000000001740000.00000002.00000001.sdmp; Binary or memory string: Progman
          Source: NEW ORDER_8876630.exe, 00000009.00000002.924138899.00000000072FE000.00000004.00000001.sdmp; Binary or memory string: Program Managerram Manager
          Source: NEW ORDER_8876630.exe, 00000009.00000002.922655257.00000000060FB000.00000004.00000001.sdmp; Binary or memory string: Program ManagerT^
          Source: NEW ORDER_8876630.exe, 00000009.00000002.917048714.0000000001740000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
          Source: NEW ORDER_8876630.exe, 00000009.00000002.923034146.00000000064FA000.00000004.00000001.sdmp; Binary or memory string: Program Managerram Manager
          Source: NEW ORDER_8876630.exe, 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp; Binary or memory string: Program Manager@
          Source: NEW ORDER_8876630.exe, 00000009.00000002.923953764.0000000006E7E000.00000004.00000001.sdmp; Binary or memory string: Program Manager
          Source: NEW ORDER_8876630.exe, 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp; Binary or memory string: Program ManagerD$Tk9
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Users\user\Desktop\NEW ORDER_8876630.exe | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
          Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
          Source: C:\Users\user\Desktop\NEW ORDER_8876630.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

          Stealing of Sensitive Information:

          Yara detected AveMaria stealer
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Yara detected MailPassView
          Source: Yara match | File source: 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.924228437.000000000734F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.924432961.0000000007C61000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5876, type: MEMORY
          Source: Yara match | File source: 34.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 34.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Yara detected Nanocore RAT
          Source: Yara match | File source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY
          Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
          Source: Yara match | File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Tries to steal Instant Messenger accounts or passwords
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
          Tries to steal Mail credentials (via file access)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
          Yara detected WebBrowserPassView password recovery tool
          Source: Yara match | File source: 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.924508392.0000000007CDF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5776, type: MEMORY
          Source: Yara match | File source: 36.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 36.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Detected Nanocore Rat
          Source: NEW ORDER_8876630.exe, 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe | String found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: NEW ORDER_8876630.exe, 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe, 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttri
buteSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: dhcpmon.exe, 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: dhcpmon.exe, 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem
.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
          Source: NEW ORDER_8876630.exe, 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exeString found in binary or memory: NanoCore.ClientPluginHost
          Source: NEW ORDER_8876630.exe, 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCo
mmandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeyw
ordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploa
dOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
          Source: NEW ORDER_8876630.exe, 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersion
AttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
          Yara detected AveMaria stealer
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Yara detected Nanocore RAT
          Source: Yara match; File source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 5852, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6164, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 6852, type: MEMORY
          Source: Yara match; File source: Process Memory Space: NEW ORDER_8876630.exe PID: 2456, type: MEMORY
          Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 4088, type: MEMORY
          Source: Yara match; File source: 28.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 9.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 20.2.NEW ORDER_8876630.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 9.2.NEW ORDER_8876630.exe.5300000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 9.2.NEW ORDER_8876630.exe.5300000.4.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation 1 | Scheduled Task/Job 1 | Process Injection 12 | Masquerading 2 | OS Credential Dumping 1 | Security Software Discovery 221 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 4 | Input Capture 21 | Virtualization/Sandbox Evasion 4 | Remote Desktop Protocol | Input Capture 21 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Credentials in Registry 1 | Process Discovery 3 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 12 | Credentials In Files 1 | Application Window Discovery 1 | Distributed Component Object Model | Data from Local System 1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Information Discovery 14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph


          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 320333
Sample: NEW ORDER_8876630.exe
Startdate: 19/11/2020
Architecture: WINDOWS
Score: 100

Signatures on the sample node:
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Malicious sample detected (through community Yara rule)
• Multi AV Scanner detection for dropped file
• 15 other signatures

Processes started from the sample: NEW ORDER_8876630.exe (two instances), dhcpmon.exe (two instances)

Files dropped by NEW ORDER_8876630.exe:
• C:\Users\user\AppData\...\sTIihDLgsDxOeq.exe (PE32)
• C:\Users\user\AppData\Local\...\tmpBCE5.tmp (XML)
• C:\Users\user\...\NEW ORDER_8876630.exe.log (ASCII)

Child processes of NEW ORDER_8876630.exe and dhcpmon.exe: further NEW ORDER_8876630.exe instances, schtasks.exe (each with a conhost.exe), further dhcpmon.exe instances

Activity of the child NEW ORDER_8876630.exe process:
• Network: 79.134.225.9, 4321, 49729 (FINK-TELECOM-SERVICESCH, Switzerland)
• Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32)
• Dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO)
• Dropped: C:\...\dhcpmon.exe:Zone.Identifier (ASCII)
• Started: vbc.exe (two instances), schtasks.exe (with conhost.exe), 2 other processes

Signatures on the vbc.exe processes:
• Tries to steal Instant Messenger accounts or passwords
• Tries to steal Mail credentials (via file access)
• Tries to harvest and steal browser information (history, passwords, etc)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label | Link
NEW ORDER_8876630.exe | 49% | Virustotal | | Browse
NEW ORDER_8876630.exe | 100% | Joe Sandbox ML | |

          Dropped Files

Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 49% | Virustotal | | Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | 49% | Virustotal | | Browse
C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

          Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
28.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
9.2.NEW ORDER_8876630.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File
20.2.NEW ORDER_8876630.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094 | vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.msn.com/?ocid=iehpLMEM | vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | false | | high
http://www.fontbureau.com/designers/? | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.fontbureau.com/designers? | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072 | vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | false | | high
http://www.fontbureau.com/designers | dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.carterandcone.coml | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.sajatypeworks.com | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.typography.netD | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://fontfabrik.com | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.founder.com.cn/cn | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.fontbureau.com/designers/frere-user.html | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.galapagosdesign.com/DPlease | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.fontbureau.com/designers8 | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.msn.com/de-ch/?oci | vbc.exe, 00000024.00000002.866920446.000000000532D000.00000004.00000020.sdmp | false | | high
http://www.fonts.com | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.urwpp.deDPlease | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.nirsoft.net/ | vbc.exe, 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000024.00000002.865177744.0000000000994000.00000004.00000010.sdmp, vbc.exe, 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp, btuqens4.sdh.36.dr, 3agbefca.z1h.34.dr | false | | high
http://www.zhongyicts.com.cn | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | NEW ORDER_8876630.exe, 00000000.00000002.670733862.0000000002721000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.699316079.0000000002FC1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.693761971.0000000002A5E000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | NEW ORDER_8876630.exe, 00000000.00000002.677257887.00000000067D2000.00000004.00000001.sdmp, NEW ORDER_8876630.exe, 0000000E.00000002.708049355.0000000006000000.00000002.00000001.sdmp, dhcpmon.exe, 0000000F.00000002.698153795.0000000005AB0000.00000002.00000001.sdmp, dhcpmon.exe, 00000015.00000002.736413948.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown

                                            Contacted IPs


                                            Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
79.134.225.9 | unknown | Switzerland | | 6775 | FINK-TELECOM-SERVICESCH | true

                                            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 320333
Start date: 19.11.2020
Start time: 09:20:03
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 21s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: NEW ORDER_8876630.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@34/17@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.4% (good quality ratio 0.3%)
• Quality average: 66.7%
• Quality standard deviation: 37.1%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 90
• Number of non-executed functions: 5
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
09:20:57 | API Interceptor | 65x Sleep call for process: NEW ORDER_8876630.exe modified
09:21:05 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\NEW ORDER_8876630.exe" s>$(Arg0)
09:21:06 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
09:21:07 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:21:10 | API Interceptor | 53x Sleep call for process: dhcpmon.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
79.134.225.9 | yrIVz5su2U.exe | Get hash | malicious | Browse |
| DHL 2723382830#U6536#U636e,pdf.exe | Get hash | malicious | Browse |
| Huidmwk.exe | Get hash | malicious | Browse |
| Huidmwk.exe | Get hash | malicious | Browse |

                                                    Domains

                                                    No context

                                                    ASN


JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 487936
Entropy (8bit): 7.729635851000467
Encrypted: false
SSDEEP: 6144:sirOTLIHLIQXLdOgffsHGOu7O77ci7rFlfx++Y+Am1DOdvRdBHMlU8LFCcN:ETL4IoJ38H27O97/fxY9Jt8LFj
MD5: 1745BF7233BDB5B42FBA4517363B258F
SHA1: 826F6DCBBE56FA62B3894F52C5AB18FD009930E2
SHA-256: 33D2CE58E713DAA6AEAE2D712DFBDAC9E7F431DF73C969F0C70AFA75B56F1AB9
SHA-512: D787F9ADE504D281689A66A3C160A2B99CDC3B429F02C78385732AD5F987EFC33C80B3EFE1B5B97085CA3F1F116BCF82B6AB1DEDC05DB05C9FDBBD8866CC644B
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 49%
• Antivirus: ReversingLabs, Detection: 42%
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER_8876630.exe.log
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1301
Entropy (8bit): 5.345637324625647
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
MD5: 6C42AAF2F2FABAD2BAB70543AE48CEDB
SHA1: 8552031F83C078FE1C035191A32BA43261A63DA9
SHA-256: 51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
SHA-512: 014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1301
Entropy (8bit): 5.345637324625647
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4VE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz5
MD5: 6C42AAF2F2FABAD2BAB70543AE48CEDB
SHA1: 8552031F83C078FE1C035191A32BA43261A63DA9
SHA-256: 51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967
SHA-512: 014E89857B811765EA7AA0B030AB04A2DA1957571608C4512EC7662F6A4DCE8B0409626624DABC96CBFF079E7F0F4A916E6F49C789E00B6E46AD37C36C806DCA
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Temp\3agbefca.z1h
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: HTML document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 523
Entropy (8bit): 5.166440724009737
Encrypted: false
SSDEEP: 12:BMQkS9xyR4VrR1LEIJ9yuNJmcfNXbYmvmAwYxZwgJwnbnyAwoE:WlS9v5N9ZmcfSYm0XwgynbnyF
MD5: 69B2A2E17E78D24ABEE9F1DE2F04811A
SHA1: D19C109704E83876AB3527457F9418A7D053AA33
SHA-256: 1B1491F21E64681F8FDC27B2265E2274FB7813EECB6AD8B446D2E431F6300EDD
SHA-512: EB7269979BC4187520636FE3D7B3089F2C7C02E81C4CE2A738ADE680F72C61C67FE9577EEAA09D3CA93F34B60BE8C434D2CFBFED6566E783F6611279F056150F
Malicious: false
Preview: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">..<html><head><title>Email Accounts List</title></head>..<body>.. <h3>Email Accounts List</h3>..<br><h4>Created by using <a href="http://www.nirsoft.net/" target="newwin">Mail PassView</a></h4><p><table border="1" cellpadding="5"><tr bgcolor="E0E0E0">..<th>Name..<th>Application..<th>Email..<th>Server..<th>Server Port..<th>Secured..<th>Type..<th>User..<th>Password..<th>Profile..<th>Password Strength..<th>SMTP Server..<th>SMTP Server Port..</table>....</body></html>
C:\Users\user\AppData\Local\Temp\btuqens4.sdh
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type: HTML document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 926
Entropy (8bit): 3.5897431793749606
Encrypted: false
SSDEEP: 24:QAl45i94TBYTCvq4A3Y7eOhv8UFaoQBIn4+pS:a5icwVTOhnFaoQ+n4+4
MD5: 919E671C3D5959A91EF2D4C377D2B2FF
SHA1: B1202B19512BBD390D3D5164792501C87BB42C41
SHA-256: D2E079DF7CF6388315368BA79BF099AD2FF5428AF51BF5ABF2D99A2D7C5EB651
SHA-512: F3298256372BEAB8EFE81B2E08D3B3869281F625DE1EE13189C6B95EB2134D223DF6F64CC9E490DD6B52A53AA936ADC17BD5DFE4E50EE0FE420F3EBAE276381C
Malicious: false
Preview (UTF-16 decoded): <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">..<html><head><title>Web Browser Passwords</title></head>..<body>.. <h3>Web Browser Passwords</h3>..<br><h4>Created by using <a href="http://www.nirsoft.net/" target="newwin">WebBrowserPassView</a></h4><p><table border="1" cellpadding="5"><tr bgcolor="E0E0E0">..<th>URL..<th>Web Browser..<th>User Name..<th>Password..<th>Password Strength..<th>User Name Field..<th>Password Field..</table>....</body></html>
C:\Users\user\AppData\Local\Temp\tmp11AC.tmp
Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1647
Entropy (8bit): 5.17953057668383
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGotn:cbhK79lNQR/rydbz9I3YODOLNdq3d
MD5: 605F7E07FF8FA3CC8A082BC33F645C62
SHA1: FD4CCF90636B71A77E5DF5B84BE8A86CF9A9E728
SHA-256: DF7BAD86F81276B8CC5A4ED68C5352FA4319303953AAB4CF8AC29B55E5EC52CE
SHA-512: FD3FC1D8112C3588B141C75170F023DADE256768F024FCD56AC1C06A12D3FF8C2921A302390D5185E81E4D3EE4F10F5BB97729F8DBAC8403DCDBBA218060EE20
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1647
Entropy (8bit): 5.17953057668383
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGotn:cbhK79lNQR/rydbz9I3YODOLNdq3d
MD5: 605F7E07FF8FA3CC8A082BC33F645C62
SHA1: FD4CCF90636B71A77E5DF5B84BE8A86CF9A9E728
SHA-256: DF7BAD86F81276B8CC5A4ED68C5352FA4319303953AAB4CF8AC29B55E5EC52CE
SHA-512: FD3FC1D8112C3588B141C75170F023DADE256768F024FCD56AC1C06A12D3FF8C2921A302390D5185E81E4D3EE4F10F5BB97729F8DBAC8403DCDBBA218060EE20
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Local\Temp\tmpD09C.tmp
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1307
Entropy (8bit): 5.136554816166762
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yqxtn:cbk4oL600QydbQxIYODOLedq3Oj
MD5: DC8F7205DF5B6966603257D088246BFF
SHA1: 86387DC4A771D6608164787033EF2E626F0A80A0
SHA-256: 326F10B4DA063CD4C6A6B953EFABDFC4CE63F605B96DC3B1AAC7DF3BE467492F
SHA-512: 1EEA785908317987359038A226C548BA3DC6925C3BFFD9E83AD9CC82794D6A3AE0E653BEEB9AB2A668D1F088DD330CA9EC9C8F758C7340044D8EF2AFA3011DC9
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
C:\Users\user\AppData\Local\Temp\tmpD35C.tmp
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.109425792877704
Encrypted: false
SSDEEP: 24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
SHA1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512: B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
C:\Users\user\AppData\Local\Temp\tmpEF30.tmp
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1647
Entropy (8bit): 5.17953057668383
Encrypted: false
SSDEEP: 24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGotn:cbhK79lNQR/rydbz9I3YODOLNdq3d
MD5: 605F7E07FF8FA3CC8A082BC33F645C62
SHA1: FD4CCF90636B71A77E5DF5B84BE8A86CF9A9E728
SHA-256: DF7BAD86F81276B8CC5A4ED68C5352FA4319303953AAB4CF8AC29B55E5EC52CE
SHA-512: FD3FC1D8112C3588B141C75170F023DADE256768F024FCD56AC1C06A12D3FF8C2921A302390D5185E81E4D3EE4F10F5BB97729F8DBAC8403DCDBBA218060EE20
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: data
Category: dropped
Size (bytes): 232
Entropy (8bit): 7.024371743172393
Encrypted: false
SSDEEP: 6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5: 32D0AAE13696FF7F8AF33B2D22451028
SHA1: EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256: 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512: 1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious: false
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: Non-ISO extended-ASCII text, with CR line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:AH:AH
MD5: DF0AF2A58ACFB586F3EB1F4752CDD35C
SHA1: A6AEA5722491C8AB0A221BBF53DBA9622055309C
SHA-256: 1C97C8725B4FA0052000FD20D30894F5945F2BE879CDDDC6CFDA789BAFAB0855
SHA-512: 10BEECBAF1C1F827DB0A2B014299D71EF09F32B434634F48750561AC7193973037FF8D53D7E338ED21DC18E3A2ECA7BD94FD04DF8CC7907E035ABC708DF412C4
Malicious: true
Preview: WT..d..H
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: data
Category: modified
Size (bytes): 40
Entropy (8bit): 5.153055907333276
Encrypted: false
SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious: false
Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: data
Category: dropped
Size (bytes): 327432
Entropy (8bit): 7.99938831605763
Encrypted: true
SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious: false
                                                    Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 44
Entropy (8bit): 4.559212516945552
Encrypted: false
SSDEEP: 3:oNt+WfWryp6fPA:oNwvmUfPA
MD5: 1E848A7D7A8CD3DF5CD19585CDD7F7C3
SHA1: 66CB715806767DB8905571F18955A3B596F9B3C0
SHA-256: C2276128170167404E72C69F31F3FB3CA930D9E96026CFC18A2517EA584B562F
SHA-512: 3571F16BD442A7EAE1F7751A5FCCE32DD4097171BE8D07492D2011927EBDC674D1C676862CFDDA838A3C756A8D2E6871CCDF35EB939D846F7745F409C799283A
Malicious: false
Preview: C:\Users\user\Desktop\NEW ORDER_8876630.exe
C:\Users\user\AppData\Roaming\sTIihDLgsDxOeq.exe
Process: C:\Users\user\Desktop\NEW ORDER_8876630.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 487936
Entropy (8bit): 7.729635851000467
Encrypted: false
SSDEEP: 6144:sirOTLIHLIQXLdOgffsHGOu7O77ci7rFlfx++Y+Am1DOdvRdBHMlU8LFCcN:ETL4IoJ38H27O97/fxY9Jt8LFj
MD5: 1745BF7233BDB5B42FBA4517363B258F
SHA1: 826F6DCBBE56FA62B3894F52C5AB18FD009930E2
SHA-256: 33D2CE58E713DAA6AEAE2D712DFBDAC9E7F431DF73C969F0C70AFA75B56F1AB9
SHA-512: D787F9ADE504D281689A66A3C160A2B99CDC3B429F02C78385732AD5F987EFC33C80B3EFE1B5B97085CA3F1F116BCF82B6AB1DEDC05DB05C9FDBBD8866CC644B
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 49%, Browse
• Antivirus: ReversingLabs, Detection: 42%
Preview: (PE32 .NET image; hashes are identical to the submitted sample, whose leading bytes are shown under File Content Preview in Static File Info; full byte dump not reproduced)

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.729635851000467
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: NEW ORDER_8876630.exe
File size: 487936
MD5: 1745bf7233bdb5b42fba4517363b258f
SHA1: 826f6dcbbe56fa62b3894f52c5ab18fd009930e2
SHA256: 33d2ce58e713daa6aeae2d712dfbdac9e7f431df73c969f0c70afa75b56f1ab9
SHA512: d787f9ade504d281689a66a3c160a2b99cdc3b429f02c78385732ad5f987efc33c80b3efe1b5b97085ca3f1f116bcf82b6ab1dedc05db05c9fdbbd8866cc644b
SSDEEP: 6144:sirOTLIHLIQXLdOgffsHGOu7O77ci7rFlfx++Y+Am1DOdvRdBHMlU8LFCcN:ETL4IoJ38H27O97/fxY9Jt8LFj
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j._..............0..,...D......&K... ...`....@.. ....................................@................................

File Icon

Icon Hash: 0dd21272d9ccc439

Static PE Info

General

Entrypoint: 0x474b26
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FB56AD3 [Wed Nov 18 18:41:23 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (this line repeats 97 times in the original listing: it is the disassembly of the zero bytes that follow the single indirect jmp through the IAT at 0x2000, the usual .NET entry stub)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74ad4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x41c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x72b2c | 0x72c00 | False | 0.860081358932 | data | 7.75604514901 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x76000 | 0x41c0 | 0x4200 | False | 0.31220407197 | data | 4.22937385179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x76190 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x765f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4290054656, next used block 4290054656 | |
RT_ICON | 0x776a0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4290251780, next used block 4290189330 | |
RT_GROUP_ICON | 0x79c48 | 0x30 | data | |
RT_VERSION | 0x79c78 | 0x35c | data | |
RT_MANIFEST | 0x79fd4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Microsoft 2017 - 2020
Assembly Version | 1.0.0.0
InternalName | .exe
FileVersion | 1.0.0.0
CompanyName | Microsoft
LegalTrademarks |
Comments |
ProductName | Monopoly Simulator
ProductVersion | 1.0.0.0
FileDescription | Monopoly Simulator
OriginalFilename | .exe

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/19/20-09:21:07.833217 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49729 | 4321 | 192.168.2.4 | 79.134.225.9

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2020 09:21:07.574177027 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:07.777597904 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:07.777743101 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:07.833216906 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:08.059365988 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:08.244832039 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:08.305620909 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:08.932408094 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:09.219861031 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:09.432524920 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:09.652750969 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:10.035526037 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:10.174184084 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:10.383342981 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:10.383404016 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:10.383476019 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:10.599653006 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:10.599709034 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:10.599771976 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:10.599915028 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:10.653995037 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:10.824536085 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:10.875585079 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:10.875837088 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:10.875881910 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:10.875978947 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:11.095186949 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:11.096019983 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:11.105705976 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:11.105794907 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:11.305669069 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:11.305974960 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:11.318087101 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:11.318126917 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:11.318191051 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:11.432882071 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:11.548851967 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:11.638549089 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:11.638609886 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:11.863959074 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:11.869226933 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:11.869307995 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:11.869482040 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:11.932651997 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.079642057 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.079916954 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.080179930 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.156668901 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.156694889 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.156764030 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.293311119 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.293401003 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.293479919 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.382618904 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.382644892 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.382663012 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.382894039 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.432719946 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.511066914 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.513133049 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.513909101 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.639528990 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.639573097 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.639622927 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.639735937 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.639849901 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.639894962 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.862952948 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.862977982 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.862994909 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.863009930 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.863025904 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.863039970 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.863064051 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.863936901 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.864898920 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:12.866702080 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:12.932749987 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:13.069506884 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.070662022 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.070691109 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.070720911 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:13.076715946 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.076781988 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:13.076886892 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.088591099 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.088648081 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:13.134604931 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.245286942 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:13.291349888 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.291412115 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.291456938 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.291485071 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
Nov 19, 2020 09:21:13.291533947 CET | 4321 | 49729 | 79.134.225.9 | 192.168.2.4
Nov 19, 2020 09:21:13.291594982 CET | 49729 | 4321 | 192.168.2.4 | 79.134.225.9
                                                    Nov 19, 2020 09:21:13.291603088 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.291650057 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.291687012 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.291723013 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.291753054 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.291789055 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.464363098 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.498791933 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.499006987 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.499064922 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.499104023 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.499182940 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.510063887 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.514969110 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.515022993 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.515151024 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.516828060 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.516941071 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.621627092 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.702860117 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.702960968 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.718038082 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.718084097 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.718108892 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.718128920 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.718183994 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.718189001 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.718229055 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.722441912 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.722501040 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.722611904 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.722670078 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.722696066 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.722714901 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.722738981 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.912163973 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.913167000 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.945759058 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.945938110 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.946235895 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.946269989 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.946373940 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.946598053 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.946636915 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.946672916 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:13.952862024 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:13.953469992 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.130660057 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.156771898 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.156861067 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.156892061 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.162482977 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.162518024 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.162612915 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.362200975 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.362230062 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.362301111 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.375940084 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.375967979 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.375986099 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.376123905 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.405487061 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.405702114 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.564877987 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.565794945 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.565879107 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.594326019 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.594348907 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.594449997 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.594485998 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.594769001 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.594861031 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.644289970 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.684458971 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.770880938 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.794850111 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.795661926 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.823827028 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.824012995 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.824076891 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.830102921 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.830135107 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.830187082 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:14.830265045 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.899799109 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:14.900063038 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.013015985 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.016804934 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.016992092 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.079823017 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.080019951 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.080218077 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.080503941 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.080586910 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.214241982 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.233705044 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.233795881 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.235918999 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.236082077 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.236135006 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.236162901 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.294503927 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.294537067 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.294559002 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.294589996 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.294648886 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.294889927 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.339217901 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.454138994 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.455635071 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.455656052 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.455730915 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.504290104 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.504318953 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.504338980 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.504357100 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.504398108 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.504436970 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.545772076 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.546272039 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.668818951 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.668894053 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.669004917 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.669023037 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.669061899 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.669364929 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.702841043 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.702963114 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.702994108 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.704055071 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.773623943 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.773648024 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.773730993 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.773823023 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.891516924 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.891588926 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.891635895 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.891689062 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.891697884 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.891802073 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.924545050 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.924659967 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.936400890 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.936672926 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:15.988148928 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:15.990056992 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.106400967 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.106735945 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.198879957 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.198900938 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.198952913 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.199295044 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.199357033 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.204437017 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.204458952 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.204495907 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.204549074 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.401721001 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.429755926 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.429786921 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.429810047 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.429833889 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.429848909 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.429990053 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.663975954 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.664088011 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.664266109 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.666456938 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.688715935 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.688819885 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.689032078 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.729969978 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.872886896 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.873577118 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.874145985 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.915704966 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.915746927 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.915884018 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.915894032 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:16.949995995 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:16.951101065 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.078524113 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.078818083 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.100796938 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.100868940 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.100955963 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.100963116 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.124829054 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.125039101 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.139691114 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.139848948 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.152812004 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.153211117 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.308079004 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.319936991 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.321041107 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.323748112 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.328536987 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.329802036 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.360440969 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.402401924 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.525827885 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.543720961 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.543960094 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.544032097 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.589968920 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.615164042 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.667675972 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.756397963 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.757009983 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.757231951 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.759263039 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.808141947 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.812273026 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.855158091 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.871671915 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.917965889 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:17.977597952 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.977648973 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:17.977735996 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:18.016518116 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:18.016618967 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:18.076939106 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:18.077887058 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:18.187081099 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:18.187166929 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:18.187649965 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:18.187757969 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:18.233244896 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:18.233438015 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:18.298810959 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:21:18.298890114 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:21:18.391726017 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:15.463355064 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:15.463392019 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:15.463494062 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:15.678850889 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:15.678879976 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:15.678898096 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:15.678930044 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:15.719234943 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:15.889205933 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:15.892925024 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:15.893218994 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:15.896075010 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:15.925728083 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:15.925822020 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.096805096 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.096831083 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.096976042 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.130415916 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.130439043 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.130455017 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.130633116 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.299604893 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.299627066 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.299814939 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.328684092 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.328710079 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.328727007 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.328815937 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.341330051 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.341428995 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.423862934 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.496587038 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.496855974 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.498079062 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.498167038 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.526355982 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.528703928 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.533622026 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.550116062 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.550252914 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.550841093 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.550915956 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.558638096 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.558784008 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.706517935 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.729758978 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.729872942 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.755153894 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.755184889 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.755300999 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.762522936 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.765959024 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.766695976 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.768620968 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.813144922 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.936177969 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.936532021 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.936636925 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.936686039 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.966588020 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:16.966871977 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:16.970767975 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.016277075 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.039232016 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.039355040 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.155853987 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.156066895 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.156275034 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.156392097 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.156399012 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.156491995 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.181639910 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.181700945 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.181895018 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.225941896 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.226181030 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.240793943 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.241020918 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.379580021 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.379628897 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.379673958 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.379704952 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.383753061 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.383882046 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.441307068 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.441628933 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.588385105 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.588434935 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.588558912 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.588761091 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.662739992 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.662986994 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.810633898 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.810748100 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:17.866302013 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:17.866410971 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:18.066482067 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.066695929 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:18.214776993 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.214888096 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:18.439662933 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.439728022 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.439754963 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:18.439791918 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:18.655200005 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.655447960 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:18.935519934 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.935801983 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.935856104 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.935892105 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:18.936284065 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.936362982 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:18.936620951 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.936897039 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.936961889 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:18.937259912 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:18.985169888 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.200761080 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.211906910 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.212352991 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.221158981 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.221199989 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.221223116 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.221247911 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.221271038 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.221338034 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.221380949 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.438251019 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.438345909 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.438385010 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.438406944 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.438429117 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.438472033 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.438515902 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.461441040 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.461472034 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.461488962 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.461601019 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.653310061 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.653340101 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.653570890 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.656207085 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.656229019 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.656353951 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.656512976 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.656651974 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.656725883 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.673835039 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.673872948 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.673892021 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.674010992 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.719672918 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.859951973 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.889507055 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.889542103 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.889559984 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.889643908 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.889683008 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.909431934 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.909467936 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.909573078 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.909604073 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:19.909638882 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:19.909678936 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.102612019 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.102776051 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.109597921 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.109659910 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.109688997 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.109772921 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.110141993 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.110199928 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.110232115 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.110260963 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.110399008 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.110521078 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.322913885 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.322957039 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.323117971 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.323158979 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.393594027 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.393630028 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.393702030 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.393728971 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.393809080 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.393851995 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.540744066 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.540915966 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.612319946 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.612407923 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.614698887 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.614819050 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.632042885 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.632193089 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.632328987 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.632390022 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.756134033 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.813462019 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:20.827110052 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.834692001 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:20.834872007 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:21.028398037 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.035072088 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.035229921 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:21.036541939 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.036734104 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.036850929 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:21.240282059 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.246798992 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.246978045 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:21.252049923 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.252187967 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.252271891 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:21.471060038 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.471179008 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:21.471235037 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.471297979 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:21.683690071 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.683875084 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:21.693300962 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:21.693464994 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:22.037832022 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:22.476512909 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:22.575092077 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:22.575172901 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:22.819605112 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:22.819660902 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:22.819686890 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:22.819716930 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:23.023118019 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:23.024055958 CET497294321192.168.2.479.134.225.9
                                                    Nov 19, 2020 09:22:23.761166096 CET43214972979.134.225.9192.168.2.4
                                                    Nov 19, 2020 09:22:23.761403084 CET497294321192.168.2.479.134.225.9

                                                    Code Manipulations

                                                    Statistics

                                                    CPU Usage

                                                    Memory Usage

                                                    High Level Behavior Distribution

                                                    Behavior

                                                    System Behavior

                                                    General

Start time: 09:20:51
Start date: 19/11/2020
Path: C:\Users\user\Desktop\NEW ORDER_8876630.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\NEW ORDER_8876630.exe'
Imagebase: 0x230000
File size: 487936 bytes
MD5 hash: 1745BF7233BDB5B42FBA4517363B258F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.670812071.00000000027A8000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.671708351.0000000003721000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

                                                    General

Start time: 09:20:58
Start date: 19/11/2020
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpBCE5.tmp'
Imagebase: 0x8f0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                    General

Start time: 09:20:59
Start date: 19/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                    General

Start time: 09:20:59
Start date: 19/11/2020
Path: C:\Users\user\Desktop\NEW ORDER_8876630.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x3c0000
File size: 487936 bytes
MD5 hash: 1745BF7233BDB5B42FBA4517363B258F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                    General

Start time: 09:21:00
Start date: 19/11/2020
Path: C:\Users\user\Desktop\NEW ORDER_8876630.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x8e0000
File size: 487936 bytes
MD5 hash: 1745BF7233BDB5B42FBA4517363B258F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000003.867613174.0000000008492000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000009.00000002.920217037.00000000048AF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.924508392.0000000007CDF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.919063635.00000000032BE000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.921527598.0000000005240000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922774518.0000000006140000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922410499.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923822273.0000000006C80000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000003.866883621.00000000049BB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.920399226.000000000499A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.924228437.000000000734F000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923784278.0000000006C70000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923733323.0000000006C50000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922678965.0000000006100000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000009.00000002.924432961.0000000007C61000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.915147294.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.917926783.0000000002DEC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.919477191.0000000003DD7000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.923757856.0000000006C60000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922720592.0000000006120000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922180318.0000000005670000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.917813976.0000000002D81000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.919842814.0000000004731000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.921619762.0000000005300000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.922805153.0000000006150000.00000004.00000001.sdmp, Author: Florian Roth
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:03
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpD09C.tmp'
                                                    Imagebase:0x8f0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:03
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:04
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpD35C.tmp'
                                                    Imagebase:0x8f0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:04
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:06
                                                    Start date:19/11/2020
                                                    Path:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\Desktop\NEW ORDER_8876630.exe' 0
                                                    Imagebase:0xc20000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.699403409.0000000003042000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.699982010.0000000003FC1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:07
                                                    Start date:19/11/2020
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                    Imagebase:0x6e0000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.694323608.0000000003A21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.693761971.0000000002A5E000.00000004.00000001.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 49%, Virustotal, Browse
                                                    • Detection: 42%, ReversingLabs
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:11
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmpEF30.tmp'
                                                    Imagebase:0x8f0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:12
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:12
                                                    Start date:19/11/2020
                                                    Path:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:{path}
                                                    Imagebase:0x230000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:13
                                                    Start date:19/11/2020
                                                    Path:C:\Users\user\Desktop\NEW ORDER_8876630.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0xe00000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.714393476.00000000040B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.713414094.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.714293728.00000000030B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:15
                                                    Start date:19/11/2020
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                    Imagebase:0x280000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000015.00000002.728033710.000000000264A000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.730217998.0000000003601000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:20
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\sTIihDLgsDxOeq' /XML 'C:\Users\user\AppData\Local\Temp\tmp11AC.tmp'
                                                    Imagebase:0x8f0000
                                                    File size:185856 bytes
                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:21
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff724c50000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:21:22
                                                    Start date:19/11/2020
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:{path}
                                                    Imagebase:0x80000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low

                                                    General

                                                    Start time:09:21:22
                                                    Start date:19/11/2020
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:{path}
                                                    Imagebase:0x7e0000
                                                    File size:487936 bytes
                                                    MD5 hash:1745BF7233BDB5B42FBA4517363B258F
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.740705876.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.742249975.0000000002AB1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.742409970.0000000003AB9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:low

                                                    General

                                                    Start time:09:22:27
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\3agbefca.z1h'
                                                    Imagebase:0xe90000
                                                    File size:2688096 bytes
                                                    MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000022.00000002.856704899.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                    Reputation:moderate

                                                    General

                                                    Start time:09:22:28
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh'
                                                    Imagebase:0xe90000
                                                    File size:2688096 bytes
                                                    MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language

                                                    General

                                                    Start time:09:22:30
                                                    Start date:19/11/2020
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh'
                                                    Imagebase:0xe90000
                                                    File size:2688096 bytes
                                                    MD5 hash:B3A917344F5610BEEC562556F11300FA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000024.00000002.865013144.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
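The three vbc.exe entries above share one shape: the VB.NET compiler is started with /shtml and a random file name under C:\Users\user\AppData\Local\Temp, and the in-memory Yara hits identify the NirSoft MailPassView and WebBrowserPassView password-recovery tools. /shtml is the NirSoft "save report as HTML" switch, not a compiler option, so a .NET compiler carrying it is a compact process-creation detection. The checker below is an added example, not part of the Joe Sandbox report or its rules; the event field names (ProcessId, Image, CommandLine) are an assumption modelled on Sysmon process-creation events, and the sample records are constructed, with the first three command lines copied from the report.

```python
"""Flag NirSoft credential-recovery switches on .NET compiler host processes."""
from __future__ import annotations

import re
from dataclasses import dataclass

# NirSoft report-output switches shared by the command-line password tools.
NIRSOFT_SWITCHES = {"/stext", "/stab", "/scomma", "/stabular", "/shtml", "/sverhtml", "/sxml"}
# .NET Framework compilers that are routinely hollowed to host other code.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "jsc.exe"}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# One token per quoted string (single or double quotes) or run of non-space.
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, honouring quotes; the sandbox renders
    quoted paths with single quotes, real logs usually with double quotes."""
    return [t.strip("'\"") for t in TOKEN.findall(cmdline)]


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    switch: str
    output_path: str
    output_in_temp: bool


def inspect_event(event: dict) -> Finding | None:
    """Return a Finding when a .NET compiler image is launched with a NirSoft
    output switch; the argument after the switch is the report file."""
    argv = tokenize(event["CommandLine"])
    if not argv:
        return None
    image = argv[0].rsplit("\\", 1)[-1].lower()
    if image not in DOTNET_HOSTS:
        return None
    for i in range(1, len(argv)):
        if argv[i].lower() in NIRSOFT_SWITCHES:
            out = argv[i + 1] if i + 1 < len(argv) else ""
            return Finding(event["ProcessId"], image, argv[i].lower(), out,
                           bool(TEMP_DIR.search(out)))
    return None


def scan(events: list[dict]) -> list[Finding]:
    return [f for f in map(inspect_event, events) if f is not None]


# Constructed records; PIDs are invented, command lines 1-3 come from the report.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r"'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\3agbefca.z1h'"},
    {"ProcessId": 1002, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r"'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh'"},
    {"ProcessId": 1003, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r"'c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe' /shtml 'C:\Users\user\AppData\Local\Temp\btuqens4.sdh'"},
    # A genuine compile: compiler switches, no NirSoft output switch.
    {"ProcessId": 1004, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig /out:C:\build\app.exe C:\build\Module1.vb'},
    # NirSoft run from its own binary: a different detection, not this one.
    {"ProcessId": 1005, "Image": r"C:\Tools\mailpv.exe",
     "CommandLine": r'"C:\Tools\mailpv.exe" /shtml C:\Tools\report.html'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the host image plus the switch rather than on the output file name, because the temp file name is random per run; output_in_temp is carried as a separate field so a hunt can rank hits that also write into %LOCALAPPDATA%\Temp, which is where the report shows the harvested credentials being staged.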

                                                    Disassembly

                                                    Code Analysis


                                                      Executed Functions

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 00AFB6F0
                                                      • GetCurrentThread.KERNEL32 ref: 00AFB72D
                                                      • GetCurrentProcess.KERNEL32 ref: 00AFB76A
                                                      • GetCurrentThreadId.KERNEL32 ref: 00AFB7C3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID: (qv
                                                      • API String ID: 2063062207-1180521204
                                                      • Opcode ID: e13e16cfafd0cebbe362ef3fa0a857235d86a88f96f73971bcea6e8ce285dbc2
                                                      • Instruction ID: 1be0c4ea90a73fc6a27a063ba586fc102ef69e76da8574a8899933464f433cc4
                                                      • Opcode Fuzzy Hash: e13e16cfafd0cebbe362ef3fa0a857235d86a88f96f73971bcea6e8ce285dbc2
                                                      • Instruction Fuzzy Hash: 1B5166B0D052488FDB50CFA9D5887EEBBF1EF88304F2484AAE519A7350C7756844CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 00AFB6F0
                                                      • GetCurrentThread.KERNEL32 ref: 00AFB72D
                                                      • GetCurrentProcess.KERNEL32 ref: 00AFB76A
                                                      • GetCurrentThreadId.KERNEL32 ref: 00AFB7C3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID: (qv
                                                      • API String ID: 2063062207-1180521204
                                                      • Opcode ID: 63dbf72dc03c49bda79cc89d1d59d6589eaa9d115fc06601d9bccaefb995e70b
                                                      • Instruction ID: c231c3f85412c53e5dcb5c9896ded64c74577253aff88c8e9511375e3d523132
                                                      • Opcode Fuzzy Hash: 63dbf72dc03c49bda79cc89d1d59d6589eaa9d115fc06601d9bccaefb995e70b
                                                      • Instruction Fuzzy Hash: 315154B4D052098FDB50CFA9D588BEEBBF1EF88304F24846AE519A3350C7746884CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: MetricsSystem
                                                      • String ID: (qv
                                                      • API String ID: 4116985748-1180521204
                                                      • Opcode ID: 3b65d3ac2873e78d7728e2651e624533e65136ac3c45b0332e9c692ddf467893
                                                      • Instruction ID: 088652b79b29fc54231347012ba3a8162a2667b11a2133802c5b777808a79f3e
                                                      • Opcode Fuzzy Hash: 3b65d3ac2873e78d7728e2651e624533e65136ac3c45b0332e9c692ddf467893
                                                      • Instruction Fuzzy Hash: A831DF718087C88FDB129BA8E8453FA7FB0EF16314F08449AE58097257CB799986CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00AFFE0A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 027adc8faed9ffeec3d236297fa9230d70f1fcef36e8fa994d2840167df253e2
                                                      • Instruction ID: 2f38ac5509e0026ab6a49d4b9776f0ff54a4e18bc4a842928b9ef3a9512245e6
                                                      • Opcode Fuzzy Hash: 027adc8faed9ffeec3d236297fa9230d70f1fcef36e8fa994d2840167df253e2
                                                      • Instruction Fuzzy Hash: 4D41CEB1D00309AFDB14CFA9C884ADEFBB5BF48314F24812AE919AB215D774A945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00AFFE0A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: b2be3db9cf83eb336a5e130c7ffd803c8ee112938d46b07623c1d65eacefb7ff
                                                      • Instruction ID: ce0830bb899b4fe56cd22de29addb020fb970278e578262e5dab76a0826a60c0
                                                      • Opcode Fuzzy Hash: b2be3db9cf83eb336a5e130c7ffd803c8ee112938d46b07623c1d65eacefb7ff
                                                      • Instruction Fuzzy Hash: 1F41DEB1D003089FDF14CFA9C880ADEFBB2BF48314F25852AE919AB215D775A945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00AF5421
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: e2f63930cbb4d5bf35de02ea727a481a7d354e640faa6aa989c7b5528ad24f55
                                                      • Instruction ID: 820063b65bef5915b5bae05a7219ba98ea5fb004918809cc870f48967d05fb31
                                                      • Opcode Fuzzy Hash: e2f63930cbb4d5bf35de02ea727a481a7d354e640faa6aa989c7b5528ad24f55
                                                      • Instruction Fuzzy Hash: 6E412270C0461CCFDB24CFA9C8847DDBBB6BF48308F218069D518AB251DBB55986CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00AF5421
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 5a8419c5e43bbc877d017268ce5733fa34cbc0f191e8103380660ee7428a2f28
                                                      • Instruction ID: 62236507191921b148964ec546b501b189f8bc8ff4f8ab8ab4e76364cc1893f3
                                                      • Opcode Fuzzy Hash: 5a8419c5e43bbc877d017268ce5733fa34cbc0f191e8103380660ee7428a2f28
                                                      • Instruction Fuzzy Hash: A2410470C0461CCBDB24CFA9C88479EBBB6FF48305F218069D619AB255DBB56986CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AFB93F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 3a6d8a97dfa4d8fdf119290c5179509af874308ef892844e55005af62bb605af
                                                      • Instruction ID: cfda8216a0182ed9ad01530f59281c478a7a92a203503a1b152e7d379f91b711
                                                      • Opcode Fuzzy Hash: 3a6d8a97dfa4d8fdf119290c5179509af874308ef892844e55005af62bb605af
                                                      • Instruction Fuzzy Hash: 9E21E3B5900248AFDB10CFA9D984BEEFBF5FB48320F14841AE955A3311C374A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00AFB93F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 5251f0be0fb4c58182c3df1bb2e21093fbc6fc669b182b41d0cef9251a6f3bd8
                                                      • Instruction ID: 35dac5011e985feec2e19905dd466875276c8a45ba3a6f760ee0aea9507ea8d7
                                                      • Opcode Fuzzy Hash: 5251f0be0fb4c58182c3df1bb2e21093fbc6fc669b182b41d0cef9251a6f3bd8
                                                      • Instruction Fuzzy Hash: D921C4B5900219AFDB10CFA9D884BEEFBF9EB48324F14841AE915A3350D374A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00AF9951,00000800,00000000,00000000), ref: 00AF9B62
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 25f1edb0b4ad23aeddd4ef0e2d8cf3bbf9af26a850d04fe450e83bbc2fd8816e
                                                      • Instruction ID: 93764122062fcaf91ff4832454a2813943706af1186760f84b21e5dc1cdb2461
                                                      • Opcode Fuzzy Hash: 25f1edb0b4ad23aeddd4ef0e2d8cf3bbf9af26a850d04fe450e83bbc2fd8816e
                                                      • Instruction Fuzzy Hash: E8211AB6D002499FDB10CFA9D444BEEFBF5EB48310F14852AD555A7600C3756945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00AF9951,00000800,00000000,00000000), ref: 00AF9B62
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 297690bfab5c9cc048056481031193979261ea929475ba920b627ee70118b660
                                                      • Instruction ID: a248a7b5de7e071bf509c271669b51ae52513d83f0900460644e0a495067ac41
                                                      • Opcode Fuzzy Hash: 297690bfab5c9cc048056481031193979261ea929475ba920b627ee70118b660
                                                      • Instruction Fuzzy Hash: 1D1117B6D042499FDB10CF9AD444BEFFBF4EB48314F15842AE515A7200C3B5A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00AF98D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: f2a96511cb4f777edeb54eb654d4d9c241b2f554b0f314c2edcbbb313f029152
                                                      • Instruction ID: 4dc61163be2563cb451d41c1ac1be62c388189da073864dec1357874ecde5d30
                                                      • Opcode Fuzzy Hash: f2a96511cb4f777edeb54eb654d4d9c241b2f554b0f314c2edcbbb313f029152
                                                      • Instruction Fuzzy Hash: 082144B1C006499ECB20CF9AC4447EEFBF0EF49324F14805AD869A3200C375A505CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00AF98D6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 734732540480fe5e55b5a5c820a8159555ecd2cdd6d6d8da501f13e2502302ec
                                                      • Instruction ID: f78a637137ebb88e4c1e0793a99e1531855b788ace3c7a09518786625e7b464c
                                                      • Opcode Fuzzy Hash: 734732540480fe5e55b5a5c820a8159555ecd2cdd6d6d8da501f13e2502302ec
                                                      • Instruction Fuzzy Hash: FC11D2B5C002499FDB20CF9AD444BDEFBF4EB89324F15842AD929B7600C375A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 00AFFF9D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: c0e4a9fa486e9eed24d819a13d964326e808ef5ecc7656801d8d3c447c14a470
                                                      • Instruction ID: 1e523ab3f6e1212cb2adf71c6ed738cc5067858f5933a75181bc65d21cda1554
                                                      • Opcode Fuzzy Hash: c0e4a9fa486e9eed24d819a13d964326e808ef5ecc7656801d8d3c447c14a470
                                                      • Instruction Fuzzy Hash: 871145B58002089FDB20CF99D484BEEFBF4EB48320F14841AE965B3340C3B4AA45CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 00AFFF9D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: b906fc134a98fd069f08df9c55be041f0bf88069829123515919ea0921716f90
                                                      • Instruction ID: a711c93d15acd35208320073ddaf53e31633760938d72ea80774f8ee37f19328
                                                      • Opcode Fuzzy Hash: b906fc134a98fd069f08df9c55be041f0bf88069829123515919ea0921716f90
                                                      • Instruction Fuzzy Hash: 8311E5B58002099FDB20CF99D584BDEFBF8EB48324F14841AE915B7340C3B5A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670434075.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f68c484c7dc31d9c5b7728ad01dc0ae855797ee09242b75045bc72ef352a219
                                                      • Instruction ID: 8567e3ec1b94dd6eddcc26276af61c8b7fcf7c7465f743bfffb50f1e64ee6747
                                                      • Opcode Fuzzy Hash: 9f68c484c7dc31d9c5b7728ad01dc0ae855797ee09242b75045bc72ef352a219
                                                      • Instruction Fuzzy Hash: FA2125B5604240DFCF11DF14D9C0B26BFA5FB88328F258569E9054B216C336E886CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670454777.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1e3f20d5dbc1b129f036ef4fa6a1093448741883a750a7fc649df10d897749df
                                                      • Instruction ID: 63c36cdc28917c66ec726dd5a89da5a3b896ad23607a5fa42eec374c165869ea
                                                      • Opcode Fuzzy Hash: 1e3f20d5dbc1b129f036ef4fa6a1093448741883a750a7fc649df10d897749df
                                                      • Instruction Fuzzy Hash: 4A2104B5508240DFCB14CF20D9C0B26BBA5FB89314F24C969D98B4B686C37BD847CA61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670454777.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 77a6b326d7ef9ff3fb3aee29d1a0b279bf2c541488d0885979c1fe8fff0e1ed0
                                                      • Instruction ID: 91738d603d7ddad79a974ec134e9ed95fd0722f2eda5a614b9a8b653ecc082c6
                                                      • Opcode Fuzzy Hash: 77a6b326d7ef9ff3fb3aee29d1a0b279bf2c541488d0885979c1fe8fff0e1ed0
                                                      • Instruction Fuzzy Hash: B02107B5508200EFDB11CF10D9C0B66BBA5FB85314F24CA7DD98A4B696C376D84ACA61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670434075.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 76d66a488a8e2eb4ea502f692b6080f8959fcb036056923dacca0f9efaf34805
                                                      • Instruction ID: 86acdd4f12a3af7c46a305165e82bc5f1b059a7c29b6a28eae1d4cab7951a0f8
                                                      • Opcode Fuzzy Hash: 76d66a488a8e2eb4ea502f692b6080f8959fcb036056923dacca0f9efaf34805
                                                      • Instruction Fuzzy Hash: 5411B676904280DFCF15CF14D9C4B16BFB1FB94324F24C6A9D8454B656C336D896CBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670454777.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 950d924f8a873d9ddf14c36ba7e309aa77c9ccc93364ff4276970397c34955e3
                                                      • Instruction ID: 56ce47ed7e1d1a3ae8065172656af5c55b1cd94a1f53097b30c2c144b6e2a60f
                                                      • Opcode Fuzzy Hash: 950d924f8a873d9ddf14c36ba7e309aa77c9ccc93364ff4276970397c34955e3
                                                      • Instruction Fuzzy Hash: 52119075904280DFCB11CF10D5C4B55FB71FB85314F24C6ADD8494B696C33AD84ACB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670454777.0000000000AAD000.00000040.00000001.sdmp, Offset: 00AAD000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 950d924f8a873d9ddf14c36ba7e309aa77c9ccc93364ff4276970397c34955e3
                                                      • Instruction ID: 801816ba8f4134f017ceec599319b4764997d05d5eaea2444856186733b84724
                                                      • Opcode Fuzzy Hash: 950d924f8a873d9ddf14c36ba7e309aa77c9ccc93364ff4276970397c34955e3
                                                      • Instruction Fuzzy Hash: 20119075504280DFCB11CF14D5C4B15FB71FB45314F24C6AAD84A4BA96C33AD84ACB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670434075.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 278d1cbd80440a49f53c051883f9235c21ac29fabc56d139506e761787661748
                                                      • Instruction ID: 47b6d91d2501b75cc1ddfe8134b8049504159e296edaea5b3a3dc965547065ae
                                                      • Opcode Fuzzy Hash: 278d1cbd80440a49f53c051883f9235c21ac29fabc56d139506e761787661748
                                                      • Instruction Fuzzy Hash: 2801DB7160C3449EEB208F66CDC4766FBE8EF41378F188559ED055E246C3B99C84C6B1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670434075.0000000000A9D000.00000040.00000001.sdmp, Offset: 00A9D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c293e19f6f81309ce9d8486b4f498031fb6fa929eb4dec768caf1a4a6094b1d
                                                      • Instruction ID: bbd0698cd78fe84ca12fcb29398c95982540a23c13dec2b8208ab579ae8547c8
                                                      • Opcode Fuzzy Hash: 9c293e19f6f81309ce9d8486b4f498031fb6fa929eb4dec768caf1a4a6094b1d
                                                      • Instruction Fuzzy Hash: 2CF096715083849EEB208B15DDC4B62FFD8EB91774F18C56AED085B286C3799C84CAB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      C-Code - Quality: 73%
                                                      			E00234E95(signed int __eax, intOrPtr* __ebx, signed int __ecx, void* __edx, signed int __edi) {
                                                      				signed int _t331;
                                                      				signed char _t332;
                                                      				intOrPtr* _t333;
                                                      				intOrPtr* _t334;
                                                      				signed char _t335;
                                                      				signed char _t336;
                                                      				signed char _t337;
                                                      				signed char _t338;
                                                      				signed char _t339;
                                                      				signed char _t340;
                                                      				signed char _t341;
                                                      				signed char _t342;
                                                      				signed char _t343;
                                                      				signed char _t344;
                                                      				signed char _t345;
                                                      				signed char _t347;
                                                      				signed char _t349;
                                                      				signed char _t351;
                                                      				signed char _t352;
                                                      				signed char _t354;
                                                      				signed char _t356;
                                                      				signed char _t358;
                                                      				signed char _t360;
                                                      				signed char _t363;
                                                      				signed char _t366;
                                                      				signed char _t368;
                                                      				signed char _t370;
                                                      				signed char _t372;
                                                      				signed char _t375;
                                                      				intOrPtr* _t377;
                                                      				void* _t378;
                                                      				intOrPtr* _t379;
                                                      				signed char _t383;
                                                      				intOrPtr* _t386;
                                                      				signed char _t387;
                                                      				intOrPtr* _t388;
                                                      				signed char _t389;
                                                      				signed char _t563;
                                                      				signed char _t567;
                                                      				signed char _t571;
                                                      				signed char _t573;
                                                      				intOrPtr* _t577;
                                                      				signed char _t578;
                                                      				signed char _t586;
                                                      				signed char _t587;
                                                      				signed char _t617;
                                                      				signed char _t618;
                                                      				intOrPtr* _t644;
                                                      				signed char _t645;
                                                      				intOrPtr* _t646;
                                                      				signed int _t656;
                                                      				signed int* _t661;
                                                      				void* _t667;
                                                      				signed char _t711;
                                                      
                                                      				_t656 = __edi;
                                                      				_t577 = __ebx;
                                                      				asm("popfd");
                                                      				 *__eax =  *__eax + __eax;
                                                      				_t617 = __ecx |  *0x120fded0;
                                                      				_t644 = __edx + __ebx;
                                                      				_push(ss);
                                                      				 *__ebx =  *__ebx + __ebx;
                                                      				asm("outsd");
                                                      				 *_t644 =  *_t644 + _t617;
                                                      				_t331 = (__eax ^ 0x00000000) + __ebx | 0x2a09002b;
                                                      				 *_t331 =  *_t331 + _t331;
                                                      				 *_t331 =  *_t331 + _t644;
                                                      				 *_t331 =  *_t331 + _t331;
                                                      				_t332 = _t331 +  *_t331;
                                                      				asm("adc eax, 0x493400");
                                                      				asm("sldt word [eax]");
                                                      				 *_t332 =  *_t332 + _t332;
                                                      				_t661 = ss;
                                                      				_t645 = _t644 +  *((intOrPtr*)(0x4000092 + __edi * 2));
                                                      				while(1) {
                                                      					 *_t332 =  *_t332 + _t332;
                                                      					_t333 = _t332 + 2;
                                                      					 *_t333 =  *_t333 - _t617;
                                                      					 *_t645 =  *_t645 + _t617;
                                                      					 *_t333 =  *_t333 + _t333;
                                                      					_t617 = _t617 +  *_t333;
                                                      					if (_t617 > 0) goto L2;
                                                      					 *_t661 =  *_t661 + _t333;
                                                      					 *_t645 =  *_t645 + _t617;
                                                      					asm("adc esi, [eax]");
                                                      					_t334 = _t333 +  *_t333;
                                                      					asm("pushfd");
                                                      					 *_t334 =  *_t334 + _t334;
                                                      					 *_t577 =  *_t577 + _t334;
                                                      					 *_t334 =  *_t334 + _t334;
                                                      					asm("adc [eax], eax");
                                                      					_t577 = _t577 +  *((intOrPtr*)(_t577 - 0x6b));
                                                      					 *_t334 =  *_t334 + _t334;
                                                      					_t332 = _t334 + 0x6f;
                                                      					asm("sahf");
                                                      					 *_t332 =  *_t332 + _t332;
                                                      					_t645 = _t645 |  *(_t645 - 0x51);
                                                      					 *_t332 =  *_t332 + _t332;
                                                      					if( *_t332 < 0) {
                                                      						goto L5;
                                                      					}
                                                      					_push(ds);
                                                      					 *_t332 =  *_t332 + _t332;
                                                      					_t618 = _t617 |  *_t645;
                                                      					_push(es);
                                                      					_t351 = _t332 - 0xe;
                                                      					 *((intOrPtr*)(_t645 - 0x39)) =  *((intOrPtr*)(_t645 - 0x39)) + _t645;
                                                      					_push(es);
                                                      					 *((intOrPtr*)(_t351 + 0x28)) =  *((intOrPtr*)(_t351 + 0x28)) + _t645;
                                                      					L4:
                                                      					asm("sbb al, 0x0");
                                                      					 *_t645 =  *_t645 + _t618;
                                                      					_t661 = _t661 -  *[es:ebx];
                                                      					 *_t351 =  *_t351 + _t351;
                                                      					asm("outsd");
                                                      					asm("o16 add [eax], al");
                                                      					_t332 = _t351 + 0x00000016 |  *(_t351 + 0x16);
                                                      					_t577 = _t578 +  *((intOrPtr*)(_t578 - 0x6a)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x6a)) - 0x6b));
                                                      					 *_t332 =  *_t332 + _t332;
                                                      					L5:
                                                      					_t11 = _t656 + _t645;
                                                      					 *_t11 =  *((intOrPtr*)(_t656 + _t645)) + _t332;
                                                      					asm("outsd");
                                                      					if ( *_t11 != 0) goto L6;
                                                      					 *_t645 =  *_t645 + _t617;
                                                      					 *_t645 =  *_t645 + _t332;
                                                      					if( *_t645 != 0) {
                                                      						continue;
                                                      					}
                                                      					 *_t332 =  *_t332 + _t332;
                                                      					_t335 = _t332 + 0x17;
                                                      					asm("outsd");
                                                      					_t618 = _t617 - 1;
                                                      					 *_t335 =  *_t335 + _t335;
                                                      					_t336 = _t335 |  *_t335;
                                                      					_t578 = _t577 +  *((intOrPtr*)(_t577 - 0x69));
                                                      					while(1) {
                                                      						 *_t336 =  *_t336 + _t336;
                                                      						_t337 = _t336 + 0x17;
                                                      						asm("outsd");
                                                      						 *_t337 =  *_t337 + _t337;
                                                      						_t338 = _t337 |  *_t337;
                                                      						 *_t338 =  *_t338 + _t338;
                                                      						_t339 = _t338 + 0x17;
                                                      						asm("outsd");
                                                      						 *_t339 =  *_t339 + _t339;
                                                      						_t340 = _t339 |  *_t339;
                                                      						 *_t340 =  *_t340 + _t340;
                                                      						_t341 = _t340 + 0x17;
                                                      						asm("outsd");
                                                      						 *_t341 =  *_t341 + _t341;
                                                      						_t342 = _t341 |  *_t341;
                                                      						_t578 = _t578 +  *((intOrPtr*)(_t578 - 0x68)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) - 0x67)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) - 0x67)) - 0x66));
                                                      						 *_t342 =  *_t342 + _t342;
                                                      						_t343 = _t342 + 0x17;
                                                      						asm("outsd");
                                                      						_t618 = _t618 - 0xfffffffffffffffe;
                                                      						 *_t343 =  *_t343 + _t343;
                                                      						_t344 = _t343 |  *_t343;
                                                      						if(_t344 > 0) {
                                                      						}
                                                      						L9:
                                                      						 *_t344 =  *_t344 + _t344;
                                                      						_t351 = _t344 + 2;
                                                      						if(_t351 != 0) {
                                                      							goto L4;
                                                      						} else {
                                                      							L10:
                                                      							 *_t351 =  *_t351 + _t351;
                                                      							_t352 = _t351 + 0x6f;
                                                      							asm("sahf");
                                                      							 *_t352 =  *_t352 + _t352;
                                                      							 *_t352 =  *_t352 + _t352;
                                                      							_push(es);
                                                      							 *_t352 =  *_t352 + _t352;
                                                      							_t645 = _t645 -  *_t578;
                                                      							 *_t645 =  *_t645 ^ _t352;
                                                      							 *_t578 =  *_t578 + _t645;
                                                      							 *_t352 =  *_t352 + _t352;
                                                      							 *_t352 =  *_t352 + _t352;
                                                      							 *_t352 =  *_t352 + _t352;
                                                      							_t661[0x1e] = _t661[0x1e] + _t578;
                                                      							 *_t352 =  *_t352 + _t352;
                                                      							_t336 = _t352 + 0x28;
                                                      							asm("lahf");
                                                      							 *_t336 =  *_t336 + _t336;
                                                      							_t618 = _t618 |  *(_t656 + 0x63) |  *(_t656 + 0x65);
                                                      							L11:
                                                      							asm("outsd");
                                                      							 *[gs:eax] =  *[gs:eax] + _t336;
                                                      							_push(es);
                                                      							 *_t645 =  *_t645 + _t336;
                                                      							if( *_t645 != 0) {
                                                      								 *_t336 =  *_t336 + _t336;
                                                      								_t337 = _t336 + 0x17;
                                                      								asm("outsd");
                                                      								 *_t337 =  *_t337 + _t337;
                                                      								_t338 = _t337 |  *_t337;
                                                      								 *_t338 =  *_t338 + _t338;
                                                      								_t339 = _t338 + 0x17;
                                                      								asm("outsd");
                                                      								 *_t339 =  *_t339 + _t339;
                                                      								_t340 = _t339 |  *_t339;
                                                      								 *_t340 =  *_t340 + _t340;
                                                      								_t341 = _t340 + 0x17;
                                                      								asm("outsd");
                                                      								 *_t341 =  *_t341 + _t341;
                                                      								_t342 = _t341 |  *_t341;
                                                      								_t578 = _t578 +  *((intOrPtr*)(_t578 - 0x68)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) - 0x67)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) - 0x67)) - 0x66));
                                                      								 *_t342 =  *_t342 + _t342;
                                                      								_t343 = _t342 + 0x17;
                                                      								asm("outsd");
                                                      								_t618 = _t618 - 0xfffffffffffffffe;
                                                      								 *_t343 =  *_t343 + _t343;
                                                      								_t344 = _t343 |  *_t343;
                                                      								if(_t344 > 0) {
                                                      								}
                                                      							} else {
                                                      								 *_t336 =  *_t336 + _t336;
                                                      								asm("outsd");
                                                      								asm("o16 add [eax], al");
                                                      								_t354 = _t336 + 0x00000016 |  *(_t336 + 0x16);
                                                      								 *_t354 =  *_t354 + _t354;
                                                      								asm("outsd");
                                                      								asm("o16 add [eax], al");
                                                      								_t356 = _t354 + 0x00000016 |  *(_t354 + 0x16);
                                                      								 *_t356 =  *_t356 + _t356;
                                                      								asm("outsd");
                                                      								asm("o16 add [eax], al");
                                                      								_t358 = _t356 + 0x00000016 |  *(_t356 + 0x16);
                                                      								_t578 = _t578 +  *((intOrPtr*)(_t578 - 0x68)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) - 0x67)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) - 0x67)) - 0x66));
                                                      								 *_t358 =  *_t358 + _t358;
                                                      								asm("outsd");
                                                      								asm("o16 add [eax], al");
                                                      								_t351 = _t358 + 0x00000016 |  *(_t358 + 0x16);
                                                      								L13:
                                                      								 *_t645 =  *_t645 + _t351;
                                                      								if( *_t645 != 0) {
                                                      									goto L10;
                                                      								} else {
                                                      									 *_t351 =  *_t351 + _t351;
                                                      									_t360 = _t351 + 0x17;
                                                      									asm("outsd");
                                                      									_t618 = _t618 - 1;
                                                      									 *_t360 =  *_t360 + _t360;
                                                      									asm("adc esi, [eax]");
                                                      									_t344 = (_t360 |  *_t360) -  *(_t360 |  *_t360) +  *((intOrPtr*)((_t360 |  *_t360) -  *(_t360 |  *_t360)));
                                                      								}
                                                      							}
                                                      						}
                                                      						L15:
                                                      						_push(_t578);
                                                      						 *_t344 =  *_t344 + _t344;
                                                      						 *_t344 =  *_t344 + _t344;
                                                      						 *_t344 =  *_t344 + _t344;
                                                      						 *_t344 =  *_t344 + _t344;
                                                      						if( *_t344 <= 0) {
                                                      							L26:
                                                      							 *_t645 =  *_t645 + _t344;
                                                      							if( *_t645 != 0) {
                                                      								goto L19;
                                                      							} else {
                                                      								 *_t344 =  *_t344 + _t344;
                                                      								asm("outsd");
                                                      								asm("o16 add [eax], al");
                                                      								_t571 = _t344 + 0x00000016 |  *(_t344 + 0x16);
                                                      								 *_t571 =  *_t571 + _t571;
                                                      								asm("outsd");
                                                      								asm("o16 add [eax], al");
                                                      								_t573 = _t571 + 0x00000016 |  *(_t571 + 0x16);
                                                      								_t578 = _t578 +  *((intOrPtr*)(_t578 - 0x67)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x67)) - 0x66));
                                                      								 *_t573 =  *_t573 + _t573;
                                                      								asm("outsd");
                                                      								asm("o16 add [eax], al");
                                                      								_t351 = _t573 + 0x00000016 |  *(_t573 + 0x16);
                                                      								goto L28;
                                                      							}
                                                      						} else {
                                                      							 *_t344 =  *_t344 + _t344;
                                                      							_t336 =  *0x6f0a0000;
                                                      							L17:
                                                      							asm("outsd");
                                                      							 *[gs:eax] =  *[gs:eax] + _t336;
                                                      							_push(es);
                                                      							 *_t645 =  *_t645 + _t336;
                                                      							if( *_t645 != 0) {
                                                      								goto L11;
                                                      							} else {
                                                      								 *_t336 =  *_t336 + _t336;
                                                      								_t344 = _t336 + 0x16;
                                                      								asm("outsd");
                                                      								L19:
                                                      								asm("o16 add [eax], al");
                                                      								_t345 = _t344 |  *_t344;
                                                      								 *_t345 =  *_t345 + _t345;
                                                      								asm("outsd");
                                                      								asm("o16 add [eax], al");
                                                      								_t347 = _t345 + 0x00000016 |  *(_t345 + 0x16);
                                                      								 *_t347 =  *_t347 + _t347;
                                                      								asm("outsd");
                                                      								asm("o16 add [eax], al");
                                                      								_t349 = _t347 + 0x00000016 |  *(_t347 + 0x16);
                                                      								_t578 = _t578 +  *((intOrPtr*)(_t578 - 0x68)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) - 0x67)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x68)) - 0x67)) - 0x66));
                                                      								 *_t349 =  *_t349 + _t349;
                                                      								asm("outsd");
                                                      								asm("o16 add [eax], al");
                                                      								_t351 = _t349 + 0x00000016 |  *(_t349 + 0x16);
                                                      								L20:
                                                      								 *_t645 =  *_t645 + _t351;
                                                      								if( *_t645 != 0) {
                                                      									goto L13;
                                                      								} else {
                                                      									 *_t351 =  *_t351 + _t351;
                                                      									_t363 = _t351 + 0x17;
                                                      									asm("outsd");
                                                      									_t618 = _t618 - 1;
                                                      									 *_t363 =  *_t363 + _t363;
                                                      									asm("adc esi, [eax]");
                                                      									_t366 = (_t363 |  *_t363) -  *(_t363 |  *_t363) +  *((intOrPtr*)((_t363 |  *_t363) -  *(_t363 |  *_t363)));
                                                      									_push(_t578);
                                                      									 *_t366 =  *_t366 + _t366;
                                                      									 *_t366 =  *_t366 + _t366;
                                                      									 *_t366 =  *_t366 + _t366;
                                                      									 *_t366 =  *_t366 + _t366;
                                                      									if( *_t366 <= 0) {
                                                      										L32:
                                                      										 *_t645 =  *_t645 + _t366;
                                                      										if( *_t645 != 0) {
                                                      											goto L25;
                                                      										} else {
                                                      											 *_t366 =  *_t366 + _t366;
                                                      											asm("outsd");
                                                      											asm("o16 add [eax], al");
                                                      											_t368 = _t366 + 0x00000016 |  *(_t366 + 0x16);
                                                      											 *_t368 =  *_t368 + _t368;
                                                      											asm("outsd");
                                                      											asm("o16 add [eax], al");
                                                      											_t370 = _t368 + 0x00000016 |  *(_t368 + 0x16);
                                                      											 *_t370 =  *_t370 + _t370;
                                                      											asm("outsd");
                                                      											asm("o16 add [eax], al");
                                                      											_t351 = _t370 + 0x00000016 |  *(_t370 + 0x16);
                                                      											_t578 = _t578 +  *((intOrPtr*)(_t578 - 0x67)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x67)) - 0x66)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x67)) +  *((intOrPtr*)(_t578 +  *((intOrPtr*)(_t578 - 0x67)) - 0x66)) - 0x64));
                                                      											_t711 = _t578;
                                                      											L34:
                                                      											if(_t711 != 0) {
                                                      												L28:
                                                      												 *_t645 =  *_t645 + _t351;
                                                      												if( *_t645 != 0) {
                                                      													goto L20;
                                                      												} else {
                                                      													 *_t351 =  *_t351 + _t351;
                                                      													_t372 = _t351 + 0x17;
                                                      													asm("outsd");
                                                      													_t618 = _t618 - 1;
                                                      													 *_t372 =  *_t372 + _t372;
                                                      													asm("adc esi, [eax]");
                                                      													_t375 = (_t372 |  *_t372) -  *(_t372 |  *_t372) +  *((intOrPtr*)((_t372 |  *_t372) -  *(_t372 |  *_t372)));
                                                      													_push(_t578);
                                                      													 *_t375 =  *_t375 + _t375;
                                                      													 *_t375 =  *_t375 + _t375;
                                                      													 *_t375 =  *_t375 + _t375;
                                                      													 *_t375 =  *_t375 + _t375;
                                                      													if( *_t375 <= 0) {
                                                      														goto L37;
                                                      													} else {
                                                      														 *_t375 =  *_t375 + _t375;
                                                      														_t336 = _t375 + 0x28;
                                                      														 *0x6f0a0000 = _t336;
                                                      														 *[gs:eax] =  *[gs:eax] + _t336;
                                                      														_push(es);
                                                      														 *_t645 =  *_t645 + _t336;
                                                      														if( *_t645 != 0) {
                                                      															goto L23;
                                                      														} else {
                                                      															 *_t336 =  *_t336 + _t336;
                                                      															asm("outsd");
                                                      															asm("o16 add [eax], al");
                                                      															_t366 = _t336 + 0x00000016 |  *(_t336 + 0x16);
                                                      															goto L32;
                                                      														}
                                                      													}
                                                      												}
                                                      											} else {
                                                      												 *_t351 =  *_t351 + _t351;
                                                      												_t383 = _t351 + 0x17;
                                                      												asm("outsd");
                                                      												_t618 = _t618 - 1;
                                                      												 *_t383 =  *_t383 + _t383;
                                                      												asm("adc esi, [eax]");
                                                      												_t386 = (_t383 |  *_t383) -  *(_t383 |  *_t383) +  *((intOrPtr*)((_t383 |  *_t383) -  *(_t383 |  *_t383)));
                                                      												 *[cs:eax] =  *[cs:eax] + _t386;
                                                      												 *((intOrPtr*)(_t386 + _t386)) =  *((intOrPtr*)(_t386 + _t386)) + _t386;
                                                      												 *_t618 =  *_t618 + _t645;
                                                      												_t661[0x1e] = _t661[0x1e] + _t578;
                                                      												 *_t386 =  *_t386 + _t386;
                                                      												_t387 = _t386 + 0x6f;
                                                      												 *((intOrPtr*)(_t661 + _t578)) =  *((intOrPtr*)(_t661 + _t578)) + _t387;
                                                      												_push(es);
                                                      												 *((intOrPtr*)(_t387 + _t387)) =  *((intOrPtr*)(_t387 + _t387)) - _t578;
                                                      												 *_t645 =  *_t645 + _t618;
                                                      												if( *_t645 < 0) {
                                                      													 *_t387 =  *_t387 + _t387;
                                                      													_push(es);
                                                      													_t375 = _t387 |  *_t661;
                                                      													asm("outsd");
                                                      													 *0x260a0000 = _t375;
                                                      													L37:
                                                      													_t645 = _t645 +  *[es:esi];
                                                      													 *_t618 =  *_t618 - _t618;
                                                      													 *_t645 =  *_t645 + _t618;
                                                      													 *_t645 =  *_t645 + _t375;
                                                      													 *((intOrPtr*)(_t375 + _t375 + 0x2a000a00)) =  *((intOrPtr*)(_t375 + _t375 + 0x2a000a00)) - _t375;
                                                      													 *_t375 =  *_t375 + _t375;
                                                      													asm("adc esi, [eax]");
                                                      													_t377 = _t375 +  *_t375 -  *((intOrPtr*)(_t375 +  *_t375));
                                                      													 *_t377 =  *_t377 + _t377;
                                                      													_t378 = _t377 +  *_t377;
                                                      													 *_t618 =  *_t618 + _t645;
                                                      													 *_t578 =  *_t578 + _t378;
                                                      													_t379 = _t378 - 0xb;
                                                      													_t578 = _t578 +  *((intOrPtr*)(_t578 - 0x6e));
                                                      													 *_t379 =  *_t379 + _t379;
                                                      													 *_t578 =  *_t578 + 1;
                                                      													_push(ss);
                                                      													_t351 = (_t379 + 0x00000014 -  *_t618 |  *_t661) - 0xe;
                                                      													 *_t645 =  *_t645 + _t351;
                                                      													if( *_t645 != 0) {
                                                      														goto L34;
                                                      													} else {
                                                      														 *_t351 =  *_t351 + _t351;
                                                      														_t567 = _t351 + 0x0000006f ^ 0x00000000;
                                                      														 *_t645 =  *_t645 + _t618;
                                                      														 *_t567 =  *_t567 + _t567;
                                                      														_t387 = _t567 +  *_t578;
                                                      														 *_t656 =  *_t656 - _t387;
                                                      														 *_t645 =  *_t645 + _t618;
                                                      														 *_t645 =  *_t645 + _t618;
                                                      														 *_t578 =  *_t578 + _t645;
                                                      													}
                                                      												}
                                                      											}
                                                      										}
                                                      									} else {
                                                      										 *_t366 =  *_t366 + _t366;
                                                      										_t336 =  *0x6f0a0000;
                                                      										L23:
                                                      										asm("outsd");
                                                      										 *[gs:eax] =  *[gs:eax] + _t336;
                                                      										_push(es);
                                                      										 *_t645 =  *_t645 + _t336;
                                                      										if( *_t645 != 0) {
                                                      											goto L17;
                                                      										} else {
                                                      											 *_t336 =  *_t336 + _t336;
                                                      											_t366 = _t336 + 0x16;
                                                      											asm("outsd");
                                                      											L25:
                                                      											asm("o16 add [eax], al");
                                                      											_t344 = _t366 |  *_t366;
                                                      											goto L26;
                                                      										}
                                                      									}
                                                      								}
                                                      							}
                                                      						}
                                                      						 *_t661 =  *_t661 ^ _t387;
                                                      						 *((intOrPtr*)(_t387 + 7)) =  *((intOrPtr*)(_t387 + 7)) + _t578;
                                                      						 *_t387 =  *_t387 + _t387;
                                                      						 *_t387 =  *_t387 + _t387;
                                                      						_t646 = _t645 +  *((intOrPtr*)(_t578 + 0x6b));
                                                      						 *_t387 =  *_t387 + _t387;
                                                      						_t586 = _t578 |  *(_t667 - 0x6d);
                                                      						 *_t387 =  *_t387 + _t387;
                                                      						_t388 = _t387 + 2;
                                                      						while(1) {
                                                      							_t646 = _t646 +  *((intOrPtr*)(_t586 + 0x6b));
                                                      							 *_t388 =  *_t388 + _t388;
                                                      							_t587 = _t586 |  *(_t667 - 0x6c);
                                                      							 *_t388 =  *_t388 + _t388;
                                                      							_t389 = _t388 + 2;
                                                      							if (_t389 >= 0) goto L56;
                                                      							asm("insb");
                                                      							_t59 = _t656 + _t646;
                                                      							 *_t59 =  *((intOrPtr*)(_t656 + _t646)) + _t388;
                                                      							asm("outsd");
                                                      							if ( *_t59 > 0) goto L54;
                                                      							 *_t646 =  *_t646 + _t618;
                                                      							 *_t646 =  *_t646 + _t388;
                                                      							if ( *_t646 != 0) goto L42;
                                                      							_t389 = _t586;
                                                      							_t587 = _t563;
                                                      						}
                                                      					}
                                                      				}
                                                      			}
                                                      0x002350eb
                                                      0x002350ef
                                                      0x002350f0
                                                      0x002350f3
                                                      0x002350f5
                                                      0x002350f5
                                                      0x002350f6
                                                      0x002350f6
                                                      0x00235094
                                                      0x00235094
                                                      0x00235096
                                                      0x00000000
                                                      0x00235098
                                                      0x00235098
                                                      0x0023509a
                                                      0x0023509c
                                                      0x0023509d
                                                      0x0023509e
                                                      0x002350a4
                                                      0x002350a6
                                                      0x002350a8
                                                      0x002350a9
                                                      0x002350ab
                                                      0x002350ad
                                                      0x002350af
                                                      0x002350b1
                                                      0x00000000
                                                      0x002350b3
                                                      0x002350b3
                                                      0x002350b5
                                                      0x002350b7
                                                      0x002350bc
                                                      0x002350bf
                                                      0x002350c0
                                                      0x002350c2
                                                      0x00000000
                                                      0x002350c4
                                                      0x002350c4
                                                      0x002350c8
                                                      0x002350c9
                                                      0x002350cc
                                                      0x00000000
                                                      0x002350cc
                                                      0x002350c2
                                                      0x002350b1
                                                      0x002350f8
                                                      0x002350f8
                                                      0x002350fa
                                                      0x002350fc
                                                      0x002350fd
                                                      0x002350fe
                                                      0x00235104
                                                      0x00235106
                                                      0x00235108
                                                      0x0023510b
                                                      0x0023510e
                                                      0x00235110
                                                      0x00235113
                                                      0x00235115
                                                      0x00235117
                                                      0x0023511a
                                                      0x0023511b
                                                      0x0023511e
                                                      0x00235120
                                                      0x00235123
                                                      0x00235125
                                                      0x00235126
                                                      0x00235128
                                                      0x00235129
                                                      0x0023512d
                                                      0x0023512d
                                                      0x00235130
                                                      0x00235133
                                                      0x00235135
                                                      0x00235137
                                                      0x0023513e
                                                      0x00235140
                                                      0x00235144
                                                      0x00235146
                                                      0x00235148
                                                      0x0023514a
                                                      0x0023514c
                                                      0x0023514e
                                                      0x00235150
                                                      0x00235153
                                                      0x00235157
                                                      0x0023515b
                                                      0x0023515e
                                                      0x00235160
                                                      0x00235162
                                                      0x00000000
                                                      0x00235164
                                                      0x00235164
                                                      0x00235168
                                                      0x0023516a
                                                      0x0023516c
                                                      0x0023516e
                                                      0x00235170
                                                      0x00235173
                                                      0x00235175
                                                      0x00235177
                                                      0x00235177
                                                      0x00235162
                                                      0x00235120
                                                      0x002350f6
                                                      0x00235053
                                                      0x00235053
                                                      0x00235057
                                                      0x0023505b
                                                      0x0023505b
                                                      0x0023505c
                                                      0x0023505f
                                                      0x00235060
                                                      0x00235062
                                                      0x00000000
                                                      0x00235064
                                                      0x00235064
                                                      0x00235066
                                                      0x00235068
                                                      0x00235069
                                                      0x00235069
                                                      0x0023506c
                                                      0x00000000
                                                      0x0023506c
                                                      0x00235062
                                                      0x00235051
                                                      0x00235036
                                                      0x00235002
                                                      0x00235179
                                                      0x0023517b
                                                      0x00235181
                                                      0x00235183
                                                      0x00235185
                                                      0x00235188
                                                      0x0023518a
                                                      0x0023518d
                                                      0x0023518f
                                                      0x00235190
                                                      0x00235190
                                                      0x00235193
                                                      0x00235195
                                                      0x00235198
                                                      0x0023519a
                                                      0x0023519c
                                                      0x0023519d
                                                      0x002351fe
                                                      0x002351fe
                                                      0x00235201
                                                      0x00235202
                                                      0x00235204
                                                      0x00235206
                                                      0x00235208
                                                      0x00235209
                                                      0x00235209
                                                      0x00235209
                                                      0x00235190
                                                      0x00234f3b

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.669812755.0000000000232000.00000002.00020000.sdmp, Offset: 00230000, based on PE: true
                                                       • Associated: 00000000.00000002.669807511.0000000000230000.00000002.00020000.sdmp
                                                       • Associated: 00000000.00000002.669871538.00000000002A6000.00000002.00020000.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b869ad6914c4f4d6523e7337c2be8469660e25b5946108020381d9b80b0a62d7
                                                      • Instruction ID: ff3fd375bdaaab260b602a6e476161711db5d572ba615b0a338d1c436d528959
                                                      • Opcode Fuzzy Hash: b869ad6914c4f4d6523e7337c2be8469660e25b5946108020381d9b80b0a62d7
                                                      • Instruction Fuzzy Hash: 3EE2EE9181EBD25FDB039BB85CB52A1BFB19E6721471E44C7C0C4CF0A3E109696EE726
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0030051e274ce5b748f9b70147e7424602ec4888c1af6cc8911f8784c534efac
                                                      • Instruction ID: 431bdbe643c6174d51603a6ef3deb5fc478fdd42ce8836c53666317ebf312242
                                                      • Opcode Fuzzy Hash: 0030051e274ce5b748f9b70147e7424602ec4888c1af6cc8911f8784c534efac
                                                      • Instruction Fuzzy Hash: 1D1262B1411B468AD710CFA5FD982893BA1B745328F904309D2A19BBF9D7F821DACF74
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 272ed1293c349481aa0bca8974345b036892554cfa81edc562c99b170b0a3187
                                                      • Instruction ID: a39b55b96f495e3485a914be167ad178aea81d22692d8b07ee16da3b5768690b
                                                      • Opcode Fuzzy Hash: 272ed1293c349481aa0bca8974345b036892554cfa81edc562c99b170b0a3187
                                                      • Instruction Fuzzy Hash: 04A17D32E0020E8FCF15DFE5C9445EEBBB2FF85310B15856AFA05AB261DB71A955CB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3055fbf20ee574a77decff5e4c745635b9cbda2ac4eb853bd66c0c32125a57bc
                                                      • Instruction ID: 6205dc34d7e63678aedac67a14beb5f77e478c83a0e5cc722e2962d742b73fb8
                                                      • Opcode Fuzzy Hash: 3055fbf20ee574a77decff5e4c745635b9cbda2ac4eb853bd66c0c32125a57bc
                                                      • Instruction Fuzzy Hash: AAC1E7B1811B46CAD710CFA5FC882897BA1BB85328F514309D161ABBE8D7F421CACF74
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%
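                                                       The four records above all follow the same layout, and each names the memory dump it was carved from. What follows is an added example, not part of this report and not Joe Sandbox code: a small parser that turns such records into structured data and flags the code regions a triager would open first. It assumes that the dotted fields of a dump file name are process index, stage, dump id, region base, Win32 page protection (values as in winnt.h, for instance 0x40 = PAGE_EXECUTE_READWRITE) and a type field; the report does not document this naming, so the field meanings are an assumption. The triage rule (dump not backed by a PE image and mapped writable plus executable) is the editor's heuristic, not something the report states. The sample input is the first two records from this page, embedded verbatim.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: two "Memory Dump Source" records copied from this report.
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 00000000.00000002.669812755.0000000000232000.00000002.00020000.sdmp, Offset: 00230000, based on PE: true
• Associated: 00000000.00000002.669807511.0000000000230000.00000002.00020000.sdmp
• Associated: 00000000.00000002.669871538.00000000002A6000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b869ad6914c4f4d6523e7337c2be8469660e25b5946108020381d9b80b0a62d7
• Instruction ID: ff3fd375bdaaab260b602a6e476161711db5d572ba615b0a338d1c436d528959
• Opcode Fuzzy Hash: b869ad6914c4f4d6523e7337c2be8469660e25b5946108020381d9b80b0a62d7
• Instruction Fuzzy Hash: 3EE2EE9181EBD25FDB039BB85CB52A1BFB19E6721471E44C7C0C4CF0A3E109696EE726
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.670517506.0000000000AF0000.00000040.00000001.sdmp, Offset: 00AF0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0030051e274ce5b748f9b70147e7424602ec4888c1af6cc8911f8784c534efac
• Instruction ID: 431bdbe643c6174d51603a6ef3deb5fc478fdd42ce8836c53666317ebf312242
• Opcode Fuzzy Hash: 0030051e274ce5b748f9b70147e7424602ec4888c1af6cc8911f8784c534efac
• Instruction Fuzzy Hash: 1D1262B1411B468AD710CFA5FD982893BA1B745328F904309D2A19BBF9D7F821DACF74
Uniqueness

Uniqueness Score: -1.00%
"""

# Win32 page-protection constants (winnt.h) used to classify a dumped region.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

# ASSUMPTION: dump names are <pid>.<stage>.<dump id>.<base>.<protect>.<type>.sdmp.
DUMP_NAME = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)
SOURCE_LINE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
FIELDS = {
    "opcode_id": re.compile(r"Opcode ID:\s*([0-9a-f]+)"),
    "instruction_id": re.compile(r"Instruction ID:\s*([0-9a-f]+)"),
    "opcode_fuzzy": re.compile(r"Opcode Fuzzy Hash:\s*([0-9A-Fa-f]+)"),
    "instruction_fuzzy": re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)"),
}


@dataclass
class DumpRecord:
    source_file: str
    base: int            # region base address parsed from the dump name
    protect: int         # page protection parsed from the dump name (assumed meaning)
    offset: int          # "Offset:" value from the record
    based_on_pe: bool    # "based on PE:" value from the record
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""
    uniqueness: float = 0.0
    associated: List[str] = field(default_factory=list)


def parse_records(text: str) -> List[DumpRecord]:
    """Split the report text into 'Memory Dump Source' records and parse each one."""
    records = []
    for chunk in text.split("Memory Dump Source")[1:]:
        m = SOURCE_LINE.search(chunk)
        if not m:
            continue  # record without a Source File line: nothing to anchor on
        n = DUMP_NAME.match(m.group("name"))
        if not n:
            raise ValueError("unexpected dump file name: " + m.group("name"))
        rec = DumpRecord(
            source_file=m.group("name"),
            base=int(n.group("base"), 16),
            protect=int(n.group("protect"), 16),
            offset=int(m.group("offset"), 16),
            based_on_pe=(m.group("pe") == "true"),
        )
        rec.associated = re.findall(r"Associated:\s*(\S+\.sdmp)", chunk)
        for attr, rx in FIELDS.items():
            f = rx.search(chunk)
            if f:
                setattr(rec, attr, f.group(1))
        u = re.search(r"Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%", chunk)
        if u:
            rec.uniqueness = float(u.group(1))
        records.append(rec)
    return records


def suspicious_regions(records: List[DumpRecord]) -> List[int]:
    """Bases of dumps that are not PE-backed and were writable+executable (editor's heuristic)."""
    rwx = (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)
    return sorted({r.base for r in records if not r.based_on_pe and r.protect in rwx})


def distinct_functions(records: List[DumpRecord]) -> int:
    """Number of distinct Opcode IDs, i.e. how many different functions the records cover."""
    return len({r.opcode_id for r in records if r.opcode_id})
```

Run it on a saved copy of the report text: the 0x00AF0000 region is reported as not PE-backed, and its name carries protection 0x40, so it comes out as the region to look at first, which is consistent with the report's own unpacking signatures.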

                                                      C-Code - Quality: 32%
                                                      			E00235C2B(signed char __eax, void* __ebx, void* __ecx, void* __edx, signed int* __edi, signed int* __esi, void* __eflags) {
                                                      				signed int _t20;
                                                      				signed int _t21;
                                                      				signed char _t22;
                                                      				signed char _t23;
                                                      				signed char _t24;
                                                      				signed char _t26;
                                                      				void* _t27;
                                                      				void* _t28;
                                                      				void* _t29;
                                                      				signed char _t30;
                                                      				signed char _t31;
                                                      				void* _t34;
                                                      				intOrPtr* _t35;
                                                      				signed int* _t37;
                                                      				signed int* _t38;
                                                      				void* _t39;
                                                      				void* _t40;
                                                      
                                                      				_t40 = __eflags;
                                                      				_t38 = __esi;
                                                      				_t37 = __edi;
                                                      				_t34 = __edx;
                                                      				_t29 = __ecx;
                                                      				_t27 = __ebx;
                                                      				_t17 = __eax;
                                                      				_push(ss);
                                                      				if(__eflags >= 0) {
                                                      					asm("adc al, [eax]");
                                                      					_t17 = __eax + 9;
                                                      					asm("daa");
                                                      					asm("adc eax, 0x8f90012");
                                                      					asm("adc al, [eax]");
                                                      					asm("stc");
                                                      					 *__edi =  *__edi | _t17;
                                                      					asm("adc eax, 0x189c0012");
                                                      				}
                                                      				asm("adc al, [eax]");
                                                      				asm("pushfd");
                                                      				asm("sbb [edi], ah");
                                                      				asm("adc eax, 0x11610006");
                                                      				asm("out 0xe, al");
                                                      				asm("adc al, [eax]");
                                                      				asm("popfd");
                                                      				_push(cs);
                                                      				asm("daa");
                                                      				asm("adc eax, 0x306000a");
                                                      				if(_t40 >= 0) {
                                                      					asm("adc al, [eax]");
                                                      					asm("lodsb");
                                                      					_push(cs);
                                                      					asm("daa");
                                                      					asm("adc eax, 0x67c0012");
                                                      					asm("daa");
                                                      					asm("adc eax, 0xf840012");
                                                      				}
                                                      				asm("adc al, [eax]");
                                                      				asm("daa");
                                                      				asm("adc eax, 0x113b0006");
                                                      				asm("adc [ebx], al");
                                                      				_push(es);
                                                      				_t30 = _t29 + _t17;
                                                      				_push(cs);
                                                      				asm("adc [ebx], al");
                                                      				_push(es);
                                                      				_t37[3] = _t37[3] + _t17;
                                                      				asm("adc [ebx], al");
                                                      				if((_t17 |  *_t17) >= 0) {
                                                      					_push(es);
                                                      					_t34 = _t34 + _t34;
                                                      					_t30 = _t30 +  *((intOrPtr*)(_t39 + _t30));
                                                      					_push(es);
                                                      					 *((intOrPtr*)(_t27 + 0xf)) =  *((intOrPtr*)(_t27 + 0xf)) + _t34;
                                                      					asm("out 0xe, al");
                                                      				}
                                                      				_t37[0x180e806] = _t37[0x180e806] + _t27;
                                                      				_t35 = _t34 + _t30;
                                                      				_t31 = _t30 | 0x00000015;
                                                      				asm("sldt word [eax]");
                                                      				 *0x15 =  *0x15 + 0x15;
                                                      				 *_t35 = 0;
                                                      				 *0x15 =  *0x15 + 0x15;
                                                      				 *_t31 =  *_t31 + 0x15;
                                                      				 *_t31 =  *_t31 + 0x15;
                                                      				 *_t31 =  *_t31 + 0x15;
                                                      				 *0x15 =  *0x15 + _t35;
                                                      				_t28 = _t27 + 0x15;
                                                      				asm("adc eax, 0x410000");
                                                      				 *0x15 =  *0x15 + 0x15;
                                                      				 *0x15 =  *0x15 + 0x15;
                                                      				 *0x15 =  *0x15 + 0x15;
                                                      				asm("adc [eax], al");
                                                      				_t20 = 0x00000015 |  *_t38;
                                                      				asm("salc");
                                                      				asm("adc [ecx], al");
                                                      				es = ss;
                                                      				 *_t20 =  *_t20 + _t31;
                                                      				 *_t31 =  *_t31 + _t20;
                                                      				 *_t20 =  *_t20 + _t35;
                                                      				 *((intOrPtr*)(_t31 + 0xe)) =  *((intOrPtr*)(_t31 + 0xe)) + _t28;
                                                      				asm("salc");
                                                      				asm("adc [ecx], al");
                                                      				 *_t20 =  *_t20 | _t20;
                                                      				_t21 = _t20;
                                                      				 *_t21 =  *_t21 + 0x6f90010;
                                                      				asm("salc");
                                                      				asm("adc [ecx], al");
                                                      				 *_t21 =  *_t21 | _t21;
                                                      				_t22 = _t21 | 0x10000100;
                                                      				_push(es);
                                                      				asm("salc");
                                                      				asm("adc [eax+eax], dl");
                                                      				 *_t22 =  *_t22 | _t22;
                                                      				asm("sldt word [ecx]");
                                                      				 *_t22 =  *_t22 + _t35;
                                                      				 *((intOrPtr*)(_t37 + _t22 + 0x4110d6)) =  *((intOrPtr*)(_t37 + _t22 + 0x4110d6)) + _t28;
                                                      				_t23 = _t22 |  *_t22;
                                                      				asm("adc [eax], eax");
                                                      				 *_t23 =  *_t23 + _t23;
                                                      				asm("adc [eax], al");
                                                      				asm("loopne 0x17");
                                                      				asm("salc");
                                                      				asm("adc [ecx], al");
                                                      				asm("adc [eax], eax");
                                                      				asm("sbb al, 0x0");
                                                      				 *_t23 =  *_t23 + _t23;
                                                      				asm("adc [eax], al");
                                                      				 *_t35 =  *_t35 + _t35;
                                                      				asm("salc");
                                                      				asm("adc [ecx], al");
                                                      				asm("adc [eax], eax");
                                                      				asm("sbb eax, 0x10000100");
                                                      				_push(es);
                                                      				asm("salc");
                                                      				asm("adc [eax+eax], dl");
                                                      				asm("adc al, 0x0");
                                                      				_t24 = _t23 &  *_t23;
                                                      				 *((intOrPtr*)(_t31 + _t31 + _t28)) =  *((intOrPtr*)(_t31 + _t31 + _t28)) + _t24;
                                                      				 *_t24 =  *_t24 + _t24;
                                                      				 *0x2400 =  *0x2400 + _t35;
                                                      				 *_t24 =  *_t24 + _t35;
                                                      				asm("adc cl, ch");
                                                      				asm("adc al, [ecx]");
                                                      				_t26 = (_t24 ^  *_t24) & 0x00000000;
                                                      				 *_t26 =  *_t26 + _t26;
                                                      				asm("adc [eax], al");
                                                      				return _t26;
                                                       			}

                                                       [Address column for E00235C2B: 0x00235c2b to 0x00235cb2. Only the addresses were extracted; the instruction text for these addresses is not on the page.]
                                                      0x00235cb4
                                                      0x00235cb6
                                                      0x00235cb7
                                                      0x00235cba
                                                      0x00235cbb
                                                      0x00235cbd
                                                      0x00235cbf
                                                      0x00235cc1
                                                      0x00235cc4
                                                      0x00235cc5
                                                      0x00235cc8
                                                      0x00235cca
                                                      0x00235ccc
                                                      0x00235cd2
                                                      0x00235cd3
                                                      0x00235cd6
                                                      0x00235cd8
                                                      0x00235cdf
                                                      0x00235ce0
                                                      0x00235ce1
                                                      0x00235ce4
                                                      0x00235ce6
                                                      0x00235ce9
                                                      0x00235ceb
                                                      0x00235cf2
                                                      0x00235cf4
                                                      0x00235cf6
                                                      0x00235cf8
                                                      0x00235cfa
                                                      0x00235cfc
                                                      0x00235cfd
                                                      0x00235d00
                                                      0x00235d02
                                                      0x00235d04
                                                      0x00235d06
                                                      0x00235d08
                                                      0x00235d0a
                                                      0x00235d0b
                                                      0x00235d0e
                                                      0x00235d10
                                                      0x00235d17
                                                      0x00235d18
                                                      0x00235d19
                                                      0x00235d1c
                                                      0x00235d1e
                                                      0x00235d20
                                                      0x00235d22
                                                      0x00235d29
                                                      0x00235d2f
                                                      0x00235d33
                                                      0x00235d35
                                                      0x00235d3a
                                                      0x00235d3c
                                                      0x00235d3e
                                                      0x00235d40

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.669812755.0000000000232000.00000002.00020000.sdmp, Offset: 00230000, based on PE: true
                                                      • Associated: 00000000.00000002.669807511.0000000000230000.00000002.00020000.sdmp
                                                      • Associated: 00000000.00000002.669871538.00000000002A6000.00000002.00020000.sdmp
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3754c44db105550e0f518cd977f634f23f3084b444b0f3136f908f722c347727
                                                      • Instruction ID: eefe1b87b69662f892c0c79c36b6f75d6c219ed9df0dbb228315256247a3c34f
                                                      • Opcode Fuzzy Hash: 3754c44db105550e0f518cd977f634f23f3084b444b0f3136f908f722c347727
                                                      • Instruction Fuzzy Hash: 9541776541E7E14FEB4397B04C666D13FB2AE0B22871F45CBD4C49E473E20A492BD7A2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Executed Functions

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7a02bd2c20b6399af7092e7ae5f214d16c94dc01e9ca4dd450579d0677813186
                                                      • Instruction ID: 09e3c029ea0f4f70f77bc9628c7d412c48307fee9ade9632f4db2116d3a4a2e2
                                                      • Opcode Fuzzy Hash: 7a02bd2c20b6399af7092e7ae5f214d16c94dc01e9ca4dd450579d0677813186
                                                      • Instruction Fuzzy Hash: D712E275E24222CFD794CF24C4956ADBBF2BF4A300F548929E416EB394DB34AA81CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dd450aa3a6b469b2fce25fdaeba1fdbca0d2826d7836b748367dc1ef1f28c9c6
                                                      • Instruction ID: ad850d499b9f66fba429a0ee7ce0dd1748dbea404c55959a515f65d9bbc3bae2
                                                      • Opcode Fuzzy Hash: dd450aa3a6b469b2fce25fdaeba1fdbca0d2826d7836b748367dc1ef1f28c9c6
                                                      • Instruction Fuzzy Hash: 4EB1C171E05237DFDB54CF68C8405BEBBB1BF86200F18896AD5559B281DB39DA05CBD0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 011CB730
                                                      • GetCurrentThread.KERNEL32 ref: 011CB76D
                                                      • GetCurrentProcess.KERNEL32 ref: 011CB7AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 011CB803
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: f241cbcb215c6f66c83fdab1b9b01fde73ac6da23cce09c1b71c09bbea6bab77
                                                      • Instruction ID: fde44cb37550405c41dd2431514d0b01f3e3d704ae988626ed7acfb2816f9e8d
                                                      • Opcode Fuzzy Hash: f241cbcb215c6f66c83fdab1b9b01fde73ac6da23cce09c1b71c09bbea6bab77
                                                      • Instruction Fuzzy Hash: B35172B4D046488FDB28CFA9D588BDEBBF0AF48318F24816AE409B3390C7759845CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 011CB730
                                                      • GetCurrentThread.KERNEL32 ref: 011CB76D
                                                      • GetCurrentProcess.KERNEL32 ref: 011CB7AA
                                                      • GetCurrentThreadId.KERNEL32 ref: 011CB803
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 249f58947c9a50b0887ef2eedafe417f1f45c753c1d5b04b95a0d11d9d6ad120
                                                      • Instruction ID: 02c525ac39ff970b571e7de22968770d41d514af05805f593fcc8dae9bc9e669
                                                      • Opcode Fuzzy Hash: 249f58947c9a50b0887ef2eedafe417f1f45c753c1d5b04b95a0d11d9d6ad120
                                                      • Instruction Fuzzy Hash: 345164B49046088FDB28CFA9D588BDEBBF1EF48314F24852AE419B3390C7755844CF69
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 4a5d5fa736d2f3037d746231ac30ce4dc9eb50818191d54e3c225a5448e02a45
                                                      • Instruction ID: 2b26594d4f3c07edd4a81cce06ef2ee2806e5922a2024728d4f4fde87b4702b2
                                                      • Opcode Fuzzy Hash: 4a5d5fa736d2f3037d746231ac30ce4dc9eb50818191d54e3c225a5448e02a45
                                                      • Instruction Fuzzy Hash: 9F714570A00B098FD728CF69D58079ABBF1BF98718F008A2ED58AD7A50D774E845CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011CFD0A
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 6cf7a08cb187b503bfb7b37e5a6a7badb5a2f29f9c63081a9d9c29060fde331f
                                                      • Instruction ID: ac90ed7e51ff19cd4b28965c1a2db591a7550c3ac03a5292def48b78177940b5
                                                      • Opcode Fuzzy Hash: 6cf7a08cb187b503bfb7b37e5a6a7badb5a2f29f9c63081a9d9c29060fde331f
                                                      • Instruction Fuzzy Hash: 2D6102B1C04249AFDF15CFA9D884ADDBFB2BF58314F15816AE818AB221C7759845CF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 011CFD0A
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 8496617eba99a0d02773b21cfdcf17bb17c2fd149fcceb06431d3319b6cb61ea
                                                      • Instruction ID: 585b46a4c28945ae5ebd007844a0ae538a164190d23e9bdcfbc17d75b7c616e2
                                                      • Opcode Fuzzy Hash: 8496617eba99a0d02773b21cfdcf17bb17c2fd149fcceb06431d3319b6cb61ea
                                                      • Instruction Fuzzy Hash: 9D41AFB1D003099FDB14CF99D884ADEBBB6FF48714F24852AE819AB210D774A946CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011CBD87
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 91135849b130ddaa6fd4eaa304e10e51a8fc1f422f7d53b68c49c04aec4f6882
                                                      • Instruction ID: fe27b2f54130e9a6d21d34cd973be0d9f6b22f73a7955795e97924958f5a67e9
                                                      • Opcode Fuzzy Hash: 91135849b130ddaa6fd4eaa304e10e51a8fc1f422f7d53b68c49c04aec4f6882
                                                      • Instruction Fuzzy Hash: 5F21F2B5900249AFDB10CFA9D484AEEFFF5EF48324F14841AE958A3211C378A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011CBD87
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 70c87119576e2b12f8a1e200efa0386ac2cc53591806dfe87a5481b312283ba0
                                                      • Instruction ID: 71b910510c90b14985afcd9f21b2c9b9f6511b114ee1348be44f8cd3a080b092
                                                      • Opcode Fuzzy Hash: 70c87119576e2b12f8a1e200efa0386ac2cc53591806dfe87a5481b312283ba0
                                                      • Instruction Fuzzy Hash: 1F21C4B5D00248AFDB10CF99D984ADEFBF5EB48324F14841AE919A7310D374A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 011C98BA
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: dd9ec355da56780039a719e1597746169a66740a0f0768e6ad1d6fc18dc86006
                                                      • Instruction ID: c5e3293bbf3652e3ebbec2b4ece78318ddc8a0ce74815dcd269dc7e7a42c0f53
                                                      • Opcode Fuzzy Hash: dd9ec355da56780039a719e1597746169a66740a0f0768e6ad1d6fc18dc86006
                                                      • Instruction Fuzzy Hash: E91124B6C002498FDB14CF9AD484ADEFBB4EB58324F05842ED419B7200C374A946CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 011C98BA
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: f89db2dde882a54c0e4ed5f375615a1fae068101b23b6ee97c30280950ee2c22
                                                      • Instruction ID: 31f622dd049e1e4882fe3b9709bd437b8b7ea185cba448faefc10b59251ab790
                                                      • Opcode Fuzzy Hash: f89db2dde882a54c0e4ed5f375615a1fae068101b23b6ee97c30280950ee2c22
                                                      • Instruction Fuzzy Hash: 331100B6C002099FDB14CF9AD844BDEFBF4EB88324F04842ED529A7600C3B4A545CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,011C93FB), ref: 011C962E
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: cb6d3165231f15f9a93b30f6fb7c7a36d2e25a0e7c5ba18a9ad22739e623a0d1
                                                      • Instruction ID: 83a6ddc0b5ab0ecdffd589cb71dfd6d795cadd48d902450bee0fb4d32cc3eda7
                                                      • Opcode Fuzzy Hash: cb6d3165231f15f9a93b30f6fb7c7a36d2e25a0e7c5ba18a9ad22739e623a0d1
                                                      • Instruction Fuzzy Hash: 2E1123B5C006488BCB14CF9AD444BDEFBF4EB48718F00842AD419A7240C374A546CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 011CFE9D
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: ac743aa1bba07b668be81013d0d78ce45cd5e09b53c854595ef37342a6365377
                                                      • Instruction ID: f0de85e8a243e7fb79eafcefc68edaed321c62fc332b5b2e67cfb4f082529ed7
                                                      • Opcode Fuzzy Hash: ac743aa1bba07b668be81013d0d78ce45cd5e09b53c854595ef37342a6365377
                                                      • Instruction Fuzzy Hash: AD1122B5C002498FDB20CF99D489BDEFBF4EB48724F15841AD859B7201C3B4A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?), ref: 011CFE9D
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.916691784.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: d41e3bbe33d8a60963d463d327ad6a59f71391cf9c5bc69fab4b548e8b2b226b
                                                      • Instruction ID: 34d70fcc4472b091221cdb2cc9b3e0c77dcdb13e8671ae269a6d99fd6d251382
                                                      • Opcode Fuzzy Hash: d41e3bbe33d8a60963d463d327ad6a59f71391cf9c5bc69fab4b548e8b2b226b
                                                      • Instruction Fuzzy Hash: AA1100B58002499FDB20CF99D588BDEFBF8EB48724F10841AE919A7200C3B4A945CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: f329c52a89af4e824f427f22a8cc786cc6ee2428d530884bbba72aed449d679e
                                                      • Instruction ID: e67df1314c4dcc37f13fec3b38721fd35069251de21f221b8d99bf615608be5e
                                                      • Opcode Fuzzy Hash: f329c52a89af4e824f427f22a8cc786cc6ee2428d530884bbba72aed449d679e
                                                      • Instruction Fuzzy Hash: 4F511371F041268FC754DBA8CC805AEB7A2FBC6214719887AD606CB395DB39EC068BC1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 34e5ca1405998267670983e4418cce8b03f88261ed6c5119c418c27918304249
                                                      • Instruction ID: f82966566cef18eaf089216c9a7b2ea1c4e6ab0410e63b0dd126690f04970dd2
                                                      • Opcode Fuzzy Hash: 34e5ca1405998267670983e4418cce8b03f88261ed6c5119c418c27918304249
                                                      • Instruction Fuzzy Hash: 2FB15074B00216DFD794DF68D484A6EB7F2BF89314F148899E5169B3A6CB31E841CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2ee327dedeb6177953b32082cfa09a25a3e4c7082b9286cd22b4c834941089d8
                                                      • Instruction ID: 9be88f41954bd5035ee8c20136e767b530d33961bf234f9faa61233ac5277528
                                                      • Opcode Fuzzy Hash: 2ee327dedeb6177953b32082cfa09a25a3e4c7082b9286cd22b4c834941089d8
                                                      • Instruction Fuzzy Hash: C941C271F10226DFDB98AFB5D85426EBBF2BF8A600F104429D416EB3D1DE359C428B90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923895175.0000000006CA0000.00000040.00000001.sdmp, Offset: 06C90000, based on PE: true
                                                      • Associated: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2749e8b3b23063c1198b9fb87f3dca9b69c59cef64cbd991cb7e353086a87e28
                                                      • Instruction ID: 9394dfd91a19e2f50537a3b95587f5c9c949bd7bf078e3a190df1c5d23bd52bf
                                                      • Opcode Fuzzy Hash: 2749e8b3b23063c1198b9fb87f3dca9b69c59cef64cbd991cb7e353086a87e28
                                                      • Instruction Fuzzy Hash: 10214331B04B214BC729DB68A81095B77E6AFC926C714C97EE50ACB391EF31ED0687D1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ec26640a1a297d2fd7eeb922644193ecb736e011988f23a81b3f1f058879accc
                                                      • Instruction ID: 4c4817b91e8b8cf6f1f4fe6bde452edcaed42a01f61c2bf5f31ce62e1dc20e63
                                                      • Opcode Fuzzy Hash: ec26640a1a297d2fd7eeb922644193ecb736e011988f23a81b3f1f058879accc
                                                      • Instruction Fuzzy Hash: 3D21E775B401148F8788EB78D59492E37F2EFCA61471140A8EA0ACB3B1DE34DD04CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 82a6c9058b5ec85a2fabd86dba8cee7486662ad8263d271d2de65d0ca30c21f6
                                                      • Instruction ID: 4eb83b7a70470a15de5672b610c0e0cc574c32bcbdcb38c8f00c08231d3de359
                                                      • Opcode Fuzzy Hash: 82a6c9058b5ec85a2fabd86dba8cee7486662ad8263d271d2de65d0ca30c21f6
                                                      • Instruction Fuzzy Hash: B101C4317013229FD354AB69D894A6E37EAFFC9614B118529E206CB3E6CF71EC058B94
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8e0b3be9f00f623355aaffba31a89925a57733e52eb9336c4a4da875cfb704d
                                                      • Instruction ID: 24eca4f8a00f1835cc14b6d327de207fbc684376fe6c665c8b6c453692703acc
                                                      • Opcode Fuzzy Hash: d8e0b3be9f00f623355aaffba31a89925a57733e52eb9336c4a4da875cfb704d
                                                      • Instruction Fuzzy Hash: 5F0117767001148F8788EB78D59491E37E6EFCE62435200A8E60ACB3B1DE24DC058BD1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 28326f9552fafa4cb1070dac9c76438d18c88d424074ce5eadf76245eda2273a
                                                      • Instruction ID: ac57db2044f2f841679089f710861fea36f643be84623c5bbdbb627a51812ba4
                                                      • Opcode Fuzzy Hash: 28326f9552fafa4cb1070dac9c76438d18c88d424074ce5eadf76245eda2273a
                                                      • Instruction Fuzzy Hash: B801D7B6B541148F8788EB78D9D592E37F6EBCA62431100A9E60ACB3B1DE65DC048B90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b2ea5ea9b1ab3398f16aa148705d769008aadd09a9a92dab2233ffbca44af736
                                                      • Instruction ID: 6c34d34d64c91fc2ca6830ec13cfa81681d71c266871761786b71ef6622071f4
                                                      • Opcode Fuzzy Hash: b2ea5ea9b1ab3398f16aa148705d769008aadd09a9a92dab2233ffbca44af736
                                                      • Instruction Fuzzy Hash: EDF02D103252646BC72063B8185127B75CF8FC6294F88886DE60B8B7C2CE989C0213F2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 887a5e616d5cd6a6501b7673acb627cca0473497e0b8dc162a618029cb717cca
                                                      • Instruction ID: df24591244717ff77999535464f953a7f1bbb53c9bfb0957db3a22cee105188a
                                                      • Opcode Fuzzy Hash: 887a5e616d5cd6a6501b7673acb627cca0473497e0b8dc162a618029cb717cca
                                                      • Instruction Fuzzy Hash: F9F02D20329164ABD3207379181437F74CF8FC62A4F48882DE10B9BBC2CE989D0623F2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b75efbcd301597037ddd0526043a63d2824d494d5bff6821e4cd175ff3d5cbec
                                                      • Instruction ID: 0b924d0e809b65962d701cbb10317cfcc4fa12dd1e98cdf42db39a6f7d5b73a7
                                                      • Opcode Fuzzy Hash: b75efbcd301597037ddd0526043a63d2824d494d5bff6821e4cd175ff3d5cbec
                                                      • Instruction Fuzzy Hash: 92F03C767505148F8384EB7CD59491E37E6EFCD52136240A8E60ACB371DE28DD058BD1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923895175.0000000006CA0000.00000040.00000001.sdmp, Offset: 06C90000, based on PE: true
                                                      • Associated: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 341671584283b1da2087b024e5c31577603dc593169aa1daa21e7eac560e7cb9
                                                      • Instruction ID: 0ea72119df479e9fce39059e765ddc8bafeb57e41e5fdcbf699fe742509ac132
                                                      • Opcode Fuzzy Hash: 341671584283b1da2087b024e5c31577603dc593169aa1daa21e7eac560e7cb9
                                                      • Instruction Fuzzy Hash: 93F0B432B01F224BC775DE689C40A9B72EAAF89658704863ED546C7744EF31EC4687D4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9a6b00c374c2604034924ec3423c078731076a35aba5e516d43adffbcc967325
                                                      • Instruction ID: 88731e9006eb68a666f2d46d42418b199290d3df77920518350bd5811d2e0ec7
                                                      • Opcode Fuzzy Hash: 9a6b00c374c2604034924ec3423c078731076a35aba5e516d43adffbcc967325
                                                      • Instruction Fuzzy Hash: DDF05E36B000148F8784EB78E59891E37E6EBCD62131144A4EA0AC7371DF38DD018BD1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923895175.0000000006CA0000.00000040.00000001.sdmp, Offset: 06C90000, based on PE: true
                                                      • Associated: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 377bc869b02e5f40a8be990107f9f6d7db4c0ea1649ab0665bc95b595c82380c
                                                      • Instruction ID: 930302729d88bf178e77860649b244e954baacd3dbf8107e77d2bf41cf873d93
                                                      • Opcode Fuzzy Hash: 377bc869b02e5f40a8be990107f9f6d7db4c0ea1649ab0665bc95b595c82380c
                                                      • Instruction Fuzzy Hash: 0AE0C23A700B304B83545A95A8046AE73EB9B88575B004369EC0AC3780DE389E0596E1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923895175.0000000006CA0000.00000040.00000001.sdmp, Offset: 06C90000, based on PE: true
                                                      • Associated: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 75a5eae43db034f7be6d3bef53e09065f8cad53ab7728c91aeb5f9919d05ad8a
                                                      • Instruction ID: 68e6fd58298684a8f156b23dfb81a5bb4731dd9cc5b08cb39b9188188887ed3c
                                                      • Opcode Fuzzy Hash: 75a5eae43db034f7be6d3bef53e09065f8cad53ab7728c91aeb5f9919d05ad8a
                                                      • Instruction Fuzzy Hash: F6E0E5B4D4030A9FDB84DFAAC544B6EBBF0BF08209F2084A9D006E7651D7749602CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923895175.0000000006CA0000.00000040.00000001.sdmp, Offset: 06C90000, based on PE: true
                                                      • Associated: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e66765356b6ef4e9eced31334e4b2867480cdd35287747a62390aa66ecb7a9a1
                                                      • Instruction ID: ce098c65d554dbe292e5fb3a60834f2a38d89f605f0664f9a85b9ee55321b8ec
                                                      • Opcode Fuzzy Hash: e66765356b6ef4e9eced31334e4b2867480cdd35287747a62390aa66ecb7a9a1
                                                      • Instruction Fuzzy Hash: 39E0ECB0D4431A9FDB90EFADC40179EBBF0AB04208F10896AC015E7641E77456058F91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d1d70f45be0396c4151c0b727d1f7e05389fea485d31ada50d5ece652d552146
                                                      • Instruction ID: 58c322e95663326e7e2d7f253cad2e111d3c8bfd2ec906098fa3841efd987d1c
                                                      • Opcode Fuzzy Hash: d1d70f45be0396c4151c0b727d1f7e05389fea485d31ada50d5ece652d552146
                                                      • Instruction Fuzzy Hash: EEC08C32668209DBEB389715694992333ABB3C8700B15CA10B60E026C58A71780141D0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923895175.0000000006CA0000.00000040.00000001.sdmp, Offset: 06C90000, based on PE: true
                                                      • Associated: 00000009.00000002.923865183.0000000006C90000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cd604a79e0985728e9a397b1d5d8c3d8addbd5e32c86c9f0ae76b833e3016421
                                                      • Instruction ID: f98f64978758d304dd6a9183bd799dd30a267a73f770d5081403e74fa1f6e497
                                                      • Opcode Fuzzy Hash: cd604a79e0985728e9a397b1d5d8c3d8addbd5e32c86c9f0ae76b833e3016421
                                                      • Instruction Fuzzy Hash: 1EC08C323A830D9BEB18EB16A84192633ABA3C870CF44C010B80E823458A71A84210C8
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.923154364.0000000006520000.00000040.00000001.sdmp, Offset: 06510000, based on PE: true
                                                      • Associated: 00000009.00000002.923126375.0000000006510000.00000004.00000001.sdmp
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 24e4de4563ff02faa06946d39cf80b3561551b7e459ed6af9515a0f59399afd8
                                                      • Instruction ID: 68497640685016d7c072d348ba1793751553e77bbc8412ae4f9e9ac8f6e35bfc
                                                      • Opcode Fuzzy Hash: 24e4de4563ff02faa06946d39cf80b3561551b7e459ed6af9515a0f59399afd8
                                                      • Instruction Fuzzy Hash: 16A002041DD4338529E0BB7498551B91495FBC392D3C12C415592901D9CE8995014397
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Executed Functions

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014FFE0A
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 568510e7882086a96cd059bfe872b8a26e2cb64ffa07c0d1e901fd7779f56d1c
                                                      • Instruction ID: fcdd8354fb1d8f388043683490ce6754eceefc2e7835677c5797f7372310d0a0
                                                      • Opcode Fuzzy Hash: 568510e7882086a96cd059bfe872b8a26e2cb64ffa07c0d1e901fd7779f56d1c
                                                      • Instruction Fuzzy Hash: D6519DB1D00309AFDB14CF99C884ADEBBB5BF48714F24812AE919AB350D774A945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014FFE0A
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 965d36fea78f688808eba43daa017ab268da47077d42a8f7b2c02f6b18db14f3
                                                      • Instruction ID: 9d4af13e707d50323c772bfaa8b29f8a100fcd5a6dedfd06108dc5c26c6db714
                                                      • Opcode Fuzzy Hash: 965d36fea78f688808eba43daa017ab268da47077d42a8f7b2c02f6b18db14f3
                                                      • Instruction Fuzzy Hash: 7451C0B1D00309AFDB14CF99C884ADEBBB5FF48314F24852AE919AB310D770A945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 014F5421
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: c9a6f947362a148ebac832cde97d20ca961dd1fc451f9eadb945c9299b3802af
                                                      • Instruction ID: 567d7dde324d7045c09b246f35dd263f2bbe764979ea9bc2e6cf2e88cc144b65
                                                      • Opcode Fuzzy Hash: c9a6f947362a148ebac832cde97d20ca961dd1fc451f9eadb945c9299b3802af
                                                      • Instruction Fuzzy Hash: 4841F171D0461CCBDB24CFA9C884BCEBBB5FF48308F25806AD508AB250DBB56946CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 014F5421
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: aaf1ac80333aedd14eb32bf35291cd2928afeb9e4700b21569bdaf17846e959c
                                                      • Instruction ID: c9f6dc01a98848ab365fb52dcd2646c57d2a05309c655cfc1d9d442323a7ea8d
                                                      • Opcode Fuzzy Hash: aaf1ac80333aedd14eb32bf35291cd2928afeb9e4700b21569bdaf17846e959c
                                                      • Instruction Fuzzy Hash: 8541E271D0461CCBDB24DFA9C8847DEBBB5FF48308F21806AD508AB264DBB56946CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014FB87E,?,?,?,?,?), ref: 014FB93F
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 3e5f5555671288f43c271bdee255c50be86aa5995a3fa628719178560d72f484
                                                      • Instruction ID: 89923e90d0f4ecc3ce870ba8ad878bd402b3efb4f503a6a7c8cf84c888310ff8
                                                      • Opcode Fuzzy Hash: 3e5f5555671288f43c271bdee255c50be86aa5995a3fa628719178560d72f484
                                                      • Instruction Fuzzy Hash: 0C21E3B5904209AFDB10CFA9D884BDEFFF8EB48320F14842AE914A3310D374A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014FB87E,?,?,?,?,?), ref: 014FB93F
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 7eccb546f21dde2b55ee3691272a2d41477a700bde2bc69026f4440816ad0b2a
                                                      • Instruction ID: 4471b3db97227c7d35588603ba205d95f684b9de07a2a16ca6cdb2b83b586c56
                                                      • Opcode Fuzzy Hash: 7eccb546f21dde2b55ee3691272a2d41477a700bde2bc69026f4440816ad0b2a
                                                      • Instruction Fuzzy Hash: E721B0B5904219AFDB10CFA9D884BDEFFF8EB48324F14842AE954A3310D374A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014F9951,00000800,00000000,00000000), ref: 014F9B62
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 6d147dbb1f4159595330372284449de6e229e4d460eb592a11c2441d5cfe2be6
                                                      • Instruction ID: 17ad3686e4556674386846d9801e275f5201baf3db5966a215a0d26f50f4e864
                                                      • Opcode Fuzzy Hash: 6d147dbb1f4159595330372284449de6e229e4d460eb592a11c2441d5cfe2be6
                                                      • Instruction Fuzzy Hash: 4211F2B6D042499BDB14CF9AD484BDEFBF4EB88324F04842EE515A7310C3B4A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014F9951,00000800,00000000,00000000), ref: 014F9B62
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 1c6c62e8dc6de71341efa88e98a6e409b7fed173c00cac7f5b4198ac3cf6245c
                                                      • Instruction ID: 0f9601f749ac53416458861d367f8f511bdcc1b24ce3146b158e75d599ff6e46
                                                      • Opcode Fuzzy Hash: 1c6c62e8dc6de71341efa88e98a6e409b7fed173c00cac7f5b4198ac3cf6245c
                                                      • Instruction Fuzzy Hash: F011F2B68002099BDB14CFAAD484BDFFBF4EB88324F14852AE519A7310C3B5A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 014F98D6
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 16d059e1129fa5b9cebc796b0aa08e5584f9eb5ec9cc75935a4e6208459b2083
                                                      • Instruction ID: 7c9781fd7a099ed3bc5bfb1832133ba163d2a4e07fdf8abd66eca4eb883f2108
                                                      • Opcode Fuzzy Hash: 16d059e1129fa5b9cebc796b0aa08e5584f9eb5ec9cc75935a4e6208459b2083
                                                      • Instruction Fuzzy Hash: 90111FB6C00609CBDB20CF9AD444BDEFBF4AB48324F14842AD529B7710C374A549CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 014F98D6
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: f54a4bf60e323dfa9a7af4a5881fe4506340164cac21f9d3a1bbb18d43d710fc
                                                      • Instruction ID: 45ae363a9a1e389683dcf4c732987628d67ace006085385b048cf4701331f1de
                                                      • Opcode Fuzzy Hash: f54a4bf60e323dfa9a7af4a5881fe4506340164cac21f9d3a1bbb18d43d710fc
                                                      • Instruction Fuzzy Hash: 9911CDB6C002499BDB24CF9AD444BDEFBF4EB88324F14842AD929A7710C3B5A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,014FFF28,?,?,?,?), ref: 014FFF9D
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: d65c254e5a2015177a509cab41ef7aef623042cf24fe94cdab3f7a3fdfc68a4d
                                                      • Instruction ID: b42d07dc7fa5c5f78915f8b3aa74d91d111a04d2f44aeba1133f09e7b11ac456
                                                      • Opcode Fuzzy Hash: d65c254e5a2015177a509cab41ef7aef623042cf24fe94cdab3f7a3fdfc68a4d
                                                      • Instruction Fuzzy Hash: CB11F5B58042099FDB20CF99D884BDEFBF8EB48324F14841AE915A7740C3B4A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,014FFF28,?,?,?,?), ref: 014FFF9D
                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.699111538.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                      Similarity
                                                      • API ID: LongWindow
                                                      • String ID:
                                                      • API String ID: 1378638983-0
                                                      • Opcode ID: ce554d5ac195c9aeb7313bd9e150d3e65b4fc31f10dabfdb69b771dfc3994efd
                                                      • Instruction ID: 67a7285c828129e37d1ab1c66f204ff8241af67d0dd4d828ca1004d06ef17fcb
                                                      • Opcode Fuzzy Hash: ce554d5ac195c9aeb7313bd9e150d3e65b4fc31f10dabfdb69b771dfc3994efd
                                                      • Instruction Fuzzy Hash: 4311F2B69042499FDB10CF99D589BDEFBF8EB48324F14841AD954B7740C3B4A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.698891907.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2fdacfd4093a438215e394110dace0654bdccb6e5ada799238f1ab28ce051dfb
                                                      • Instruction ID: c7136924c98836e79788a934d5fe14749b035c0fe0482c87483507a130a04ace
                                                      • Opcode Fuzzy Hash: 2fdacfd4093a438215e394110dace0654bdccb6e5ada799238f1ab28ce051dfb
                                                      • Instruction Fuzzy Hash: 8C21F4B1904244DFDB55DF54D8C0B27BF65FF8831CF24856ADD054A227C336D846CAA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.698921582.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: adcd773cb87349c8e905e4505e3df14136f76df078852c1952e7872b588d196b
                                                      • Instruction ID: 5d021e4f9e93992f912f4b6bd2f4a48041f7f461eccec7adbbde74f40f492a9d
                                                      • Opcode Fuzzy Hash: adcd773cb87349c8e905e4505e3df14136f76df078852c1952e7872b588d196b
                                                      • Instruction Fuzzy Hash: BF210AB5E04240DFDB11CF94D9C0B26BBA9FB84328F24C57ED9494B366C376D846CA62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.698921582.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4ca2c7237c8818e0061aa61a9810294409d62e959199f01b24e7ff1346f59059
                                                      • Instruction ID: fffe5803e5c74bf8b0b86c459d0b0a5bc67f315ce98cf6980a1977fbb1a4c65f
                                                      • Opcode Fuzzy Hash: 4ca2c7237c8818e0061aa61a9810294409d62e959199f01b24e7ff1346f59059
                                                      • Instruction Fuzzy Hash: 0A2106B5A08240DFCB15CF54D8C0B26BBA9FB8435CF24C56AD9494B356C376D807CA62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.698921582.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc3b916b94c69bcb2c71abf7754b03cdebdb26a2cd2b71ff1ee7e32c9e404994
                                                      • Instruction ID: 915447206d4dbf52cd2b4fc98d60ecec02b32ea0c098c85f67828efb1bc0c529
                                                      • Opcode Fuzzy Hash: bc3b916b94c69bcb2c71abf7754b03cdebdb26a2cd2b71ff1ee7e32c9e404994
                                                      • Instruction Fuzzy Hash: B82165755093808FDB13CF24D594716BF71EF46218F28C5EBD8858B667C33A984ACB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.698891907.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 76d66a488a8e2eb4ea502f692b6080f8959fcb036056923dacca0f9efaf34805
                                                      • Instruction ID: fa98457f8b6b06637a75a9b6dc3c072d921882e3407f376b3a77c1d418d84fc1
                                                      • Opcode Fuzzy Hash: 76d66a488a8e2eb4ea502f692b6080f8959fcb036056923dacca0f9efaf34805
                                                      • Instruction Fuzzy Hash: 7411AF76804284CFCB12CF54D9C4B16BF71FB84328F2486AADC450B627C336D45ACBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.698921582.000000000146D000.00000040.00000001.sdmp, Offset: 0146D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 950d924f8a873d9ddf14c36ba7e309aa77c9ccc93364ff4276970397c34955e3
                                                      • Instruction ID: 813127c505cc02e7e78dbd18325cc5fe336c46e6b7b94aae781d0802c866e446
                                                      • Opcode Fuzzy Hash: 950d924f8a873d9ddf14c36ba7e309aa77c9ccc93364ff4276970397c34955e3
                                                      • Instruction Fuzzy Hash: 1C118E75904280DFDB12CF54D5C4B16FB71FB84228F28C6AAD8494B766C33AD44ACB52
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.698891907.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8898c4bb94094a40514b40acee8f3a36b37f731a892aaceb5e00bc04a929ea85
                                                      • Instruction ID: a41dadb73779abf208c6d63cc82391179fbde3b78961e2be586ee091209f45c9
                                                      • Opcode Fuzzy Hash: 8898c4bb94094a40514b40acee8f3a36b37f731a892aaceb5e00bc04a929ea85
                                                      • Instruction Fuzzy Hash: 7D01F77180C3C4AAF7608A69CCC4767FFD8EF41234F08845BEE055A257C3B89844CAB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000E.00000002.698891907.000000000145D000.00000040.00000001.sdmp, Offset: 0145D000, based on PE: false
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 807de5f3c60939aa5c9e66687fc0591b7d3030a7ad5f29cfa354c0f9df906d78
                                                      • Instruction ID: 86a3a28b73280a566f12cc3ddc94e7c7ae94909244701ddafb1f9698c9d30190
                                                      • Opcode Fuzzy Hash: 807de5f3c60939aa5c9e66687fc0591b7d3030a7ad5f29cfa354c0f9df906d78
                                                      • Instruction Fuzzy Hash: ECF0C271408284AEE7618A19CCC4B63FF98EF41734F18C56AED080B287C3B89844CAB1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Non-executed Functions

                                                      Executed Functions

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 00E7B6F0
                                                      • GetCurrentThread.KERNEL32 ref: 00E7B72D
                                                      • GetCurrentProcess.KERNEL32 ref: 00E7B76A
                                                      • GetCurrentThreadId.KERNEL32 ref: 00E7B7C3
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: a7856e34a00b918c9d1971715ca7c86b03a063213642dae9aa9f6829d41d4610
                                                      • Instruction ID: c46568e6271993ea3f72f79965c6111538a36ceeebffc80af93b04fd46da3b19
                                                      • Opcode Fuzzy Hash: a7856e34a00b918c9d1971715ca7c86b03a063213642dae9aa9f6829d41d4610
                                                      • Instruction Fuzzy Hash: 435178B09043488FDB28CFA9D588BDEBBF0EF88308F24816AE419B7264C7755844CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetCurrentProcess.KERNEL32 ref: 00E7B6F0
                                                      • GetCurrentThread.KERNEL32 ref: 00E7B72D
                                                      • GetCurrentProcess.KERNEL32 ref: 00E7B76A
                                                      • GetCurrentThreadId.KERNEL32 ref: 00E7B7C3
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: Current$ProcessThread
                                                      • String ID:
                                                      • API String ID: 2063062207-0
                                                      • Opcode ID: 4b3c44f232f7779911d60cd4e060e7711e61890d7b8b7dde952db5a70b5c898f
                                                      • Instruction ID: b07ba3b27a9250d6b798c0348c659ba62d621e51aa1af74e54e2042d3b38234e
                                                      • Opcode Fuzzy Hash: 4b3c44f232f7779911d60cd4e060e7711e61890d7b8b7dde952db5a70b5c898f
                                                      • Instruction Fuzzy Hash: 5A5157B49002488FDB28CFA9D588BDEBBF4EF88318F24856AE419B7354C7B55844CF65
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E7FE0A
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: aa8abeb4901b67f329e6642879ee70903694712c5fc0239b394b79fc4aa86557
                                                      • Instruction ID: eda2f7418d6e0d35eb18e2e2598d56b05ccd211515097673989cab14240e6579
                                                      • Opcode Fuzzy Hash: aa8abeb4901b67f329e6642879ee70903694712c5fc0239b394b79fc4aa86557
                                                      • Instruction Fuzzy Hash: F451C0B1D003099FDF14CF99D884ADEBBB5FF48314F25812AE819AB214D775A945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00E7FE0A
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 245f3692894d048bacb0ff4ea81887630e42c9388d72259d5f9c57b62333daec
                                                      • Instruction ID: 7bb1f4f3c4fbeb1a0df780e36acfb5ade6871184fccef5a22780e3264844b37d
                                                      • Opcode Fuzzy Hash: 245f3692894d048bacb0ff4ea81887630e42c9388d72259d5f9c57b62333daec
                                                      • Instruction Fuzzy Hash: 6541CFB1D003099FDB14CF99C884ADEBBB5FF48314F24812AE819AB214D7B4A945CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00E75421
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 8cf4bc316eaaa95911cb2991ac12d21a5039c5225157bed60aaafef3b3fdc494
                                                      • Instruction ID: 1e06b05f3a61aee4798059e7dc4f4e175c91d2b3f4f6709564a4010a7649f0f3
                                                      • Opcode Fuzzy Hash: 8cf4bc316eaaa95911cb2991ac12d21a5039c5225157bed60aaafef3b3fdc494
                                                      • Instruction Fuzzy Hash: 3641F171C0461CCBDB24CFA9C844B8EBBB5FF48308F208069D519BB254DBB56986CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 00E75421
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 8185ec39c7c01a52a426548cc66f41ff6313e4768580562b2d259f1fc97a48a7
                                                      • Instruction ID: 06c21ff57f7885a61d815c0b3bb088e41ef5104df164c38b8b6102c5d232bb95
                                                      • Opcode Fuzzy Hash: 8185ec39c7c01a52a426548cc66f41ff6313e4768580562b2d259f1fc97a48a7
                                                      • Instruction Fuzzy Hash: 6141C171C0461CCEDB24CFA9C844BDEBBB5BF88308F21806AD519BB255DBB55986CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E7B93F
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 6eaf9b4783480900fbf2941114e0a372345157c986abcc81931248b2e248cfc0
                                                      • Instruction ID: 4af636b7dc502c4e42402b113e7bf29e5b832d4ecc8b3616ff18a8133debdfda
                                                      • Opcode Fuzzy Hash: 6eaf9b4783480900fbf2941114e0a372345157c986abcc81931248b2e248cfc0
                                                      • Instruction Fuzzy Hash: 9F21D2B5D00209AFDB10CFA9D984BEEFBF4EB48324F14802AE914B3210D375A955CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E7B93F
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 03b5e0a928bf739ad806c90da5768947e60ff42b05bdc17abb4acf3a0b748d7d
                                                      • Instruction ID: 23fa1b78ec82e2109f42ce4ea944de28013306bf35ff0758859d2f3ab2e17279
                                                      • Opcode Fuzzy Hash: 03b5e0a928bf739ad806c90da5768947e60ff42b05bdc17abb4acf3a0b748d7d
                                                      • Instruction Fuzzy Hash: E521B3B5900249AFDB10CF99D984BDEFBF8EB48324F14841AE954A7250D374A954CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E79951,00000800,00000000,00000000), ref: 00E79B62
                                                      Memory Dump Source
                                                      • Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: be5ec8041dd53b6eb53ae0073d853a77acebd30f12280a45d1ec864d84992e42
                                                      • Instruction ID: 471bdb274418d1ab4a1b4f8ac4b90bca69c23329dbe021d22a095cc4f74c5060
                                                      • Opcode Fuzzy Hash: be5ec8041dd53b6eb53ae0073d853a77acebd30f12280a45d1ec864d84992e42
                                                      • Instruction Fuzzy Hash: 4111C4B6D002499FCB10CFA9D484BDEFBF4AB88324F15852AD419B7210C3B5A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E79951,00000800,00000000,00000000), ref: 00E79B62
Memory Dump Source
• Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 3c93b13316e661490951fa3723246bec05539b7c1d526e0942b57a508766bc7f
• Instruction ID: cf1c752eb7e23432c23ae816c025418e7083b7ac96287cce66b6ee1259cf5599
• Opcode Fuzzy Hash: 3c93b13316e661490951fa3723246bec05539b7c1d526e0942b57a508766bc7f
• Instruction Fuzzy Hash: 0911F2B69042499BCB10CF9AD444BDEFBF5EB88324F14852AD819B7200C3B5A945CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00E798D6
Memory Dump Source
• Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: c1451595e310509999ffc9f3bb47b1e5dde3cef1a9e0505254594ebbd3f58129
• Instruction ID: 469b4919001abbb9d34a980a45a0c405979241d4025af6f47e3e8f3ccb055bf9
• Opcode Fuzzy Hash: c1451595e310509999ffc9f3bb47b1e5dde3cef1a9e0505254594ebbd3f58129
• Instruction Fuzzy Hash: 4511FFB6C002498FDB24CF9AD444BDEBBF4AF89314F14856AD419B7211C3B5A946CFA2
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00E798D6
Memory Dump Source
• Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 75a58d9cfa28012faa19d75a4f15310e666569092a9692a01a117f3ca34695d6
• Instruction ID: 5038f3ef91dd0df815aee8b4deecc8ad4b135b3bee69a9027dd8f0ca06c1f137
• Opcode Fuzzy Hash: 75a58d9cfa28012faa19d75a4f15310e666569092a9692a01a117f3ca34695d6
• Instruction Fuzzy Hash: 8411C0B5C002498BDB24CF9AD444BDEFBF4EF89324F15842AD819B7610C3B5A545CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 00E7FF9D
Memory Dump Source
• Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 31371764e53dcd97b5c49b47bc41aa31d924b448fbe238d35502f09bd6bd33aa
• Instruction ID: 089133c84719ba8cb6b61997941eddae692de3629c53c354f9f88cda7f352e77
• Opcode Fuzzy Hash: 31371764e53dcd97b5c49b47bc41aa31d924b448fbe238d35502f09bd6bd33aa
• Instruction Fuzzy Hash: B41145B59002088FDB20CF99D484BDEFBF4EB48324F10841AD868B3300C3B4A945CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 00E7FF9D
Memory Dump Source
• Source File: 0000000F.00000002.693244208.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: ef2e3a819857a47fcfae63fbaf31963ee1d66613d8147f4775c0ed8b72a6dd79
• Instruction ID: 99e3fdc73bebef096b253990ed53804c3b7cd68951cd10fe0b6a242b2569bfd9
• Opcode Fuzzy Hash: ef2e3a819857a47fcfae63fbaf31963ee1d66613d8147f4775c0ed8b72a6dd79
• Instruction Fuzzy Hash: F711D3B59002099FDB20CF99D585BDEFBF8EB48324F14841AD959B7640C3B5A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

                                                      Non-executed Functions