
Analysis Report uqoYt8EFEWQXAne.exe

Overview

General Information

Sample Name: uqoYt8EFEWQXAne.exe
Analysis ID: 356642
MD5: c415765ef678428f502b101039b7d495
SHA1: e5458ff58b98401d715a68a67afabdefaaf2edc3
SHA256: c024e649afaafd4d1a1ebc2c5a2c457eecd2b5994c2b78e32312eb5289b5c093
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • uqoYt8EFEWQXAne.exe (PID: 7160 cmdline: 'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe' MD5: C415765EF678428F502B101039B7D495)
    • schtasks.exe (PID: 3984 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • uqoYt8EFEWQXAne.exe (PID: 3040 cmdline: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe MD5: C415765EF678428F502B101039B7D495)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x3f54d:$x1: NanoCore.ClientPluginHost
  • 0x7258d:$x1: NanoCore.ClientPluginHost
  • 0x3f58a:$x2: IClientNetworkHost
  • 0x725ca:$x2: IClientNetworkHost
  • 0x430bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x760fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x3f2b5:$a: NanoCore
  • 0x3f2c5:$a: NanoCore
  • 0x3f4f9:$a: NanoCore
  • 0x3f50d:$a: NanoCore
  • 0x3f54d:$a: NanoCore
  • 0x722f5:$a: NanoCore
  • 0x72305:$a: NanoCore
  • 0x72539:$a: NanoCore
  • 0x7254d:$a: NanoCore
  • 0x7258d:$a: NanoCore
  • 0x3f314:$b: ClientPlugin
  • 0x3f516:$b: ClientPlugin
  • 0x3f556:$b: ClientPlugin
  • 0x72354:$b: ClientPlugin
  • 0x72556:$b: ClientPlugin
  • 0x72596:$b: ClientPlugin
  • 0x3f43b:$c: ProjectData
  • 0x7247b:$c: ProjectData
  • 0x3fe42:$d: DESCrypto
  • 0x72e82:$d: DESCrypto
  • 0x4780e:$e: KeepAlive

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xe0f5:$a: NanoCore
  • 0xe105:$a: NanoCore
  • 0xe339:$a: NanoCore
  • 0xe34d:$a: NanoCore
  • 0xe38d:$a: NanoCore
  • 0xe154:$b: ClientPlugin
  • 0xe356:$b: ClientPlugin
  • 0xe396:$b: ClientPlugin
  • 0xe27b:$c: ProjectData
  • 0xec82:$d: DESCrypto
  • 0x1664e:$e: KeepAlive
  • 0x1463c:$g: LogClientMessage
  • 0x10837:$i: get_Connected
  • 0xefb8:$j: #=q
  • 0xefe8:$j: #=q
  • 0xf004:$j: #=q
  • 0xf034:$j: #=q
  • 0xf050:$j: #=q
  • 0xf06c:$j: #=q
  • 0xf09c:$j: #=q
  • 0xf0b8:$j: #=q
0.2.uqoYt8EFEWQXAne.exe.2546bb0.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe, ProcessId: 3040, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe', ParentImage: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe, ParentProcessId: 7160, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp', ProcessId: 3984

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe | ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: uqoYt8EFEWQXAne.exe | Virustotal: Detection: 42%
Source: uqoYt8EFEWQXAne.exe | ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: uqoYt8EFEWQXAne.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: uqoYt8EFEWQXAne.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: uqoYt8EFEWQXAne.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 185.239.242.243:2010
Source: global traffic | TCP traffic: 192.168.2.4:49745 -> 185.239.242.243:2010
Source: Joe Sandbox View | ASN Name: CLOUDIE-AS-APCloudieLimitedHK
Source: unknown | TCP traffic detected without corresponding DNS query: 185.239.242.243

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: uqoYt8EFEWQXAne.exe, LogIn.cs | Long String: Length: 13656
Source: krPtdhRIieabB.exe.0.dr, LogIn.cs | Long String: Length: 13656
Source: 0.2.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 0.0.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 4.0.uqoYt8EFEWQXAne.exe.700000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_00B9C508
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_00B99990
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D396F8
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D30040
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D30D90
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D33278
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D33269
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D3301A
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D33028
Source: uqoYt8EFEWQXAne.exe | Binary or memory string: OriginalFilename vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000000.635181214.0000000000152000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIsolatedStorageFilePermissionAttribute.exe6 vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.673360016.0000000008E20000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.673360016.0000000008E20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.673206890.0000000008D30000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.669486065.0000000006B40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.669605854.0000000006CC0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe, 00000004.00000000.659785837.0000000000702000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIsolatedStorageFilePermissionAttribute.exe6 vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe | Binary or memory string: OriginalFilenameIsolatedStorageFilePermissionAttribute.exe6 vs uqoYt8EFEWQXAne.exe
Source: uqoYt8EFEWQXAne.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: uqoYt8EFEWQXAne.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: krPtdhRIieabB.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: uqoYt8EFEWQXAne.exe, LogIn.csBase64 encoded string: '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
            Source: krPtdhRIieabB.exe.0.dr, LogIn.csBase64 encoded string: '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
            Source: 0.2.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.csBase64 encoded string: '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
            Source: 0.0.uqoYt8EFEWQXAne.exe.150000.0.unpack, LogIn.csBase64 encoded string: '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
            Source: 4.0.uqoYt8EFEWQXAne.exe.700000.0.unpack, LogIn.csBase64 encoded string: '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
            Source: classification engineClassification label: mal100.troj.evad.winEXE@6/8@0/1
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeFile created: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exeJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4680:120:WilError_01
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeMutant created: \Sessions\1\BaseNamedObjects\KDtpJHnhkvnJksKbat
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{9e8dc517-1111-49c1-9ace-3da1a887c465}
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeFile created: C:\Users\user\AppData\Local\Temp\tmp975D.tmpJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: uqoYt8EFEWQXAne.exe | Virustotal: Detection: 42%
            Source: uqoYt8EFEWQXAne.exe | ReversingLabs: Detection: 31%
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File read: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
            Source: unknown | Process created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe 'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe'
            Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Process created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: uqoYt8EFEWQXAne.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: uqoYt8EFEWQXAne.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: uqoYt8EFEWQXAne.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: krPtdhRIieabB.exe.0.dr, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.uqoYt8EFEWQXAne.exe.150000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.uqoYt8EFEWQXAne.exe.150000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.uqoYt8EFEWQXAne.exe.700000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D365EC push eax; retf 0_2_06D365ED
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Code function: 0_2_06D36DEC push eax; ret 0_2_06D36DED
            Source: initial sample | Static PE information: section name: .text entropy: 7.49785747568
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File created: C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File opened: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara match | File source: 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
            Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.2546bb0.1.raw.unpack, type: UNPACKEDPE
            Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Window / User API: threadDelayed 4363
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Window / User API: threadDelayed 5112
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Window / User API: foregroundWindowGot 653
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Window / User API: foregroundWindowGot 783
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe TID: 7164 | Thread sleep time: -103651s >= -30000s
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe TID: 4660 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe TID: 5112 | Thread sleep time: -15679732462653109s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp | Binary or memory string: k%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp | Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware T
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp | Binary or memory string: VMWARE
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp | Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware T<
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp | Binary or memory string: k"SOFTWARE\VMware, Inc.\VMware Tools
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Memory written: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Process created: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct (15 occurrences)
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct (15 occurrences)
            Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct (15 occurrences)

            Stealing of Sensitive Information:

            Yara detected Nanocore RAT
            Source: Yara match | File source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
            Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Detected Nanocore Rat
            Source: uqoYt8EFEWQXAne.exe, 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
            Yara detected Nanocore RAT
            Source: Yara match | File source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: uqoYt8EFEWQXAne.exe PID: 7160, type: MEMORY
            Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.uqoYt8EFEWQXAne.exe.37c33c0.4.raw.unpack, type: UNPACKEDPE

            Mitre Att&ck Matrix

            Digits appended to a technique name are the signature-count badges rendered in the original matrix cells.

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation11 | Scheduled Task/Job1 | Process Injection111 | Masquerading1 | OS Credential Dumping | Security Software Discovery321 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Virtualization/Sandbox Evasion13 | LSASS Memory | Virtualization/Sandbox Evasion13 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection111 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information21 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
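            The behavior rows above mix a long run of low-value events (volume-information queries on every installed font and on GAC assemblies, which a .NET process that loads System.Drawing produces while enumerating fonts) with the two that matter for the matrix: the repeated ROOT\SecurityCenter2 WMI queries (Security Software Discovery) and the read of the MachineGuid registry value, a stable per-install identifier that serves as a host fingerprint. The triage helper below is an added example written for this page, not part of the Joe Sandbox report or of the sample; it parses rows in the "Source: <process> <action>: <detail>" shape printed above (a "|" between process and action is tolerated), buckets them so the font noise is counted but never drives the verdict, tallies which SecurityCenter2 classes were enumerated, and maps the security-relevant buckets to ATT&CK technique IDs. The ATT&CK IDs are the standard ones for the named techniques (the matrix above lists names only); the sample rows at the bottom are constructed in the report's row format rather than copied from it.

```python
import re
from collections import Counter

# One behavior row: "Source: <process> <action>: <detail>", optionally "Source: <process> | <action>: <detail>"
LINE_RE = re.compile(
    r"^Source:\s+(?P<src>.+?)\s+(?:\|\s+)?"
    r"(?P<action>Queries volume information|Key value queried|WMI Queries):\s+"
    r"(?P<detail>.+?)\s*$"
)
# Class name in "SELECT DisplayName FROM AntiVirusProduct"
WMI_CLASS_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

# Bucket -> ATT&CK technique IDs (standard IDs; the matrix above lists names only)
TECHNIQUES = {
    "securitycenter2_wmi": ("T1518.001", "T1047"),  # Security Software Discovery, WMI
    "machineguid_query": ("T1012", "T1082"),        # Query Registry, System Information Discovery
}


def parse_line(line):
    """Return (source, action, detail) for a behavior row, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("src"), m.group("action"), m.group("detail")


def classify(action, detail):
    """Bucket one parsed row.

    Volume-information rows on fonts and GAC assemblies get their own buckets so
    their volume stays visible but never drives the verdict: a .NET process that
    loads System.Drawing produces them while enumerating installed fonts.
    """
    d = detail.lower()
    if action == "WMI Queries" and "securitycenter2" in d:
        return "securitycenter2_wmi"
    if action == "Key value queried" and d.endswith("machineguid"):
        return "machineguid_query"
    if action == "Queries volume information":
        if "\\fonts\\" in d:
            return "font_volume_info"
        if "\\microsoft.net\\assembly\\" in d:
            return "dotnet_assembly_volume_info"
        return "other_volume_info"
    return "other"


def triage(log_text):
    """Summarise a block of behavior rows: bucket counts, SecurityCenter2 classes,
    sorted ATT&CK IDs and human-readable flags."""
    counts, wmi_classes, techniques = Counter(), Counter(), set()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # headings, widget residue, blank lines
        _src, action, detail = parsed
        bucket = classify(action, detail)
        counts[bucket] += 1
        techniques.update(TECHNIQUES.get(bucket, ()))
        if bucket == "securitycenter2_wmi":
            m = WMI_CLASS_RE.search(detail)
            if m:
                wmi_classes[m.group(1)] += 1
    flags = []
    if counts["securitycenter2_wmi"]:
        flags.append("enumerates AV/antispyware/firewall products via ROOT\\SecurityCenter2")
    if counts["machineguid_query"]:
        flags.append("reads HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid (stable per-install host ID)")
    if counts["securitycenter2_wmi"] and counts["machineguid_query"]:
        flags.append("host fingerprinting and security-software discovery from the same process")
    return {"counts": counts, "wmi_classes": wmi_classes,
            "techniques": sorted(techniques), "flags": flags}


# Constructed sample in the report's row format (a few representative rows, not the
# full list from the report). Raw string so the Windows paths need no escaping.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
barindex
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

            Feed it the behavior section of a report (copied as text) and read the flags before the counts: on this sample the font rows outnumber everything else by an order of magnitude, but they carry no signal, whereas one SecurityCenter2 query plus one MachineGuid read from an unsigned user-profile executable is the combination worth escalating.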

            Behavior Graph


            Screenshots


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label | Link
            uqoYt8EFEWQXAne.exe | 43% | Virustotal | | Browse
            uqoYt8EFEWQXAne.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
            uqoYt8EFEWQXAne.exe | 100% | Joe Sandbox ML | |

            Dropped Files

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe | 100% | Joe Sandbox ML | |
            C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label | Link
            http://en.wxK | 0% | Avira URL Cloud | safe |
            http://www.founder.com.cn/cnO | 0% | Avira URL Cloud | safe |
            http://www.founder.com.cn/cnN | 0% | Avira URL Cloud | safe |
            http://www.fontbureau.comF | 0% | URL Reputation (×4) | safe |
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (×4) | safe |
            http://www.founder.com.cn/cnL | 0% | Avira URL Cloud | safe |
            http://www.fontbureau.comgritaSOR | 0% | Avira URL Cloud | safe |
            http://www.fontbureau.comm=OD | 0% | Avira URL Cloud | safe |
            http://www.tiro.com | 0% | URL Reputation (×3) | safe |
            http://www.goodfont.co.kr | 0% | URL Reputation (×3) | safe |
            http://www.carterandcone.coml | 0% | URL Reputation (×3) | safe |
            http://www.founder.com.cn/cnmr_= | 0% | Avira URL Cloud | safe |
            http://www.sajatypeworks.com | 0% | URL Reputation (×3) | safe |
            http://www.founder.com.cn/cn/ | 0% | URL Reputation (×3) | safe |
            http://www.typography.netD | 0% | URL Reputation (×3) | safe |
            http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (×3) | safe |
            http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (×3) | safe |
            http://fontfabrik.com | 0% | URL Reputation (×3) | safe |
            http://www.founder.com.cn/cn | 0% | URL Reputation (×3) | safe |
            http://www.ascendercorp.com/typedesigners.htmlmq | 0% | Avira URL Cloud | safe |
            http://www.monotype. | 0% | URL Reputation (×3) | safe |
            http://www.sajatypeworks.comZ | 0% | Avira URL Cloud | safe |
            http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (×3) | safe |
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (×3) | safe |
            http://www.sandoll.co.kr | 0% | URL Reputation (×3) | safe |
            http://www.urwpp.deDPlease | 0% | URL Reputation (×3) | safe |
            http://www.zhongyicts.com.cn | 0% | URL Reputation (×3) | safe |
            http://www.sajatypeworks.come | 0% | URL Reputation (×3) | safe |
            http://www.sakkal.com | 0% | URL Reputation (×3) | safe |

            (×n) = the same row is listed n times in the scanner output. The URLs are font-vendor strings carried in the embedded font metadata and are not contacted by the sample; see "Contacted Domains" below.

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://en.wxK | uqoYt8EFEWQXAne.exe, 00000000.00000003.638312128.00000000054D5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.founder.com.cn/cnO | uqoYt8EFEWQXAne.exe, 00000000.00000003.640183149.0000000000BAD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.founder.com.cn/cnN | uqoYt8EFEWQXAne.exe, 00000000.00000003.640183149.0000000000BAD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.apache.org/licenses/LICENSE-2.0 | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | | high
            http://www.fontbureau.com | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | | high
            http://www.fontbureau.com/designersG | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | | high
            http://www.fontbureau.comF | uqoYt8EFEWQXAne.exe, 00000000.00000003.660725626.00000000054D0000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
            http://www.fontbureau.com/designers/? | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | | high
            http://www.founder.com.cn/cn/bThe | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
            http://www.founder.com.cn/cnL | uqoYt8EFEWQXAne.exe, 00000000.00000003.640371685.00000000054D7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.comgritaSOR | uqoYt8EFEWQXAne.exe, 00000000.00000003.660725626.00000000054D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.fontbureau.com/designers? | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | | high
            http://www.fontbureau.comm=OD | uqoYt8EFEWQXAne.exe, 00000000.00000003.660725626.00000000054D0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
            http://www.tiro.com | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp; uqoYt8EFEWQXAne.exe, 00000000.00000003.639384165.00000000054EB000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
            http://www.fontbureau.com/designers | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | | high
            http://www.goodfont.co.kr | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
            https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | uqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp | false | | high
            http://www.carterandcone.coml | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
            http://www.founder.com.cn/cnmr_= | uqoYt8EFEWQXAne.exe, 00000000.00000003.640101915.00000000054DE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.sajatypeworks.com | uqoYt8EFEWQXAne.exe, 00000000.00000003.637920168.00000000054D3000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
            http://www.founder.com.cn/cn/ | uqoYt8EFEWQXAne.exe, 00000000.00000003.640101915.00000000054DE000.00000004.00000001.sdmp; uqoYt8EFEWQXAne.exe, 00000000.00000003.640686280.00000000054D8000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
            http://www.typography.netD | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
            http://www.fontbureau.com/designers/cabarga.htmlN | uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmp | false | | high
                            http://www.founder.com.cn/cn/cTheuqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.founder.com.cn/cnnuqoYt8EFEWQXAne.exe, 00000000.00000003.640371685.00000000054D7000.00000004.00000001.sdmpfalse
                              unknown
                              http://www.galapagosdesign.com/staff/dennis.htmuqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://fontfabrik.comuqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cnuqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/frere-user.htmluqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                                high
                                http://www.ascendercorp.com/typedesigners.htmlmquqoYt8EFEWQXAne.exe, 00000000.00000003.642649855.000000000550D000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.monotype.uqoYt8EFEWQXAne.exe, 00000000.00000003.644430876.0000000005505000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.sajatypeworks.comZuqoYt8EFEWQXAne.exe, 00000000.00000003.637920168.00000000054D3000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.galapagosdesign.com/DPleaseuqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers8uqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.fonts.comuqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.sandoll.co.kruqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deDPleaseuqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.zhongyicts.com.cnuqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameuqoYt8EFEWQXAne.exe, 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.sajatypeworks.comeuqoYt8EFEWQXAne.exe, 00000000.00000003.637920168.00000000054D3000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.sakkal.comuqoYt8EFEWQXAne.exe, 00000000.00000002.667376898.0000000005640000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown

                                      Contacted IPs


                                      Public

IP: 185.239.242.243
Domain: unknown
Country: Moldova Republic of
ASN: 55933
ASN Name: CLOUDIE-AS-AP Cloudie Limited HK
Malicious: true

                                      General Information

                                      Joe Sandbox Version:31.0.0 Emerald
                                      Analysis ID:356642
                                      Start date:23.02.2021
                                      Start time:13:53:10
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 6m 23s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:uqoYt8EFEWQXAne.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:16
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@6/8@0/1
                                      EGA Information:Failed
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 83%
                                      • Number of executed functions: 24
                                      • Number of non-executed functions: 7
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                      Simulations

                                      Behavior and APIs

Time | Type | Description
13:54:00 | API Interceptor | 961x Sleep call for process: uqoYt8EFEWQXAne.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

Match: CLOUDIE-AS-AP Cloudie Limited HK
Associated Sample Name / URL | Detection | Context
New Order 2021.exe | malicious | 185.239.242.107
SecuriteInfo.com.Variant.Bulz.361092.25830.exe | malicious | 185.239.242.107
drWcfynA5k.exe | malicious | 185.239.242.107
i5Z2XIR5k8.exe | malicious | 185.239.242.107
receipt.doc | malicious | 185.239.242.107
Purchase Order KVRQ-743012021.doc | malicious | 185.239.242.107
902178.rtf | malicious | 185.239.242.107
22urmvdx0H.exe | malicious | 185.239.242.107
Vendor from.doc | malicious | 185.239.242.107
Proforma Invoice.doc | malicious | 185.239.242.107
order170221.exe | malicious | 185.239.242.107
SecuriteInfo.com.Variant.Bulz.361092.7175.exe | malicious | 185.239.242.107
SWIFT COPY $27,078.exe | malicious | 185.239.242.107
kellyx.exe | malicious | 185.239.242.107
SWIFT COPY 27078.exe | malicious | 185.239.242.107
Payment Advice 170221.exe | malicious | 185.239.242.107
ENQUIRY.doc | malicious | 185.239.242.107
SecuriteInfo.com.generic.ml.exe | malicious | 185.239.242.107
Payment Receipt.jar | malicious | 185.239.242.107
Paymentadvise.doc | malicious | 185.239.242.107

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uqoYt8EFEWQXAne.exe.log
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):1406
                                      Entropy (8bit):5.341099307467139
                                      Encrypted:false
                                      SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
                                      MD5:E5FA1A53BA6D70E18192AF6AF7CFDBFA
                                      SHA1:1C076481F11366751B8DA795C98A54DE8D1D82D5
                                      SHA-256:1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
                                      SHA-512:77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
                                      Malicious:true
                                      Reputation:moderate, very likely benign file
                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                      C:\Users\user\AppData\Local\Temp\tmp975D.tmp
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1646
                                      Entropy (8bit):5.174690949576107
                                      Encrypted:false
                                      SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGNtn:cbhK79lNQR/rydbz9I3YODOLNdq3W
                                      MD5:126E3B613474ECAA1D9907447AB29E73
                                      SHA1:484AA9F88B924751F236851738B17072A41FAB62
                                      SHA-256:6A3C2131197E5AF173FBE5A0211853F0E6AFED2B1ABDE4129151564B99E60A9F
                                      SHA-512:38C29CE66994092539C130FDF57548FB8B328612F904F59E66BFC120A49C0189B8DD7F600F74B7D2FAD1840440456D0E910382C91B31113ED23EEF06118EA893
                                      Malicious:true
                                      Reputation:low
                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1624
                                      Entropy (8bit):7.024371743172393
                                      Encrypted:false
                                      SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC08
                                      MD5:0D79388CEC6619D612C2088173BB6741
                                      SHA1:8A312E3198009C545D0CF3254572189D29A03EA7
                                      SHA-256:D7D423B23D932E306F3CCB2F7A984B7036A042C007A43FD655C6B57B960BB8DF
                                      SHA-512:53BB3E9263DFD746E7E8159466E220E6EC9D81E9D3F0E1D191E09CD511B7EB93B0BA65D13CE0C97C652ECD0F69BB991E6B1840F961BC65003C4DD7AA93EEDA13
                                      Malicious:false
                                      Reputation:low
                                      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):8
                                      Entropy (8bit):3.0
                                      Encrypted:false
                                      SSDEEP:3:qi:qi
                                      MD5:BF504F3876526A01296886A5B4AEE886
                                      SHA1:56FCA050A19081209B611D03FFC486A68B9C368F
                                      SHA-256:DE7C120694DBBFA99B23C197184A0EB2E427EB8934FAD9A699FFC25741118CCC
                                      SHA-512:8D33452D421AEDB9C81F051DAD52A6E1B807FF26779D77790CD57E93E7772CE3AEBCE8067F1F1124B9B7C6AD82CF89EDBDD3F1F37FBD0FA0C9637000FF493FDD
                                      Malicious:true
                                      Reputation:low
                                      Preview: 7......H
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):40
                                      Entropy (8bit):5.153055907333276
                                      Encrypted:false
                                      SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                      MD5:4E5E92E2369688041CC82EF9650EDED2
                                      SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                      SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                      SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):327432
                                      Entropy (8bit):7.99938831605763
                                      Encrypted:true
                                      SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                      MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                      SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                      SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                      SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                      C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):527872
                                      Entropy (8bit):7.482730571721643
                                      Encrypted:false
                                      SSDEEP:12288:r+3HmKMLTOvaFESR5s87FvE4N4zjtx0qm5eINJPvu:aH4L5dR5s87FvOjtxhm5eIrnu
                                      MD5:C415765EF678428F502B101039B7D495
                                      SHA1:E5458FF58B98401D715A68A67AFABDEFAAF2EDC3
                                      SHA-256:C024E649AFAAFD4D1A1EBC2C5A2C457EECD2B5994C2B78E32312EB5289B5C093
                                      SHA-512:859DEB240D2E8EE1B5CC057AA63B0F8D49FEC83619B4C346821B09EFA5B9FCA01FB85396045658860468107F9A19A8710DB85C2C7B299351F6225C64034F2D8C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 32%
                                      Reputation:low
                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .4`..............P.................. ... ....@.. .......................`............@.................................h...O.... ..P....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H........x...S...............J...........................................0............(....(..........(.....o ....*.....................(!......("......(#......($......(%....*N..(....o....(&....*&..('....*.s(........s)........s*........s+........s,........*....0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....+..*.0......
                                      C:\Users\user\AppData\Roaming\krPtdhRIieabB.exe:Zone.Identifier
                                      Process:C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview: [ZoneTransfer]....ZoneId=0
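The dropped-file records above carry several indicators a responder checks by hand: krPtdhRIieabB.exe has exactly the MD5/SHA-1/SHA-256 of the submitted sample (a self-copy into %AppData%\Roaming); a GUID-named directory received catalog.dat, run.dat, settings.bin and a 327 KB storage.dat whose entropy of 7.9994 is as close to 8.0 as a file gets; the Zone.Identifier stream was written with ZoneId=0 instead of the Internet zone; and tmp975D.tmp is a Task Scheduler definition with an enabled LogonTrigger. The script below is an added example, not part of the Joe Sandbox report: it runs those checks over records transcribed from the table. The Zone.Identifier bytes and the task XML are reconstructed from the previews (the XML only as far as the preview shows, without its declaration), and the entropy threshold and the GUID-directory heuristic are my own choices.

```python
"""Added example (not from the Joe Sandbox report): triage of the dropped files above.
Records are transcribed from the report; the Zone.Identifier stream and the task XML are
reconstructed from the previews (XML only as far as shown, declaration omitted);
the entropy threshold and the GUID-directory heuristic are my own choices."""
import configparser
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

SAMPLE_SHA256 = "c024e649afaafd4d1a1ebc2c5a2c457eecd2b5994c2b78e32312eb5289b5c093"
ROAMING = r"C:\Users\user\AppData\Roaming"
GUID_DIR = ROAMING + r"\D06ED635-68F6-4E9A-955C-4899F5F57B9A"
# (path, size, reported 8-bit entropy, SHA-256) as listed in "Created / dropped Files".
DROPPED = [
    (r"C:\Users\user\AppData\Local\Temp\tmp975D.tmp", 1646, 5.17,
     "6a3c2131197e5af173fbe5a0211853f0e6afed2b1abde4129151564b99e60a9f"),
    (GUID_DIR + r"\catalog.dat", 1624, 7.02,
     "d7d423b23d932e306f3ccb2f7a984b7036a042c007a43fd655c6b57b960bb8df"),
    (GUID_DIR + r"\run.dat", 8, 3.0,
     "de7c120694dbbfa99b23c197184a0eb2e427eb8934fad9a699ffc25741118ccc"),
    (GUID_DIR + r"\settings.bin", 40, 5.15,
     "f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48"),
    (GUID_DIR + r"\storage.dat", 327432, 7.9994,
     "0bd3aac12623520c4e2031c8b96b4a154702f36f97f643158e91e987d317b480"),
    (ROAMING + r"\krPtdhRIieabB.exe", 527872, 7.48,
     "c024e649afaafd4d1a1ebc2c5a2c457eecd2b5994c2b78e32312eb5289b5c093"),
]
# Reconstructed from the preview "[ZoneTransfer]....ZoneId=0"; 26 bytes, the reported size.
ZONE_IDENTIFIER_ADS = b"[ZoneTransfer]\r\nZoneId=0\r\n"
# Reconstructed from the tmp975D.tmp preview, closed after the last elements it shows.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>computer\\user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>computer\\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>computer\\user</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel>
  </Principal></Principals>
  <Settings><MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy></Settings>
</Task>"""
GUID_RE = re.compile(r"\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\", re.I)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; this is the measure behind the report's "Entropy (8bit)"."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())


def self_copies(records, sample_sha256=SAMPLE_SHA256):
    """Dropped files hashing identically to the submitted sample: the binary copying itself."""
    return [p for p, _, _, sha in records if sha.lower() == sample_sha256.lower()]


def guid_artifact_dirs(records, min_files=3):
    """GUID-named directories that received several files (heuristic, my own threshold)."""
    by_dir = defaultdict(list)
    for path, _, _, _ in records:
        if GUID_RE.search(path):
            d, name = path.rsplit("\\", 1)
            by_dir[d].append(name)
    return {d: names for d, names in by_dir.items() if len(names) >= min_files}


def likely_encrypted(records, threshold=7.9):
    """Reported entropy at or above the threshold marks an encrypted or compressed blob."""
    return [p for p, _, ent, _ in records if ent >= threshold]


def zone_id(ads: bytes) -> int:
    """ZoneId of a Zone.Identifier stream: 3 is Internet; 0 (local machine) hides the download."""
    cp = configparser.ConfigParser()
    cp.read_string(ads.decode("ascii"))
    return cp.getint("ZoneTransfer", "ZoneId")


def task_persistence(xml_text: str) -> dict:
    """Persistence-relevant fields of a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    enabled = root.findtext("t:Triggers/t:LogonTrigger/t:Enabled", default="", namespaces=NS)
    return {"logon_trigger": enabled.strip().lower() == "true",
            "user": root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS),
            "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)}


def triage(records=DROPPED, ads=ZONE_IDENTIFIER_ADS, task_xml=TASK_XML) -> list:
    findings = [f"self-copy of the sample: {p}" for p in self_copies(records)]
    findings += [f"GUID artifact directory {d}: {', '.join(n)}" for d, n in guid_artifact_dirs(records).items()]
    findings += [f"high-entropy blob, likely encrypted: {p}" for p in likely_encrypted(records)]
    if zone_id(ads) == 0:
        findings.append("Zone.Identifier written with ZoneId=0: Mark-of-the-Web suppressed")
    task = task_persistence(task_xml)
    if task["logon_trigger"]:
        findings.append(f"scheduled task fires at logon for {task['user']} ({task['run_level']})")
    return findings


if __name__ == "__main__":
    print("\n".join(triage()))
```

On a live host the same checks run against the real artifacts: hash the files under %AppData%\Roaming, read the `:Zone.Identifier` stream of the dropped executable, and export the registered task with `schtasks /query /xml` before feeding it to task_persistence. Note that the ZoneId=0 value is the reason the report flags "Hides that the sample has been downloaded from the Internet": a normally downloaded file carries ZoneId=3.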

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.482730571721643
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:uqoYt8EFEWQXAne.exe
                                      File size:527872
                                      MD5:c415765ef678428f502b101039b7d495
                                      SHA1:e5458ff58b98401d715a68a67afabdefaaf2edc3
                                      SHA256:c024e649afaafd4d1a1ebc2c5a2c457eecd2b5994c2b78e32312eb5289b5c093
                                      SHA512:859deb240d2e8ee1b5cc057aa63b0f8d49fec83619b4c346821b09efa5b9fca01fb85396045658860468107f9a19a8710db85c2c7b299351f6225c64034f2d8c
                                      SSDEEP:12288:r+3HmKMLTOvaFESR5s87FvE4N4zjtx0qm5eINJPvu:aH4L5dR5s87FvOjtxhm5eIrnu
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .4`..............P.................. ... ....@.. .......................`............@................................

                                      File Icon

                                      Icon Hash:00828e8e8686b000

                                      Static PE Info

                                      General

                                      Entrypoint:0x4816ba
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x60349B20 [Tue Feb 23 06:05:20 2021 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:v4.0.30319
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al   (repeated 97 times: the rest of the preview is zero bytes, which decode to this instruction)

                                      Data Directories

                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x81668 | 0x4f | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x1050 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                      Sections

                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0x7f6c0 | 0x7f800 | False | 0.772669653799 | data | 7.49785747568 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x82000 | 0x1050 | 0x1200 | False | 0.361979166667 | data | 4.73273150028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x84000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name | RVA | Size | Type | Language | Country
                                      RT_VERSION | 0x82090 | 0x39c | data | |
                                      RT_MANIFEST | 0x8243c | 0xc0f | XML 1.0 document, UTF-8 Unicode (with BOM) text | |

                                      Imports

                                      DLL | Import
                                      mscoree.dll | _CorExeMain

                                      Version Infos

                                      Description | Data
                                      Translation | 0x0000 0x04b0
                                      LegalCopyright | Copyright 2018
                                      Assembly Version | 1.0.0.0
                                      InternalName | IsolatedStorageFilePermissionAttribute.exe
                                      FileVersion | 1.0.0.0
                                      CompanyName |
                                      LegalTrademarks |
                                      Comments |
                                      ProductName | RegisterVB
                                      ProductVersion | 1.0.0.0
                                      FileDescription | RegisterVB
                                      OriginalFilename | IsolatedStorageFilePermissionAttribute.exe

                                      Network Behavior

                                      Snort IDS Alerts

                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                      02/23/21-13:54:08.510703 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:54:15.977491 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:54:22.849012 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:54:28.855800 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:54:34.873087 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:54:41.879231 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:54:49.259735 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:54:55.260046 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:55:01.369094 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:55:07.366934 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:55:13.420841 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:55:20.360587 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49779 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:55:25.416649 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49780 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:55:30.452441 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:55:36.509869 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:55:43.477164 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:55:49.502138 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
                                      02/23/21-13:55:56.520609 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49787 | 2010 | 192.168.2.4 | 185.239.242.243

                                      Network Port Distribution

                                      TCP Packets

                                      Feb 23, 2021 13:54:09.915163040 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:09.915201902 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:09.919004917 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.079411983 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079473019 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079513073 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079552889 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079591036 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079603910 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.079634905 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079658031 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.079675913 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079685926 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.079725027 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079768896 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079807997 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079822063 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.079847097 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079854965 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.079888105 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079926014 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079963923 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.079969883 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080003023 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080007076 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080051899 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080094099 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080132961 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080171108 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080183029 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080210924 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080248117 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080259085 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080287933 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080327034 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080374002 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080379009 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080416918 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080455065 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080456018 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080495119 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080533981 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080558062 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080571890 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080578089 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080612898 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080651045 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080672026 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080699921 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080743074 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080754042 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080781937 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080820084 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080857992 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080868959 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080895901 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080899000 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.080938101 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.080976963 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.081017971 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.081022978 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.081065893 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.081068039 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.081105947 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.081144094 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.081182003 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.081186056 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.081218958 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.081223011 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.081258059 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.082428932 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.082473040 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.082530975 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.082585096 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.245985985 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246046066 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246087074 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246130943 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246165991 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246193886 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246208906 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246229887 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246231079 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246248960 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246268988 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246304989 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246340036 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246345997 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246376991 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246377945 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246413946 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246457100 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246495962 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246499062 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246531963 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246535063 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246623039 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246660948 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246696949 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246711016 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246733904 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246756077 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246781111 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246820927 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246856928 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246866941 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246893883 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246921062 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.246946096 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.246980906 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247016907 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247028112 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.247052908 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247057915 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.247097969 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247137070 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247173071 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247184992 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.247210026 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247226954 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.247247934 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247282982 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247319937 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247330904 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.247355938 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.247371912 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.292285919 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.637494087 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.656565905 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800403118 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800461054 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800499916 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800538063 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800550938 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800573111 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800576925 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800581932 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800618887 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800621986 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800661087 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800676107 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800697088 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800721884 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800740004 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800755024 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800779104 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800791025 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800813913 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800847054 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800851107 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800868988 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800887108 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800899029 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.800931931 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800977945 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.800988913 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801013947 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801022053 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801052094 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801057100 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801089048 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801110029 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801126003 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801139116 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801163912 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801168919 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801199913 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801214933 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801245928 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801259041 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801286936 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801295042 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801322937 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801335096 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801359892 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801371098 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801418066 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801425934 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801465988 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801500082 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801502943 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801516056 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801537037 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801539898 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801573038 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801598072 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801616907 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801629066 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801656961 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801665068 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801693916 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801729918 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801729918 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801764965 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801772118 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801799059 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801800966 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801832914 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801837921 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801875114 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801918030 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801951885 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801959038 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.801974058 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.801997900 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.802017927 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.802036047 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.802048922 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.802073956 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.802090883 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.802109957 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.802126884 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.802148104 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.802160978 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.802184105 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.802227020 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.802251101 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.802268028 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.802309036 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.802463055 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.863271952 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.965688944 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.965751886 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.965791941 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.965831041 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.965869904 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.965908051 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.965910912 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.965945959 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.965948105 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.965967894 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.965991020 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966038942 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966080904 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966084003 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.966120005 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966124058 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.966160059 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966197968 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966204882 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.966237068 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966275930 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966315031 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966319084 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.966355085 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:10.966363907 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966408968 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966445923 CET201049745185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:10.966495991 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:11.732888937 CET497452010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:15.810425997 CET497472010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:15.976615906 CET201049747185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:15.976800919 CET497472010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:15.977490902 CET497472010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:54:16.158289909 CET201049747185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:54:16.158742905 CET497472010192.168.2.4185.239.242.243
Feb 23, 2021 13:54:16.321866035 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:16.323055983 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:16.549125910 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:16.683912992 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:16.755769968 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:16.808425903 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:16.848364115 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:16.848474979 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:17.051039934 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:17.051142931 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:17.214591026 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:17.261617899 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:17.328572035 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:17.426146984 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:17.480375051 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:17.537431002 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:17.537568092 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:17.744294882 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:17.785660982 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:17.993863106 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:17.994647026 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:18.197137117 CET | 2010 | 49747 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:18.680510998 CET | 49747 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:22.685023069 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:22.848138094 CET | 2010 | 49750 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:22.848259926 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:22.849011898 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:23.034111023 CET | 2010 | 49750 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:23.034370899 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:23.200613976 CET | 2010 | 49750 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:23.207963943 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:23.411294937 CET | 2010 | 49750 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:23.686619997 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:23.754199982 CET | 2010 | 49750 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:23.809231043 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:23.850589037 CET | 2010 | 49750 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:23.850809097 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:24.054430962 CET | 2010 | 49750 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:24.054728031 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:24.218554020 CET | 2010 | 49750 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:24.263272047 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:24.426949024 CET | 2010 | 49750 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:24.484180927 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:24.669403076 CET | 49750 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:28.685653925 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:28.851267099 CET | 2010 | 49751 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:28.855333090 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:28.855799913 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:29.040810108 CET | 2010 | 49751 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:29.041064978 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:29.207505941 CET | 2010 | 49751 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:29.211389065 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:29.422267914 CET | 2010 | 49751 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:29.644238949 CET | 2010 | 49751 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:29.645298004 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:29.809638023 CET | 2010 | 49751 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:29.809921980 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:30.015218019 CET | 2010 | 49751 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:30.015491962 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:30.180634975 CET | 2010 | 49751 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:30.231431961 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:30.396317959 CET | 2010 | 49751 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:30.450210094 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:30.669572115 CET | 49751 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:34.686048031 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:34.872294903 CET | 2010 | 49759 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:34.872435093 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:34.873086929 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:35.060211897 CET | 2010 | 49759 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:35.060542107 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:35.249448061 CET | 2010 | 49759 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:35.251523018 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:35.460777044 CET | 2010 | 49759 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:35.667747974 CET | 2010 | 49759 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:35.668781042 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:35.831418991 CET | 2010 | 49759 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:35.831819057 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:36.036761045 CET | 2010 | 49759 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:36.036883116 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:36.200562954 CET | 2010 | 49759 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:36.247631073 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:36.424155951 CET | 2010 | 49759 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:36.466358900 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:36.686816931 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:36.890773058 CET | 2010 | 49759 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:37.685868979 CET | 49759 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:41.706126928 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:41.878086090 CET | 2010 | 49764 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:41.878279924 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:41.879230976 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:42.083384991 CET | 2010 | 49764 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:42.083748102 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:42.252368927 CET | 2010 | 49764 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:42.253637075 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:42.461122036 CET | 2010 | 49764 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:42.681694984 CET | 2010 | 49764 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:42.697776079 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:42.860893011 CET | 2010 | 49764 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:42.861177921 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:43.069880962 CET | 2010 | 49764 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:43.069957018 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:43.232822895 CET | 2010 | 49764 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:43.279494047 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:43.443311930 CET | 2010 | 49764 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:43.499912024 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:44.429539919 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:44.647197008 CET | 2010 | 49764 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:45.077225924 CET | 49764 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:49.093868971 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:49.258137941 CET | 2010 | 49766 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:49.258384943 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:49.259735107 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:49.444813013 CET | 2010 | 49766 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:49.445252895 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:49.625507116 CET | 2010 | 49766 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:49.627044916 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:49.832050085 CET | 2010 | 49766 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:50.021789074 CET | 2010 | 49766 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:50.022804022 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:50.189043045 CET | 2010 | 49766 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:50.189172983 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:50.396214008 CET | 2010 | 49766 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:50.396362066 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:50.560992956 CET | 2010 | 49766 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:50.608117104 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:50.772780895 CET | 2010 | 49766 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:50.826926947 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:51.077627897 CET | 49766 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:55.094453096 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:55.258371115 CET | 2010 | 49775 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:55.258514881 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:55.260046005 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:55.441144943 CET | 2010 | 49775 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:55.441551924 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:55.607892990 CET | 2010 | 49775 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:55.610049963 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:55.813414097 CET | 2010 | 49775 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:56.036890984 CET | 2010 | 49775 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:56.049880981 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:56.212753057 CET | 2010 | 49775 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:56.212847948 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:56.416414022 CET | 2010 | 49775 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:56.416774035 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:56.582155943 CET | 2010 | 49775 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:56.624347925 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:56.787134886 CET | 2010 | 49775 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:54:56.843298912 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:54:57.186846972 CET | 49775 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:01.203969955 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:01.368153095 CET | 2010 | 49776 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:01.369066000 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:01.369093895 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:01.543734074 CET | 2010 | 49776 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:01.547710896 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:01.731451035 CET | 2010 | 49776 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:01.733371019 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:01.936225891 CET | 2010 | 49776 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:02.144244909 CET | 2010 | 49776 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:02.146465063 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:02.308902025 CET | 2010 | 49776 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:02.309428930 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:02.514210939 CET | 2010 | 49776 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:02.514874935 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:02.539657116 CET | 2010 | 49776 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:02.593931913 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:02.719080925 CET | 2010 | 49776 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:02.757622004 CET | 2010 | 49776 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:02.812819004 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:03.172924995 CET | 49776 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:07.196212053 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:07.359493971 CET | 2010 | 49777 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:07.359778881 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:07.366934061 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:07.552839994 CET | 2010 | 49777 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:07.558509111 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:07.722738981 CET | 2010 | 49777 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:07.725910902 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:07.931282997 CET | 2010 | 49777 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:08.146059990 CET | 2010 | 49777 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:08.148507118 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:08.311168909 CET | 2010 | 49777 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:08.311501980 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:08.516020060 CET | 2010 | 49777 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:08.516134024 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:08.681785107 CET | 2010 | 49777 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:08.734635115 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:08.982965946 CET | 2010 | 49777 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:08.983318090 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:09.188920975 CET | 49777 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:13.206538916 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:13.369210958 CET | 2010 | 49778 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:13.369337082 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:13.420840979 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:13.609957933 CET | 2010 | 49778 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:13.610714912 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:13.773756981 CET | 2010 | 49778 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:13.776175976 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:13.978760004 CET | 2010 | 49778 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:14.181904078 CET | 2010 | 49778 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:14.235140085 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:14.368058920 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:14.399142981 CET | 2010 | 49778 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:14.399482965 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:14.563771009 CET | 2010 | 49778 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:14.563844919 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:14.728326082 CET | 2010 | 49778 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:14.782085896 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:14.948374033 CET | 2010 | 49778 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:15.000948906 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:15.195650101 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:15.399444103 CET | 2010 | 49778 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:16.179851055 CET | 49778 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:20.191427946 CET | 49779 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:20.359671116 CET | 2010 | 49779 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:20.359883070 CET | 49779 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:20.360586882 CET | 49779 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:20.532648087 CET | 2010 | 49779 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:20.579447985 CET | 49779 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:20.743527889 CET | 2010 | 49779 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:20.749521971 CET | 49779 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:20.940855026 CET | 2010 | 49779 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:20.947187901 CET | 49779 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:21.153331041 CET | 2010 | 49779 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:21.236496925 CET | 49779 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:25.252919912 CET | 49780 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:25.415865898 CET | 2010 | 49780 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:25.416085958 CET | 49780 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:25.416649103 CET | 49780 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:25.581650972 CET | 2010 | 49780 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:25.626714945 CET | 49780 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:25.791918039 CET | 2010 | 49780 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:25.800775051 CET | 49780 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:25.967003107 CET | 2010 | 49780 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:25.968208075 CET | 49780 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:26.173696995 CET | 2010 | 49780 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:26.268085003 CET | 49780 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:30.288259983 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:30.451128006 CET | 2010 | 49783 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:30.451323032 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:30.452440977 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:30.634643078 CET | 2010 | 49783 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:30.636323929 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:30.803469896 CET | 2010 | 49783 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:30.824909925 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:31.030383110 CET | 2010 | 49783 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:31.255284071 CET | 2010 | 49783 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:31.257539988 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:31.421472073 CET | 2010 | 49783 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:31.421766043 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:31.626213074 CET | 2010 | 49783 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:31.626481056 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:31.791466951 CET | 2010 | 49783 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:31.846021891 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:32.008636951 CET | 2010 | 49783 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:32.049169064 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:32.277978897 CET | 49783 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:36.333142042 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:36.506804943 CET | 2010 | 49784 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:36.506937981 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:36.509869099 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:36.688261032 CET | 2010 | 49784 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:36.700660944 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:36.865864992 CET | 2010 | 49784 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:36.868555069 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:37.088985920 CET | 2010 | 49784 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:37.310750961 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:37.514697075 CET | 2010 | 49784 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:37.519840002 CET | 2010 | 49784 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:37.521321058 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:37.686743021 CET | 2010 | 49784 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:37.703299046 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:37.866302967 CET | 2010 | 49784 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:37.866398096 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:38.030775070 CET | 2010 | 49784 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:38.080871105 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:38.306664944 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:38.511347055 CET | 2010 | 49784 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:39.289906025 CET | 49784 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:43.312376022 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:43.475737095 CET | 2010 | 49785 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:43.475924015 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:43.477164030 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:43.659507990 CET | 2010 | 49785 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:43.660347939 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:43.823278904 CET | 2010 | 49785 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:43.824415922 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:44.030361891 CET | 2010 | 49785 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:44.239887953 CET | 2010 | 49785 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:44.241925001 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:44.407073975 CET | 2010 | 49785 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:44.407195091 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:44.613610983 CET | 2010 | 49785 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:44.615272999 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:44.778479099 CET | 2010 | 49785 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:44.831473112 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:44.995904922 CET | 2010 | 49785 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:45.050201893 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:45.309077978 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:45.371823072 CET | 2010 | 49785 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:45.373537064 CET | 49785 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:49.319154024 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:49.487262964 CET | 2010 | 49786 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:49.487490892 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:49.502137899 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:49.678723097 CET | 2010 | 49786 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:49.738107920 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:50.254395962 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:50.420955896 CET | 2010 | 49786 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:50.421169996 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:50.625021935 CET | 2010 | 49786 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:50.625199080 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:50.827964067 CET | 2010 | 49786 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:51.036526918 CET | 2010 | 49786 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:51.037955999 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:51.201050997 CET | 2010 | 49786 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:51.203557014 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:51.367057085 CET | 2010 | 49786 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:51.367348909 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:51.533485889 CET | 2010 | 49786 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:51.582206964 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:52.333306074 CET | 49786 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:56.354091883 CET | 49787 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:56.517050028 CET | 2010 | 49787 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:56.519495964 CET | 49787 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:56.520608902 CET | 49787 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:56.699038982 CET | 2010 | 49787 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:56.701020956 CET | 49787 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:56.863995075 CET | 2010 | 49787 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:56.865137100 CET | 49787 | 2010 | 192.168.2.4 | 185.239.242.243
Feb 23, 2021 13:55:57.068087101 CET | 2010 | 49787 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:57.269239902 CET | 2010 | 49787 | 185.239.242.243 | 192.168.2.4
Feb 23, 2021 13:55:57.270541906 CET | 49787 | 2010 | 192.168.2.4 | 185.239.242.243
                                      Feb 23, 2021 13:55:57.433166027 CET201049787185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:55:57.433244944 CET497872010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:55:57.642014027 CET201049787185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:55:57.643672943 CET497872010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:55:57.806595087 CET201049787185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:55:57.848121881 CET497872010192.168.2.4185.239.242.243
                                      Feb 23, 2021 13:55:58.010920048 CET201049787185.239.242.243192.168.2.4
                                      Feb 23, 2021 13:55:58.051259041 CET497872010192.168.2.4185.239.242.243

                                      Code Manipulations

                                      Statistics

                                      CPU Usage

                                      Memory Usage

                                      High Level Behavior Distribution

                                      Behavior

                                      System Behavior

                                      General

                                      Start time: 13:53:52
                                      Start date: 23/02/2021
                                      Path: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      Wow64 process (32bit): true
                                      Commandline: 'C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe'
                                      Imagebase: 0x150000
                                      File size: 527872 bytes
                                      MD5 hash: C415765EF678428F502B101039B7D495
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: .Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.661591930.0000000002511000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.661683281.0000000002599000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, Author: Florian Roth
                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.662828873.0000000003794000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                      Reputation: low

                                      General

                                      Start time: 13:54:03
                                      Start date: 23/02/2021
                                      Path: C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit): true
                                      Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\krPtdhRIieabB' /XML 'C:\Users\user\AppData\Local\Temp\tmp975D.tmp'
                                      Imagebase: 0xa00000
                                      File size: 185856 bytes
                                      MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      General

                                      Start time: 13:54:03
                                      Start date: 23/02/2021
                                      Path: C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit): false
                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase: 0x7ff724c50000
                                      File size: 625664 bytes
                                      MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: C, C++ or other language
                                      Reputation: high

                                      General

                                      Start time: 13:54:04
                                      Start date: 23/02/2021
                                      Path: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      Wow64 process (32bit): true
                                      Commandline: C:\Users\user\Desktop\uqoYt8EFEWQXAne.exe
                                      Imagebase: 0x700000
                                      File size: 527872 bytes
                                      MD5 hash: C415765EF678428F502B101039B7D495
                                      Has elevated privileges: true
                                      Has administrator privileges: true
                                      Programmed in: .Net C# or VB.NET
                                      Reputation: low

                                      Disassembly

                                      Code Analysis

                                        Executed Functions

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9302801bb2206bbd0acc763140858a7b2bd23eae3dc529c491766dd29c313d6e
                                        • Instruction ID: 38e2a79879b5a8da88a33b5ac5eb78fcdb4f9a8c3dee7f0ec8d9df695a946acb
                                        • Opcode Fuzzy Hash: 9302801bb2206bbd0acc763140858a7b2bd23eae3dc529c491766dd29c313d6e
                                        • Instruction Fuzzy Hash: 0B725E71A001299FDB54DFA9C884AAEBBF6FF88304F158069E805DB355DB34DD42CB91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 73e99d14a1b1fc328da3e445d797b14b7110d01e2edbb9a82daa6c0188e1a553
                                        • Instruction ID: b466788340907da98fddb41932ac2ce1c278acdae2d1ea16d11f61c9652dd49e
                                        • Opcode Fuzzy Hash: 73e99d14a1b1fc328da3e445d797b14b7110d01e2edbb9a82daa6c0188e1a553
                                        • Instruction Fuzzy Hash: 36912670E042688FDB44DFA9C5946AEBBF2FF88314F15C12AD458AB345E7749941CFA0
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D3B386
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 2c11657bfd7e5692efc97797035b8efe3b2a85456a2188e1964fc1911cbdf002
                                        • Instruction ID: 0c14756e291906ae2fa61f0335f1db3a903ac356ff57b21f0ef923116e670a13
                                        • Opcode Fuzzy Hash: 2c11657bfd7e5692efc97797035b8efe3b2a85456a2188e1964fc1911cbdf002
                                        • Instruction Fuzzy Hash: E9917B71D00229CFDF60CFA8C9817EDBBB2BF58314F14856AE819A7250DB749985CF91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661501803.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 53f6c109a70be30d60b412b272d5292c690d3f76baf1b718b65ce60c18a57c55
                                        • Instruction ID: b3c6d3adef96092f722e4643fb89b5d5398d1d1667c827e5cfb313362454b3f4
                                        • Opcode Fuzzy Hash: 53f6c109a70be30d60b412b272d5292c690d3f76baf1b718b65ce60c18a57c55
                                        • Instruction Fuzzy Hash: 87712470A00B059FDB24DF2AE141B5AB7F1FF88304F108A6DD55ADBA50DB75E8098F91
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B9DD8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661501803.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        • Opcode ID: 4585ba02a7cb7dd9a8bc618e61cb8445410a8c927799a56a748ebc054809fd90
                                        • Instruction ID: 0f46cd4c0afe46a9dc483640434c8e30d22ec507169edcff0760aaf681b0b617
                                        • Opcode Fuzzy Hash: 4585ba02a7cb7dd9a8bc618e61cb8445410a8c927799a56a748ebc054809fd90
                                        • Instruction Fuzzy Hash: EE519FB1D002099FDF14CFAAC884ADEBBF5FF48314F24816AE819AB211D7749945CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B9DD8A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661501803.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        • Opcode ID: 498fa782d1ab31e39c78185de2259d893bb62ab8fae7fa6721e42b1c16a1201d
                                        • Instruction ID: 529edc82396bbf0f6f216f8bc2101554fab620b2125427515e9b9f85d951099d
                                        • Opcode Fuzzy Hash: 498fa782d1ab31e39c78185de2259d893bb62ab8fae7fa6721e42b1c16a1201d
                                        • Instruction Fuzzy Hash: 9E519FB1D002099FDF14CFAAD884ADEBBB5FF48314F24856AE419AB210D7749985CF90
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D3AF58
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 6350dd449a5b10f00f51decc8eab05d101872a47274e28b199942a61b66a51d1
                                        • Instruction ID: 421036927037c4050e454502e3c19bf28a482aceaa782d4fe6c374d6a2a5cf3d
                                        • Opcode Fuzzy Hash: 6350dd449a5b10f00f51decc8eab05d101872a47274e28b199942a61b66a51d1
                                        • Instruction Fuzzy Hash: E72127B19003599FCF50CFA9C884BEEBBF5FF48314F14842AE958A7250C778A954CBA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B96D86,?,?,?,?,?), ref: 00B96E47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661501803.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 1582a318391127f624d708a32e709875cf8457aa0631ca42171dce35074e3b37
                                        • Instruction ID: 16e7ea7c594a62777a335508bc976f63f39aa9e7ada0ac2d7e951fd124aea531
                                        • Opcode Fuzzy Hash: 1582a318391127f624d708a32e709875cf8457aa0631ca42171dce35074e3b37
                                        • Instruction Fuzzy Hash: 0921B5B59042489FDF10CF9AD884ADEBBF4EB48324F14846AE914B7310D374A954CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B96D86,?,?,?,?,?), ref: 00B96E47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661501803.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 80bcc0c8287d3b28c7df6398b1a1fbacb2e470e2e5c1d367a72bf4b103220f5f
                                        • Instruction ID: a5599012666f22203f8e74dd0293b487898570177a00facf9377a4249d2540b3
                                        • Opcode Fuzzy Hash: 80bcc0c8287d3b28c7df6398b1a1fbacb2e470e2e5c1d367a72bf4b103220f5f
                                        • Instruction Fuzzy Hash: 1221E4B5D00208EFDF10CFAAD884ADEBBF4EB48324F14842AE914A7310C374A945CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D3B038
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 48561985302ec4cae3e974aadd4d86dc5f6c391e6cfb8cd247d529e50afb3f30
                                        • Instruction ID: 14c0d7c41b44a82b20dd3d8434e53b489b754bfe4edd61b86226a88a9da9634f
                                        • Opcode Fuzzy Hash: 48561985302ec4cae3e974aadd4d86dc5f6c391e6cfb8cd247d529e50afb3f30
                                        • Instruction Fuzzy Hash: 052128718002599FCB10CFAAC880BEEBBF5FF48314F50842AE528A7250C7789945CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 06D3ADAE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID: ContextThread
                                        • String ID:
                                        • API String ID: 1591575202-0
                                        • Opcode ID: aaea5ef1b9fdbf6317434f03f2f972cafafe800f83232ecbc1a2dcfebeed37cb
                                        • Instruction ID: c938bedd8c27072092284cf6d133addacdafbda6ba459ae4d52f9057d2ad2469
                                        • Opcode Fuzzy Hash: aaea5ef1b9fdbf6317434f03f2f972cafafe800f83232ecbc1a2dcfebeed37cb
                                        • Instruction Fuzzy Hash: B1213571D042188FDB50CFAAC4847EEBBF4EF88224F14842AD959A7240DB78A945CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B9BE89,00000800,00000000,00000000), ref: 00B9C09A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661501803.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 0dbe1db50659f2f1b2be269cfc9416ba7414b9b0884926d9d7cf7d7444fcd006
                                        • Instruction ID: e5148d632e2af64ddca96ee8d1d5bfb89e1e90aa783bc3cc19a27f191f8e0da5
                                        • Opcode Fuzzy Hash: 0dbe1db50659f2f1b2be269cfc9416ba7414b9b0884926d9d7cf7d7444fcd006
                                        • Instruction Fuzzy Hash: A71103B6904208DFDB10CF9AD444BDEBBF4EB48364F14846ED415B7610C375A945CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B9BE89,00000800,00000000,00000000), ref: 00B9C09A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661501803.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                        Similarity
                                        • API ID: LibraryLoad
                                        • String ID:
                                        • API String ID: 1029625771-0
                                        • Opcode ID: 2661ce000251a6f78f22a43830a6b8577c7afc28a64a2a6f0cf81a75a8783c5e
                                        • Instruction ID: dad95f1191f734d96ea593a285993e5eaadf6f1740be643e1f50999a4a21b044
                                        • Opcode Fuzzy Hash: 2661ce000251a6f78f22a43830a6b8577c7afc28a64a2a6f0cf81a75a8783c5e
                                        • Instruction Fuzzy Hash: 741114B6800209DFDB10CFAAD884BDEFBF4EB88324F14852AD415A7610C775A946CFA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D3AE76
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 33bed7c5f4e559d2f15dda08257ad0577064f4a01890eaae4f36dcec159e2a8d
                                        • Instruction ID: 7ef6459c032a51dbc89afdebf2da6715cc85236d2273cd50a800f8b7e059a169
                                        • Opcode Fuzzy Hash: 33bed7c5f4e559d2f15dda08257ad0577064f4a01890eaae4f36dcec159e2a8d
                                        • Instruction Fuzzy Hash: 931137729042589FCF10DFAAC844BEFBBF5EF88324F148419E525A7250C779A944CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00B9BBDB), ref: 00B9BE0E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661501803.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 0fdc233882ca54942345b87973071a067e0a3afd8025035a9d679df8bd6836a8
                                        • Instruction ID: 498994940c28dde43b7712721284a5a0cd924b14311cafff9c3ea9024dba4303
                                        • Opcode Fuzzy Hash: 0fdc233882ca54942345b87973071a067e0a3afd8025035a9d679df8bd6836a8
                                        • Instruction Fuzzy Hash: 5F11F0B68046498FDB10CF9AD544BDEBBF4EF88324F14846AD919A7600C374A945CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 6a687876e3a12ae97c83d55a8347f15d350699ca0ba56b59937912b88684d3ca
                                        • Instruction ID: 3e41f715e7e29cc697ff1044384b0aaadea7aed6e9849e298581a0e2c370524e
                                        • Opcode Fuzzy Hash: 6a687876e3a12ae97c83d55a8347f15d350699ca0ba56b59937912b88684d3ca
                                        • Instruction Fuzzy Hash: 74113671D042588FDB10DFAAC8447EEFBF4AB88224F14842AD529A7250CB79A944CFA1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661346573.000000000088D000.00000040.00000001.sdmp, Offset: 0088D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a2a9076ad6d0d1e830bf36ec30a3235b05e2dd5724850e01cd096f785e07d039
                                        • Instruction ID: 3a7ebe3d98bbd83ec83594cf12988aa637a1cfaef2feea5ffb3bafb80b5e78b6
                                        • Opcode Fuzzy Hash: a2a9076ad6d0d1e830bf36ec30a3235b05e2dd5724850e01cd096f785e07d039
                                        • Instruction Fuzzy Hash: 952137B1504344EFCF05EF50D9C0B26BB65FB98324F24C569E9098B286C336E856C7A1
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661364870.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: df3d78e33182b50b041d2aff49cace402380653ebe717e7359377bb42119e500
                                        • Instruction ID: a0f2a3abeb41697d0efc40577db99182182e527afb610111b8c074eefb3c7491
                                        • Opcode Fuzzy Hash: df3d78e33182b50b041d2aff49cace402380653ebe717e7359377bb42119e500
                                        • Instruction Fuzzy Hash: DB21F571604744DFDF14EF14D8C4B26BB65FB88318F28C569D80A8B346C73AD847CA61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661364870.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 896e12f3fe7325362b565ee4ea3a6019e131471818a917d6176b8c10729ede31
                                        • Instruction ID: 9aba18f33f82738c4e106007066e336658243e4c7a409b7c8252ea1ba4bfee8b
                                        • Opcode Fuzzy Hash: 896e12f3fe7325362b565ee4ea3a6019e131471818a917d6176b8c10729ede31
                                        • Instruction Fuzzy Hash: 90210771504344EFDF05EF90D9C0B26BB65FB88318F28C56DE8098B346C736E846CA61
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661346573.000000000088D000.00000040.00000001.sdmp, Offset: 0088D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                        • Instruction ID: f8090836d065dd5843ac59b9ecb093872e08050e5af3f0b6918ba3ed2ce0bfa9
                                        • Opcode Fuzzy Hash: 15e00ab0180662b097a36b170ee5e0122ef9b813bbc53ef17b167e6fd8fb8d96
                                        • Instruction Fuzzy Hash: E411B176404380DFCB01DF10D5C4B16BF72FB94320F24C6A9D8494B656C33AE856CBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661364870.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
                                        • Instruction ID: a3232d02de43d08255742225f5df74a745448928bbcf6fb3878e969f8c2bfd7b
                                        • Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
                                        • Instruction Fuzzy Hash: 82118B75904380DFCF11DF50D5C4B15BBB1FB84324F28C6AAD8498B696C33AE84ACB62
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661364870.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
                                        • Instruction ID: a72a1e519a608131e3ba4d82a299c81f47f41a2f818f60e8ce068915b7fa549a
                                        • Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
                                        • Instruction Fuzzy Hash: 70118B75508780DFDF11DF14D5C4B15BBA1FB84324F28C6AAD8498B656C33AD84ACBA2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661346573.000000000088D000.00000040.00000001.sdmp, Offset: 0088D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b9656aa18cacaec63a8177b55bf0975ca1254f9e38827160a9e89b0e543f394
                                        • Instruction ID: b6c0f8c20642973b64e96799d0b0434f7db614454fb3735be001eca5d789a36a
                                        • Opcode Fuzzy Hash: 7b9656aa18cacaec63a8177b55bf0975ca1254f9e38827160a9e89b0e543f394
                                        • Instruction Fuzzy Hash: BE012671008344AEE720BE12DD80B66FBD8FF55728F18C81AED048B2C6C7789844C7B2
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661346573.000000000088D000.00000040.00000001.sdmp, Offset: 0088D000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 906aa358f4f882fbf2b648e02714bbd51bbcbc80a8ac50ebc76780bf7a91f84e
                                        • Instruction ID: 1077a30f57c1f6d914962026893606a342b5b16a7afff8dfc325c250b1bbbc8a
                                        • Opcode Fuzzy Hash: 906aa358f4f882fbf2b648e02714bbd51bbcbc80a8ac50ebc76780bf7a91f84e
                                        • Instruction Fuzzy Hash: 8DF062714043849EEB209A16CC84B62FBA8EB51734F18C95AED189B286C3799C45CBB1
                                        Uniqueness

                                        Uniqueness Score: -1.00%
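
A triage helper for the function listing above, added here as an example; it is not code from the sandbox vendor or from the report itself. It parses records in the form shown (Memory Dump Source, Similarity, Uniqueness), decodes the dump base address and page protection from the .sdmp file name, and then pulls out the two things a practitioner wants from this section: functions that live in PAGE_EXECUTE_READWRITE memory which is not a mapped PE image (the 0088D000, 0089D000, 00B90000 and 06D30000 dumps above, the usual home of unpacked or injected code), and Opcode IDs that recur with different Instruction IDs (the two 0089D000 records above). Assumptions: the dotted layout of the .sdmp name (process index, dump kind, counter, base address, page protection, flags) is inferred from the names on this page rather than from vendor documentation; reading Opcode ID as an opcode-only hash and Instruction ID as an operand-inclusive hash is inferred from the records where the former matches and the latter differs; the sample input is three records copied from the listing with blank lines removed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}  # winnt.h values
# ASSUMPTION (inferred from the file names on this page, not from vendor documentation): .sdmp name =
# <process index>.<dump kind>.<counter>.<base address>.<page protection>.<flags>.sdmp
SDMP_RE = re.compile(r"^\d{8}\.\d{8}\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
SOURCE_RE = re.compile(r"^• Source File: ([^,]+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
FIELD_RE = re.compile(r"^• ([^:]+):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score: (-?[\d.]+)%$")
SKIP = {"Memory Dump Source", "Similarity", "Uniqueness"}  # label lines carrying no value


@dataclass
class FunctionRecord:
    section: str                   # listing sub-heading, e.g. "Non-executed Functions"
    source_file: str
    offset: int
    based_on_pe: bool              # False: the dump is not a mapped PE image (heap/RWX blob)
    fields: dict = field(default_factory=dict)  # API ID, Opcode ID, Instruction ID, ...
    uniqueness: float | None = None             # None when the report prints -1.00%

    def dump_info(self) -> tuple[int | None, str | None]:
        """(base address, page protection) decoded from the .sdmp file name."""
        m = SDMP_RE.match(self.source_file)
        return (int(m.group(1), 16), PAGE_PROTECTION.get(int(m.group(2), 16))) if m else (None, None)


def parse_records(text: str) -> list[FunctionRecord]:
    """One record per 'Source File' line; any other bare line is a sub-heading of the listing."""
    records, section, cur = [], "Executed Functions", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in SKIP:
            continue
        if m := SOURCE_RE.match(line):
            cur = FunctionRecord(section, m.group(1), int(m.group(2), 16), m.group(3) == "true")
            records.append(cur)
        elif m := SCORE_RE.match(line):
            cur.uniqueness = None if float(m.group(1)) < 0 else float(m.group(1))
        elif m := FIELD_RE.match(line):
            cur.fields[m.group(1)] = m.group(2)   # empty value kept as "" (no API/string refs)
        else:
            section = line
    return records


def rwx_non_image(records: list[FunctionRecord]) -> list[FunctionRecord]:
    """Functions in PAGE_EXECUTE_READWRITE memory that is not a mapped image: where unpacked or
    injected code ends up, so these are the dumps to carve and run Yara over first."""
    return [r for r in records if not r.based_on_pe and r.dump_info()[1] == "PAGE_EXECUTE_READWRITE"]


def shared_opcode_ids(records: list[FunctionRecord]) -> dict[str, set[str]]:
    """Opcode IDs paired with more than one Instruction ID: the opcode-only hash matches while the
    operand-inclusive hash differs, i.e. one function body seen with different addresses/immediates."""
    seen: dict[str, set[str]] = {}
    for r in records:
        seen.setdefault(r.fields.get("Opcode ID", ""), set()).add(r.fields.get("Instruction ID", ""))
    return {op: ids for op, ids in seen.items() if op and len(ids) > 1}


# Constructed sample input: three records copied from the listing on this page (blank lines removed).
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.661364870.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
• Instruction ID: a3232d02de43d08255742225f5df74a745448928bbcf6fb3878e969f8c2bfd7b
• Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
• Instruction Fuzzy Hash: 82118B75904380DFCF11DF50D5C4B15BBB1FB84324F28C6AAD8498B696C33AE84ACB62
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.661364870.000000000089D000.00000040.00000001.sdmp, Offset: 0089D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
• Instruction ID: a72a1e519a608131e3ba4d82a299c81f47f41a2f818f60e8ce068915b7fa549a
• Opcode Fuzzy Hash: 7d36124553d90c539148c45a8a93ecca56ad8a74831c1bc612bfc5b4ddcdf7be
• Instruction Fuzzy Hash: 70118B75508780DFDF11DF14D5C4B15BBA1FB84324F28C6AAD8498B656C33AD84ACBA2
Uniqueness
Uniqueness Score: -1.00%
Non-executed Functions
Memory Dump Source
• Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ea4eb17e58cc42e3bed9f411ca35cadec3048d185d481d708b43a54565f2d5d
• Instruction ID: a9bc5453a57eed5f36f6121c58af278d1b2f8797e585e6edf81de519970ff5c0
• Opcode Fuzzy Hash: 3ea4eb17e58cc42e3bed9f411ca35cadec3048d185d481d708b43a54565f2d5d
• Instruction Fuzzy Hash: 4D824930A0022A9FDB94CF68C984AAEBBF2FF49314F158559E455DB3A1C730ED41CBA5
Uniqueness
Uniqueness Score: -1.00%
"""
```

To use it on the full report, replace SAMPLE with the saved text of the listing and call parse_records on it; a Uniqueness Score of -1.00% is treated as "not computed" rather than as a real score. Regions that rwx_non_image returns (RWX, based on PE: false) are the ones to dump and scan, which lines up with the "Injects a PE file into a foreign processes" and "Yara detected Nanocore RAT" signatures at the top of this report.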

                                        Non-executed Functions

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3ea4eb17e58cc42e3bed9f411ca35cadec3048d185d481d708b43a54565f2d5d
                                        • Instruction ID: a9bc5453a57eed5f36f6121c58af278d1b2f8797e585e6edf81de519970ff5c0
                                        • Opcode Fuzzy Hash: 3ea4eb17e58cc42e3bed9f411ca35cadec3048d185d481d708b43a54565f2d5d
                                        • Instruction Fuzzy Hash: 4D824930A0022A9FDB94CF68C984AAEBBF2FF49314F158559E455DB3A1C730ED41CBA5
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661501803.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8a6ede1d97123df76105b294e688c351387d0f5ba3428da6fb6970f47135d67b
                                        • Instruction ID: f26646efdf9fba90a10fbb48eef3b08ebf4dc7c943d10c8011dfe8926cc54258
                                        • Opcode Fuzzy Hash: 8a6ede1d97123df76105b294e688c351387d0f5ba3428da6fb6970f47135d67b
                                        • Instruction Fuzzy Hash: C7A14E32E006198FCF15DFA5D9849DDBBF2FF89300B1585BAE905BB221EB35A945CB40
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.661501803.0000000000B90000.00000040.00000001.sdmp, Offset: 00B90000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e990731619a8d6868e1637aa57520e802adcb27e9acc5a623563b81c34aac9b5
                                        • Instruction ID: 27b53b7a6c01c81e68df9b2969efba4546ce37c5ecbe87caab6a5561acf5c936
                                        • Opcode Fuzzy Hash: e990731619a8d6868e1637aa57520e802adcb27e9acc5a623563b81c34aac9b5
                                        • Instruction Fuzzy Hash: 80C109B141A766ABD710CF66E8881897F71FB94338F924228D1616B6E1D7BC384ACF44
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 51d631a608a18dced367a9e88266255dcf079eebbe056774eba1c6df2601624d
                                        • Instruction ID: f291fb53f9f28b4d649cff5904a4fcb2ee78d6fdbdd7bd17fe52bbd4c6aca358
                                        • Opcode Fuzzy Hash: 51d631a608a18dced367a9e88266255dcf079eebbe056774eba1c6df2601624d
                                        • Instruction Fuzzy Hash: 27514170D012499FDB44EF79E451A9E7BF2EB8D308F05C52AD0149B368EB74690ACB82
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ec96d548bc9e1a12e2e854701db36f07330a8c879d88318e2c9a757f646eb233
                                        • Instruction ID: 63efbd692f7c38b1da6e989ff9ffebd0f2773ce83bfe832c43421d465b10b213
                                        • Opcode Fuzzy Hash: ec96d548bc9e1a12e2e854701db36f07330a8c879d88318e2c9a757f646eb233
                                        • Instruction Fuzzy Hash: 4F5131709012499FDB44EF79E451A9E7BF2EF8D308F05C529D0049B368EB786D0ACB81
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f06eb890a7984c722afe467b5fa77ca44cfb17b64b2334696e386d1e9acd0956
                                        • Instruction ID: 0fe58f61d76d899e4756501f7901c399c27fcf450946fd77c455bfc4253ebdff
                                        • Opcode Fuzzy Hash: f06eb890a7984c722afe467b5fa77ca44cfb17b64b2334696e386d1e9acd0956
                                        • Instruction Fuzzy Hash: 3841F0B1E056688BEB5CCF6BCD4078EFAF7AFC9200F14C5BA854DAA255DB3005868F15
                                        Uniqueness

                                        Uniqueness Score: -1.00%

                                        Memory Dump Source
                                        • Source File: 00000000.00000002.669924744.0000000006D30000.00000040.00000001.sdmp, Offset: 06D30000, based on PE: false
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fe86ee8cdc4883c9dc9444222ecbb98a6277fac5de025aa89437ca83ef048c21
                                        • Instruction ID: ee589626405126c203a551eb7882e6d2e2b7d5469b1a9c10f6361bab106a2d6a
                                        • Opcode Fuzzy Hash: fe86ee8cdc4883c9dc9444222ecbb98a6277fac5de025aa89437ca83ef048c21
                                        • Instruction Fuzzy Hash: 644102B1E056588BEB5CCF678D4068EFAF7AFC9200F14C5BA894D6A255EF3005468F15
                                        Uniqueness

                                        Uniqueness Score: -1.00%