Analysis Report V33QokMrIv.exe

Overview

General Information

Sample Name: V33QokMrIv.exe
Analysis ID: 357184
MD5: e18dbe57194dd717d54a907ba8e6d3e1
SHA1: 76bacc8c5fbbf675399c39c42565dfc3d77be98b
SHA256: b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5
Tags: exe, GuLoader

Detection

Detected: NanoCore, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Yara detected Nanocore RAT
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • V33QokMrIv.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\V33QokMrIv.exe' MD5: E18DBE57194DD717D54A907BA8E6D3E1)
    • taskhostw.exe (PID: 6556 cmdline: taskhostw.exe None MD5: CE95E236FC9FE2D6F16C926C75B18BAF)
      • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5496 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5516 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegAsm.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\V33QokMrIv.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
  • RegAsm.exe (PID: 768 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 2936 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • filename1.exe (PID: 6092 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: E18DBE57194DD717D54A907BA8E6D3E1)
  • dhcpmon.exe (PID: 6896 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
    • conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • filename1.exe (PID: 6980 cmdline: 'C:\Users\user\subfolder1\filename1.exe' MD5: E18DBE57194DD717D54A907BA8E6D3E1)
Note: PID 6556 appears twice in the tree (as taskhostw.exe and as RegAsm.exe). RegAsm.exe was started with the dropper's own command line, and the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures together with the Yara hits in RegAsm.exe's memory indicate that the NanoCore payload runs inside that injected RegAsm.exe process; the two schtasks.exe persistence commands are its children.

Malware Configuration

Threatname: NanoCore

{
  "Version": "1.2.2.0",
  "Mutex": "92421eeb-c456-44c2-ab8d-5a66d7e5ab97",
  "Group": "Company",
  "Domain1": "194.5.98.202",
  "Domain2": "",
  "Port": 4488,
  "RunOnStartup": "Enable",
  "RequestElevation": "Disable",
  "BypassUAC": "Enable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4",
  "BypassUserAccountControlData": "<Task Scheduler XML, decoded below>"
}

BypassUserAccountControlData, decoded from the escaped JSON string. This is the Task Scheduler definition carried under the BypassUAC-related key: it has no triggers (so it is started on demand), runs with RunLevel HighestAvailable, and uses #EXECUTABLEPATH as a placeholder for the installed client path. The schtasks.exe commands in the process tree above register tasks named "DHCP Monitor" and "DHCP Monitor Task" from XML files in the user's Temp directory.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>4</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"#EXECUTABLEPATH"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>
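The configuration above is directly usable for hunting: Domain1/Port give the C2 endpoint, the Mutex GUID is the name the client creates under BaseNamedObjects, and the task XML can be parsed to see why the registered task is suspicious. The following is an added example, not Joe Sandbox or NanoCore code. CONFIG copies the keys used from the extracted configuration (Settings in the task XML trimmed to the two elements the check reads); INSTALLED_EXE is an assumption taken from the dhcpmon.exe path in the process tree, substituted for the #EXECUTABLEPATH placeholder.

```python
"""Turn the extracted NanoCore configuration into IOCs you can check on a host.

Added example, not Joe Sandbox or NanoCore code. CONFIG is built from the
report's Malware Configuration section; INSTALLED_EXE is an assumption taken
from the dhcpmon.exe path in the report's process tree.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
INSTALLED_EXE = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"  # assumption

# Task XML from the configuration (Settings trimmed to Hidden/ExecutionTimeLimit).
TASK_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>\r\n'
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">\r\n'
    "  <RegistrationInfo />\r\n"
    "  <Triggers />\r\n"
    "  <Principals>\r\n"
    '    <Principal id="Author">\r\n'
    "      <LogonType>InteractiveToken</LogonType>\r\n"
    "      <RunLevel>HighestAvailable</RunLevel>\r\n"
    "    </Principal>\r\n"
    "  </Principals>\r\n"
    "  <Settings>\r\n"
    "    <Hidden>false</Hidden>\r\n"
    "    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n"
    "  </Settings>\r\n"
    '  <Actions Context="Author">\r\n'
    "    <Exec>\r\n"
    '      <Command>"#EXECUTABLEPATH"</Command>\r\n'
    "      <Arguments>$(Arg0)</Arguments>\r\n"
    "    </Exec>\r\n"
    "  </Actions>\r\n"
    "</Task>"
)

# Constructed from the report's configuration; only the keys used here are kept.
CONFIG = {
    "Mutex": "92421eeb-c456-44c2-ab8d-5a66d7e5ab97",
    "Domain1": "194.5.98.202",
    "Domain2": "",
    "Port": 4488,
    "BypassUAC": "Enable",
    "ClearZoneIdentifier": "Enable",
    "BypassUserAccountControlData": TASK_XML,
}


def c2_endpoints(cfg):
    """Domain1/Domain2 joined with Port; empty slots (Domain2 here) are skipped."""
    return [f"{cfg[key]}:{cfg['Port']}" for key in ("Domain1", "Domain2") if cfg.get(key)]


def mutex_object_name(cfg):
    """The config GUID wrapped in braces under Global\\, which is the name the
    report lists under 'Mutant created' for RegAsm.exe."""
    return "Global\\{" + cfg["Mutex"] + "}"


def render_task(cfg, exe_path):
    """Fill the #EXECUTABLEPATH placeholder as the installed task would read."""
    return cfg["BypassUserAccountControlData"].replace("#EXECUTABLEPATH", exe_path)


def task_findings(task_xml):
    """Parse a Task Scheduler definition and report the traits that matter here:
    elevated run level, no triggers (started on demand) and the command path."""
    # ElementTree rejects a str that declares UTF-16, so drop the XML declaration.
    body = re.sub(r"^<\?xml[^>]*\?>\s*", "", task_xml)
    root = ET.fromstring(body)
    run_level = root.findtext(f"{TASK_NS}Principals/{TASK_NS}Principal/{TASK_NS}RunLevel")
    triggers = root.find(f"{TASK_NS}Triggers")
    command = (root.findtext(f"{TASK_NS}Actions/{TASK_NS}Exec/{TASK_NS}Command") or "").strip('"')
    hidden = root.findtext(f"{TASK_NS}Settings/{TASK_NS}Hidden")
    trigger_count = 0 if triggers is None else len(list(triggers))
    return {
        "run_level": run_level,
        "trigger_count": trigger_count,
        "command": command,
        "hidden": hidden == "true",
        # Heuristic used by this example: elevated and trigger-less is the
        # on-demand elevation pattern, not a normal maintenance task.
        "suspicious": run_level == "HighestAvailable" and trigger_count == 0,
    }


if __name__ == "__main__":
    print("C2:", c2_endpoints(CONFIG))
    print("Mutex:", mutex_object_name(CONFIG))
    print("Task:", task_findings(render_task(CONFIG, INSTALLED_EXE)))
```

The mutex name returned by `mutex_object_name` is what to look for with a handle enumerator on a suspect host; `task_findings` can be pointed at any exported task XML (`schtasks /query /xml`) rather than only this template.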

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: RegAsm.exe PID: 6556 | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
Process Memory Space: RegAsm.exe PID: 6556 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
Process Memory Space: RegAsm.exe PID: 6556 | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x92f9:$a: NanoCore
  • 0x9326:$a: NanoCore
  • 0x937f:$a: NanoCore
  • 0x10b8e:$a: NanoCore
  • 0x10ba1:$a: NanoCore
  • 0x10bd3:$a: NanoCore
  • 0x1a664:$a: NanoCore
  • 0x1a691:$a: NanoCore
  • 0x1a6ea:$a: NanoCore
  • 0x21ef9:$a: NanoCore
  • 0x21f0c:$a: NanoCore
  • 0x21f3e:$a: NanoCore
  • 0x959c8:$a: NanoCore
  • 0x95bf2:$a: NanoCore
  • 0xcbe10:$a: NanoCore
  • 0x147046:$a: NanoCore
  • 0x147270:$a: NanoCore
  • 0x17720b:$a: NanoCore
  • 0x1772ac:$a: NanoCore
  • 0x177319:$a: NanoCore
  • 0x1773da:$a: NanoCore

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.RegAsm.exe.1dd712f8.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
15.2.RegAsm.exe.1dd712f8.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
15.2.RegAsm.exe.1edc7a58.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
15.2.RegAsm.exe.1edc7a58.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
15.2.RegAsm.exe.1edc7a58.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(6 further unpacked-PE matches are not reproduced on this page)

            Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created. Author: Joe Security. Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 6556, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started. Author: Joe Security. Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: taskhostw.exe None, ParentImage: C:\Windows\System32\taskhostw.exe, ParentProcessId: 6556, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp', ProcessId: 5496
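The second Sigma hit is a generic rule, not a NanoCore-specific one: any schtasks.exe /create whose /xml argument points into a Temp directory is worth a look, because legitimate installers keep their task definitions next to the product. The following is an added example of that logic over process-creation records, not Joe Sandbox's rule or engine. EVENTS are constructed: the first two copy the schtasks.exe lines from this report (with the report's single-quote rendering), the last two are benign look-alikes added for contrast.

```python
"""Flag scheduled tasks registered from an XML file in a temp directory.

Added example, not Joe Sandbox's Sigma rule or engine. EVENTS are constructed
process-creation records modelled on the Sigma data in this report.
"""
import re

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def split_cmdline(cmdline):
    """Tokenise a Windows command line. Real logs quote with double quotes; the
    report renders them as single quotes, so both forms are accepted."""
    return [a or b or c for a, b, c in re.findall(r'"([^"]*)"|\'([^\']*)\'|(\S+)', cmdline)]


def option_value(tokens, name):
    """Value following a schtasks option such as /tn or /xml (case-insensitive)."""
    low = [t.lower() for t in tokens]
    if name in low and low.index(name) + 1 < len(tokens):
        return tokens[low.index(name) + 1]
    return None


def scheduled_task_from_temp(event):
    """Return a finding for 'schtasks.exe /create ... /xml <file under Temp>', else None."""
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    tokens = split_cmdline(event.get("CommandLine", ""))
    if "/create" not in (t.lower() for t in tokens):
        return None
    xml_path = option_value(tokens, "/xml")
    if not xml_path or not any(d in xml_path.lower() for d in TEMP_DIRS):
        return None
    return {
        "pid": event["ProcessId"],
        "task_name": option_value(tokens, "/tn"),
        "xml_path": xml_path,
        "parent": event.get("ParentImage"),
        "parent_pid": event.get("ParentProcessId"),
    }


def scan(events):
    return [f for f in map(scheduled_task_from_temp, events) if f]


# Constructed records: two from the report, two benign ones for contrast.
EVENTS = [
    {"ProcessId": 5496, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'",
     "ParentImage": r"C:\Windows\System32\taskhostw.exe", "ParentProcessId": 6556},
    {"ProcessId": 5516, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'",
     "ParentImage": r"C:\Windows\System32\taskhostw.exe", "ParentProcessId": 6556},
    {"ProcessId": 7001, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /create /tn "Nightly Backup" /xml "C:\ProgramData\Backup\nightly.xml"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 4100},
    {"ProcessId": 7002, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"schtasks.exe" /query /tn "DHCP Monitor"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 4100},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Both report lines match; the ProgramData registration and the /query do not. The parent PID in the findings (6556) is the same injected process that the NanoCore Sigma hit attributes run.dat to, which is the join a triage analyst wants when turning these two alerts into one incident.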

            Signature Overview

            AV Detection:

Found malware configuration
Source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp. Malware Configuration Extractor: NanoCore (the full configuration is listed in the Malware Configuration section above)
Yara detected Nanocore RAT
Source: Yara match. File source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
Source: Yara match. File source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE
Source: Yara match. File source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE

            Compliance:

Uses 32bit PE files
Source: V33QokMrIv.exe. Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe. File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbxe2b source: RegAsm.exe, 0000000F.00000003.1174003449.0000000001554000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb source: RegAsm.exe, 0000000F.00000003.1174003449.0000000001554000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.15.dr
Source: Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp

            Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic. Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49766 -> 194.5.98.202:4488
Source: Traffic. Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49767 -> 194.5.98.202:4488
Source: Traffic. Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 194.5.98.202:4488
Source: Traffic. Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 194.5.98.202:4488
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor. URLs: 194.5.98.202
Source: global traffic. TCP traffic: 192.168.2.4:49766 -> 194.5.98.202:4488
Source: Joe Sandbox View. ASN Name: DANILENKODE DANILENKODE
Source: unknown. TCP traffic detected without corresponding DNS query: 194.5.98.202 (50 occurrences)
Source: unknown. DNS traffic detected: queries for: onedrive.live.com
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp. String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp. String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp. String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp. String found in binary or memory: https://ibkebw.dm.files.1drv.com/
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp. String found in binary or memory: https://ibkebw.dm.files.1drv.com/Jep
Source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp, RegAsm.exe, 0000000F.00000002.1191919663.00000000014FB000.00000004.00000020.sdmp. String found in binary or memory: https://ibkebw.dm.files.1drv.com/y4m_7vjlVAP2dktIZ7ToWB_X8Tx5mpxc0CHqB4Dc4Xc8QJNrWia8ZAB0h8vRJGCEryL
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp. String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp. String found in binary or memory: https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P
Source: RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp. String found in binary or memory: https://onedrive.live.com/zZm
Source: RegAsm.exe, 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp. Binary or memory string: RegisterRawInputDevices
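Two network observations above carry most of the signal: the C2 address is contacted repeatedly with no DNS lookup preceding it (it is hard-coded as Domain1 in the configuration), and the destination port, 4488, is not one a browser or updater would use. The following added example, not Joe Sandbox code, implements that correlation over flow and DNS records. The records are constructed: the four C2 flows copy the Snort-alerted connections in this report, the onedrive.live.com lookup mirrors the DNS query the report lists, and its answer address is a TEST-NET placeholder rather than a real Microsoft IP.

```python
"""Flag TCP connections to public addresses that no DNS answer explained.

Added example, not Joe Sandbox code. Flow and DNS records are constructed
from the network observations in this report; 203.0.113.10 is a TEST-NET
placeholder standing in for the real onedrive.live.com answer.
"""
import ipaddress
from collections import Counter

# (timestamp, queried name, answer address)
DNS_ANSWERS = [
    (5.0, "onedrive.live.com", "203.0.113.10"),
]

# (timestamp, src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    (6.0, "192.168.2.4", 49760, "203.0.113.10", 443),   # explained by the lookup above
    (8.0, "192.168.2.4", 49761, "192.168.2.1", 53),     # local, ignored
    (12.0, "192.168.2.4", 49766, "194.5.98.202", 4488),  # the four Snort-alerted C2 flows
    (17.0, "192.168.2.4", 49767, "194.5.98.202", 4488),
    (22.0, "192.168.2.4", 49768, "194.5.98.202", 4488),
    (27.0, "192.168.2.4", 49769, "194.5.98.202", 4488),
]

# Explicit local ranges rather than ipaddress.is_global, so the TEST-NET
# placeholder above is treated as a public address for the example.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]
WELL_KNOWN_PORTS = {80, 443}


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_multicast or any(addr in net for net in LOCAL_NETS)


def resolved_addresses(dns_answers, before_ts):
    """Addresses handed back by DNS at or before before_ts."""
    return {ip for ts, _name, ip in dns_answers if ts <= before_ts}


def unresolved_flows(flows, dns_answers):
    """Connections to public addresses that no earlier DNS answer produced.
    A hard-coded C2 address such as Domain1 in this config shows up here."""
    findings = []
    for ts, _src, sport, dst, dport in flows:
        if is_local(dst) or dst in resolved_addresses(dns_answers, ts):
            continue
        findings.append({
            "ts": ts, "dst": dst, "dport": dport, "src_port": sport,
            "nonstandard_port": dport not in WELL_KNOWN_PORTS,
        })
    return findings


def summarise(findings):
    """Count of unexplained connections per (destination, port)."""
    return Counter((f["dst"], f["dport"]) for f in findings)


if __name__ == "__main__":
    hits = unresolved_flows(FLOWS, DNS_ANSWERS)
    for dst_port, count in summarise(hits).items():
        print(dst_port, count)
```

On the constructed data the only destination left unexplained is 194.5.98.202:4488, four times, matching the four Snort alerts. In production the same join runs over Zeek conn.log and dns.log or equivalent NetFlow and resolver logs, with the well-known-port set tuned to the environment.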

            E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match. File source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match. File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
Source: Yara match. File source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match. File source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE
Source: Yara match. File source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 15.2.RegAsm.exe.1dd712f8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: C:\Users\user\Desktop\V33QokMrIv.exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\subfolder1\filename1.exeProcess Stats: CPU usage > 98%
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_0100723F NtProtectVirtualMemory,15_2_0100723F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 22_2_049101B722_2_049101B7
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 24_2_050101B724_2_050101B7
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 27_2_049A01C827_2_049A01C8
            Source: V33QokMrIv.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: V33QokMrIv.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: V33QokMrIv.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: filename1.exe.15.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: filename1.exe.15.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: filename1.exe.15.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: V33QokMrIv.exe, 00000000.00000000.646684744.0000000000417000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameKARAKTERISTIKONS.exe vs V33QokMrIv.exe
            Source: V33QokMrIv.exeBinary or memory string: OriginalFilenameKARAKTERISTIKONS.exe vs V33QokMrIv.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: V33QokMrIv.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 15.2.RegAsm.exe.1dd712f8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.RegAsm.exe.1dd712f8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: classification engine; Classification label: mal100.troj.evad.winEXE@19/12@2/1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; File created: C:\Program Files (x86)\DHCP Monitor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; File created: C:\Users\user\subfolder1
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_01
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_01
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_01
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{92421eeb-c456-44c2-ab8d-5a66d7e5ab97}
            Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01
            Source: C:\Users\user\Desktop\V33QokMrIv.exe; File created: C:\Users\user\AppData\Local\Temp\~DF65C51E8A0EADE8B5.TMP
            Source: V33QokMrIv.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\V33QokMrIv.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\subfolder1\filename1.exe; Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\Desktop\V33QokMrIv.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; File read: C:\Windows\System32\drivers\etc\hosts
            Source: unknown; Process created: C:\Users\user\Desktop\V33QokMrIv.exe 'C:\Users\user\Desktop\V33QokMrIv.exe'
            Source: unknown; Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
            Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\V33QokMrIv.exe'
            Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
            Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'
            Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
            Source: unknown; Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
            Source: unknown; Process created: C:\Users\user\subfolder1\filename1.exe 'C:\Users\user\subfolder1\filename1.exe'
            Source: unknown; Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
            Source: C:\Users\user\Desktop\V33QokMrIv.exe; Process created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
            Source: Window Recorder; Window detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbxe2b source: RegAsm.exe, 0000000F.00000003.1174003449.0000000001554000.00000004.00000001.sdmp
            Source: Binary string: C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
            Source: Binary string: \??\C:\Windows\dll\System.pdb source: RegAsm.exe, 0000000F.00000003.1174003449.0000000001554000.00000004.00000001.sdmp
            Source: Binary string: C:\Windows\dll\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
            Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
            Source: Binary string: RegAsm.pdb source: dhcpmon.exe, dhcpmon.exe.15.dr
            Source: Binary string: indows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
            Source: Binary string: \??\C:\Windows\System.pdb source: RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp
            Source: Binary string: indows\System.pdbpdbtem.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
            Source: Binary string: C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
            Source: Binary string: System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
            Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp
            Source: Binary string: C:\Windows\System.pdb source: RegAsm.exe, 0000000F.00000002.1212756395.000000001DD55000.00000004.00000040.sdmp

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match; File source: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01007101 push cs; ret 15_2_01007104
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01006105 push cs; ret 15_2_01006108
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01004109 push cs; ret 15_2_0100410C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01003109 push cs; ret 15_2_0100310C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01007111 push cs; ret 15_2_01007114
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01007125 push cs; ret 15_2_01007128
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_0100612D push cs; ret 15_2_01006130
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01004135 push cs; ret 15_2_01004138
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_0100713D push cs; ret 15_2_01007140
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01006141 push cs; ret 15_2_01006144
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_0100614F push cs; ret 15_2_01006150
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01006159 push cs; ret 15_2_0100615C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01007171 push cs; ret 15_2_01007174
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01006175 push cs; ret 15_2_01006178
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01003179 push cs; ret 15_2_0100317C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01006185 push cs; ret 15_2_01006188
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_0100718D push cs; ret 15_2_01007190
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01006199 push cs; ret 15_2_0100619C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010061A9 push cs; ret 15_2_010061AC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010031B5 push cs; ret 15_2_010031B8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010061B5 push cs; ret 15_2_010061B8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010071B5 push cs; ret 15_2_010071B8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010071D1 push cs; ret 15_2_010071D4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010061D5 push cs; ret 15_2_010061D8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010031E5 push cs; ret 15_2_010031E8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010041ED push cs; ret 15_2_010041F0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010041F1 push FFFFFF84h; ret 15_2_010041F7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010071F5 push cs; ret 15_2_010071F8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010041FD push cs; ret 15_2_01004200
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_010061FF push cs; ret 15_2_01006200
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Code function: 15_2_01006001 push cs; ret 15_2_01006004
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; File created: C:\Users\user\subfolder1\filename1.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\V33QokMrIv.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\schtasks.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\subfolder1\filename1.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Detected RDTSC dummy instruction sequence (likely for instruction hammering)
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000626160 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007FCC9C394612h 0x0000000c fnop 0x0000000e jmp 00007FCC9C394612h 0x00000010 test dl, FFFFFF9Ch 0x00000013 jmp 00007FCC9C394612h 0x00000015 test bl, bl 0x00000017 jmp 00007FCC9C394612h 0x00000019 pushad 0x0000001a mov bl, ACh 0x0000001c cmp bl, FFFFFFACh 0x0000001f jne 00007FCC9C391E83h 0x00000025 popad 0x00000026 mov eax, 00000539h 0x0000002b jmp 00007FCC9C394612h 0x0000002d cmp bx, F525h 0x00000032 mov ecx, dword ptr [ebp+1Ch] 0x00000035 mov edx, 8802EDACh 0x0000003a call 00007FCC9C393F5Fh 0x0000003f push esi 0x00000040 push edx 0x00000041 push ecx 0x00000042 jmp 00007FCC9C394612h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000623B7D second address: 0000000000623C11 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c test bx, ax 0x0000000f mov ecx, 00A95F60h 0x00000014 push ecx 0x00000015 jmp 00007FCC9CA33912h 0x00000017 pushad 0x00000018 mov al, 1Eh 0x0000001a cmp al, 1Eh 0x0000001c jne 00007FCC9CA33799h 0x00000022 popad 0x00000023 call 00007FCC9CA33959h 0x00000028 call 00007FCC9CA33918h 0x0000002d lfence 0x00000030 mov edx, dword ptr [7FFE0014h] 0x00000036 lfence 0x00000039 ret 0x0000003a mov esi, edx 0x0000003c pushad 0x0000003d rdtsc
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000623C11 second address: 0000000000623C11 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FCC9C394608h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FCC9C394612h 0x00000020 test dx, cx 0x00000023 add edi, edx 0x00000025 jmp 00007FCC9C394612h 0x00000027 test bh, ah 0x00000029 dec ecx 0x0000002a cmp eax, ecx 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007FCC9C3945AAh 0x00000031 push ecx 0x00000032 jmp 00007FCC9C394612h 0x00000034 pushad 0x00000035 mov al, 1Eh 0x00000037 cmp al, 1Eh 0x00000039 jne 00007FCC9C394499h 0x0000003f popad 0x00000040 call 00007FCC9C394659h 0x00000045 call 00007FCC9C394618h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000624994 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+1Ch] 0x0000000d jmp 00007FCC9C394612h 0x0000000f test ecx, 0CA7638Eh 0x00000015 mov edx, 8B8E133Dh 0x0000001a test ebx, eax 0x0000001c call 00007FCC9C395789h 0x00000021 push esi 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FCC9C394612h 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000624C68 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FCC9CA347D7h 0x0000000f push esi 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007FCC9CA33912h 0x00000014 pushad 0x00000015 lfence 0x00000018 rdtsc
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\V33QokMrIv.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\V33QokMrIv.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: RegAsm.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000626160 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007FCC9C394612h 0x0000000c fnop 0x0000000e jmp 00007FCC9C394612h 0x00000010 test dl, FFFFFF9Ch 0x00000013 jmp 00007FCC9C394612h 0x00000015 test bl, bl 0x00000017 jmp 00007FCC9C394612h 0x00000019 pushad 0x0000001a mov bl, ACh 0x0000001c cmp bl, FFFFFFACh 0x0000001f jne 00007FCC9C391E83h 0x00000025 popad 0x00000026 mov eax, 00000539h 0x0000002b jmp 00007FCC9C394612h 0x0000002d cmp bx, F525h 0x00000032 mov ecx, dword ptr [ebp+1Ch] 0x00000035 mov edx, 8802EDACh 0x0000003a call 00007FCC9C393F5Fh 0x0000003f push esi 0x00000040 push edx 0x00000041 push ecx 0x00000042 jmp 00007FCC9C394612h 0x00000044 pushad 0x00000045 lfence 0x00000048 rdtsc
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000623B7D second address: 0000000000623C11 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c test bx, ax 0x0000000f mov ecx, 00A95F60h 0x00000014 push ecx 0x00000015 jmp 00007FCC9CA33912h 0x00000017 pushad 0x00000018 mov al, 1Eh 0x0000001a cmp al, 1Eh 0x0000001c jne 00007FCC9CA33799h 0x00000022 popad 0x00000023 call 00007FCC9CA33959h 0x00000028 call 00007FCC9CA33918h 0x0000002d lfence 0x00000030 mov edx, dword ptr [7FFE0014h] 0x00000036 lfence 0x00000039 ret 0x0000003a mov esi, edx 0x0000003c pushad 0x0000003d rdtsc
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000623C11 second address: 0000000000623C11 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FCC9C394608h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007FCC9C394612h 0x00000020 test dx, cx 0x00000023 add edi, edx 0x00000025 jmp 00007FCC9C394612h 0x00000027 test bh, ah 0x00000029 dec ecx 0x0000002a cmp eax, ecx 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007FCC9C3945AAh 0x00000031 push ecx 0x00000032 jmp 00007FCC9C394612h 0x00000034 pushad 0x00000035 mov al, 1Eh 0x00000037 cmp al, 1Eh 0x00000039 jne 00007FCC9C394499h 0x0000003f popad 0x00000040 call 00007FCC9C394659h 0x00000045 call 00007FCC9C394618h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000623EAA second address: 0000000000623EAA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FCC9CA35FE6h 0x0000001d popad 0x0000001e call 00007FCC9CA33971h 0x00000023 lfence 0x00000026 rdtsc
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000624994 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, dword ptr [ebp+1Ch] 0x0000000d jmp 00007FCC9C394612h 0x0000000f test ecx, 0CA7638Eh 0x00000015 mov edx, 8B8E133Dh 0x0000001a test ebx, eax 0x0000001c call 00007FCC9C395789h 0x00000021 push esi 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FCC9C394612h 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000624C68 second address: 0000000000625B62 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FCC9CA347D7h 0x0000000f push esi 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007FCC9CA33912h 0x00000014 pushad 0x00000015 lfence 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\V33QokMrIv.exeRDTSC instruction interceptor: First address: 0000000000625860 second address: 00000000006259B9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007FCC9C394612h 0x0000000e test edx, eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push dword ptr [ebp+00000110h] 0x00000018 call 00007FCC9C394713h 0x0000001d mov ecx, dword ptr [esp+0Ch] 0x00000021 mov edx, dword ptr [esp+08h] 0x00000025 jmp 00007FCC9C394612h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001003EAA second address: 0000000001003EAA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FCC9CA35FE6h 0x0000001d popad 0x0000001e call 00007FCC9CA33971h 0x00000023 lfence 0x00000026 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000001001FFF second address: 00000000010059B9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [edi+00000818h], eax 0x00000011 jmp 00007FCC9C394612h 0x00000013 test bh, dh 0x00000015 mov ebx, dword ptr [edi+3Ch] 0x00000018 add ebx, 000000F8h 0x0000001e mov dword ptr [edi+00000810h], ebx 0x00000024 mov esi, edi 0x00000026 jmp 00007FCC9C394612h 0x00000028 cmp cx, AB77h 0x0000002d add esi, 00001000h 0x00000033 xor edx, edx 0x00000035 push edx 0x00000036 push ebx 0x00000037 push 00000028h 0x00000039 jmp 00007FCC9C394612h 0x0000003b cmp bl, al 0x0000003d mov eax, dword ptr [ebp+20h] 0x00000040 add eax, ebx 0x00000042 push eax 0x00000043 test ax, cx 0x00000046 push esi 0x00000047 call 00007FCC9C397F25h 0x0000004c mov ecx, dword ptr [esp+0Ch] 0x00000050 mov edx, dword ptr [esp+08h] 0x00000054 jmp 00007FCC9C394612h 0x00000056 pushad 0x00000057 lfence 0x0000005a rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 00000000010022AC second address: 00000000010059B9 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+10h], 00000000h 0x0000000a mov dword ptr [ebp+14h], 00000000h 0x00000011 cmp dword ptr [edi+00000814h], 00000000h 0x00000018 je 00007FCC9CA33B5Eh 0x0000001e jmp 00007FCC9CA33912h 0x00000020 cmp bl, al 0x00000022 test ax, cx 0x00000025 jmp 00007FCC9CA33912h 0x00000027 pushad 0x00000028 mov bx, 1417h 0x0000002c cmp bx, 1417h 0x00000031 jne 00007FCC9CA31BADh 0x00000037 popad 0x00000038 test dh, ch 0x0000003a push ecx 0x0000003b cmp edx, edx 0x0000003d mov esi, dword ptr [edi+00000814h] 0x00000043 mov eax, dword ptr [edi+00000800h] 0x00000049 add eax, esi 0x0000004b add eax, ecx 0x0000004d push 00000014h 0x0000004f push eax 0x00000050 mov ebx, edi 0x00000052 add ebx, 00000C00h 0x00000058 push ebx 0x00000059 call 00007FCC9CA36F76h 0x0000005e mov ecx, dword ptr [esp+0Ch] 0x00000062 mov edx, dword ptr [esp+08h] 0x00000066 jmp 00007FCC9CA33912h 0x00000068 pushad 0x00000069 lfence 0x0000006c rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_01002990 rdtsc 15_2_01002990
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWindow / User API: foregroundWindowGot 556
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5808Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5804Thread sleep time: -120000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6148Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6376Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6820Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: RegAsm.exe, 0000000F.00000002.1191919663.00000000014FB000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
            Source: RegAsm.exe, 0000000F.00000002.1191908435.00000000014F0000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWen-USn
            Source: RegAsm.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information queried: ProcessInformation
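How the intercepted RDTSC sequences above work, shown as an added C example that is not code from this report, from Joe Sandbox or from the sample: each probe serialises with lfence, reads the time-stamp counter, executes CPUID leaf 1 and reads the counter again; the loop visible in the traces (sub edx, esi; add edi, edx; dec ecx; jne) accumulates those deltas, and one path tests CPUID.1:ECX bit 31 with bt ecx, 1Fh, the hypervisor-present flag. CPUID is an unconditional VM exit under VT-x and AMD-V, and RDTSC is intercepted by several analysis tools (this report's own "RDTSC instruction interceptor" included), so the measured cost of the pair rises by an order of magnitude inside a sandbox. Several traces also read the dword at 7FFE0014h, the low part of SystemTime in KUSER_SHARED_DATA, to time the same sequence against the wall clock; the example uses timespec_get in its place because that shared page exists only on Windows. The iteration count and the 1000-cycle threshold are assumptions made here for illustration, since the report does not expose the loader's constants, and the non-x86 fallback is added so the program still builds elsewhere. The delay value 922337203685477 in the thread-sleep entries above is Int64.MaxValue / 10,000, i.e. TimeSpan.MaxValue expressed in milliseconds, an effectively infinite wait, which is why it trips the 30 s sleep heuristic.

```c
/* Added example: RDTSC/CPUID timing and hypervisor-bit probes in the style of
 * the intercepted GuLoader sequences. Not code from the report or the sample.
 * Builds with gcc/clang on x86 and x86-64; on other architectures the probes
 * report "unknown" (-1) or 0 so the program still compiles and runs. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* The traces rebuild a 64-bit TSC from EDX:EAX with `shl edx, 20h; or edx, eax`. */
uint64_t tsc_combine(uint32_t hi, uint32_t lo)
{
    return ((uint64_t)hi << 32) | lo;
}

/* CPUID.1:ECX bit 31 is reserved for hypervisors and set when one is present;
 * the trace tests it with `bt ecx, 1Fh; jc ...`.
 * Returns 1 (set), 0 (clear) or -1 (CPUID not available in this build). */
int cpuid_hypervisor_present(void)
{
#if HAVE_X86
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return -1;
    return (int)((c >> 31) & 1u);
#else
    return -1;
#endif
}

/* One probe: serialise, read TSC, run CPUID leaf 1, read TSC again.
 * CPUID always exits to the hypervisor, so the delta grows sharply under
 * virtualisation or when a sandbox hooks the instruction. */
uint64_t cpuid_tsc_delta(void)
{
#if HAVE_X86
    unsigned int a, b, c, d;
    _mm_lfence();
    uint64_t t0 = __rdtsc();
    __get_cpuid(1, &a, &b, &c, &d);
    _mm_lfence();
    uint64_t t1 = __rdtsc();
    return t1 > t0 ? t1 - t0 : 0; /* guard against a core migration between reads */
#else
    return 0;
#endif
}

/* Accumulate deltas over a loop, mirroring the `add edi, edx` / `dec ecx` /
 * `jne` pattern in the traces. Returns 0 when iterations is 0. */
uint64_t sum_cpuid_tsc_deltas(int iterations)
{
    uint64_t total = 0;
    for (int i = 0; i < iterations; i++)
        total += cpuid_tsc_delta();
    return total;
}

/* Wall-clock variant: the loader reads KUSER_SHARED_DATA.SystemTime at
 * 0x7FFE0014 around the same loop; timespec_get(TIME_UTC) stands in for that
 * read here. Returns elapsed nanoseconds (0 if the clock went backwards). */
uint64_t cpuid_wallclock_ns(int iterations)
{
    struct timespec s, e;
    timespec_get(&s, TIME_UTC);
    sum_cpuid_tsc_deltas(iterations);
    timespec_get(&e, TIME_UTC);
    int64_t ns = (int64_t)(e.tv_sec - s.tv_sec) * 1000000000LL
               + (int64_t)(e.tv_nsec - s.tv_nsec);
    return ns > 0 ? (uint64_t)ns : 0;
}

/* Average with a zero guard so an empty run cannot divide by zero. */
uint64_t avg_cycles(uint64_t total, int iterations)
{
    return iterations > 0 ? total / (uint64_t)iterations : 0;
}

/* The decision such checks make: give up when the average probe cost exceeds
 * a threshold. 1000 cycles is an assumed value for illustration; CPUID on bare
 * metal costs on the order of a few hundred cycles, a VM exit adds thousands. */
int looks_virtualized(uint64_t avg, uint64_t threshold_cycles)
{
    return avg > threshold_cycles;
}

int main(void)
{
    const int iterations = 64;           /* assumed loop count */
    const uint64_t threshold = 1000;     /* assumed threshold, see above */
    uint64_t avg = avg_cycles(sum_cpuid_tsc_deltas(iterations), iterations);
    printf("hypervisor bit (CPUID.1:ECX[31]): %d\n", cpuid_hypervisor_present());
    printf("avg rdtsc/cpuid/rdtsc cost: %llu cycles over %d runs\n",
           (unsigned long long)avg, iterations);
    printf("wall clock for the loop: %llu ns\n",
           (unsigned long long)cpuid_wallclock_ns(iterations));
    printf("verdict: %s\n", looks_virtualized(avg, threshold)
                                ? "likely virtualized or instrumented"
                                : "looks like bare metal");
    return 0;
}
```

Run it once on bare metal and once inside the analysis VM: the hypervisor bit alone is enough to identify a VM that does not mask it, and the cycle average separates an instrumented sandbox from both, which is what makes the report's "dummy instruction" padding around each probe worth noting, since it defeats simple pattern hooks on the rdtsc; cpuid; rdtsc triple.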

            Anti Debugging:

            Hides threads from debuggers
            Source: C:\Users\user\Desktop\V33QokMrIv.exeThread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\V33QokMrIv.exeProcess queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_01002990 rdtsc 15_2_01002990
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_01004DA1 LdrInitializeThunk,15_2_01004DA1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_01006010 mov eax, dword ptr fs:[00000030h]15_2_01006010
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_010039D3 mov eax, dword ptr fs:[00000030h]15_2_010039D3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_010039F5 mov eax, dword ptr fs:[00000030h]15_2_010039F5
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_01006B11 mov eax, dword ptr fs:[00000030h]15_2_01006B11
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_01006B25 mov eax, dword ptr fs:[00000030h]15_2_01006B25
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_01005A40 mov eax, dword ptr fs:[00000030h]15_2_01005A40
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_01006AB7 mov eax, dword ptr fs:[00000030h]15_2_01006AB7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_01006AC9 mov eax, dword ptr fs:[00000030h]15_2_01006AC9
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_01006AF1 mov eax, dword ptr fs:[00000030h]15_2_01006AF1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\V33QokMrIv.exeMemory written: C:\Windows\System32\taskhostw.exe base: 1000000
            Source: C:\Users\user\Desktop\V33QokMrIv.exeProcess created: C:\Windows\System32\taskhostw.exe taskhostw.exe None
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'
            Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: RegAsm.exe, 0000000F.00000002.1192015059.0000000001930000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: RegAsm.exe, 0000000F.00000002.1191997352.000000000158D000.00000004.00000001.sdmpBinary or memory string: Program Manager (x86)\DHCP Monitor\dhcpmon.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 15_2_010029AD cpuid 15_2_010029AD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
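A detection for the persistence step shown in the two schtasks.exe command lines above (a task registered from an XML file in AppData\Local\Temp), as an added C example that is not code from the report or from any sandbox or SIEM product: it applies a Sigma-style rule to process-creation command lines, firing on schtasks with /create and an /xml argument whose path lies in a user or system temp directory. Legitimate installers register tasks from their install directory or ProgramData; a task definition read from a randomly named .tmp file is a strong signal for Scheduled Task/Job (T1053.005). The sample command lines are constructed for this example; the first two are copied from the report. The temp-directory markers and the benign lines are assumptions made here, not data from the report.

```c
/* Added example: flag `schtasks.exe /create ... /xml <file>` where the task
 * definition lives in a temp directory, the pattern in the report's two
 * command lines. Not code from the report or the sample. The sample lines
 * below are constructed for the example (the first two come from the report). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive strstr: Windows switches and paths are case-insensitive. */
static const char *ci_strstr(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0) return hay;
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return hay;
    }
    return NULL;
}

/* Skip whitespace and an opening quote (' or ") in front of an argument. */
static const char *arg_start(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\'' || *p == '"') p++;
    return p;
}

/* Temp locations worth alerting on (assumed list). All are writable by the
 * process that later registers the task, so the XML is almost always dropped
 * by the same malware that calls schtasks. */
static const char *const TEMP_MARKERS[] = {
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "%temp%\\",
};

/* Returns 1 when the command line is a schtasks /create whose /xml argument
 * points into a temp directory, else 0. The marker search runs from the /xml
 * argument to the end of the line, so a temp path in a later argument counts too. */
int is_temp_task_xml(const char *cmdline)
{
    if (!ci_strstr(cmdline, "schtasks")) return 0;
    if (!ci_strstr(cmdline, "/create")) return 0;
    const char *xml = ci_strstr(cmdline, "/xml");
    if (!xml) return 0;
    const char *path = arg_start(xml + 4);
    for (size_t i = 0; i < sizeof TEMP_MARKERS / sizeof TEMP_MARKERS[0]; i++)
        if (ci_strstr(path, TEMP_MARKERS[i])) return 1;
    return 0;
}

/* Runs the rule over a batch of command lines; returns the number of hits. */
int count_temp_task_xml(const char *const *lines, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        hits += is_temp_task_xml(lines[i]);
    return hits;
}

/* Constructed sample: the two lines from the report plus benign noise. */
static const char *const SAMPLE[] = {
    "'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\\Users\\user\\AppData\\Local\\Temp\\tmp7CFF.tmp'",
    "'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\\Users\\user\\AppData\\Local\\Temp\\tmp801C.tmp'",
    "schtasks.exe /create /tn \"Nightly Backup\" /tr \"C:\\Tools\\backup.exe\" /sc daily /st 02:00",
    "schtasks.exe /create /tn \"Agent Update\" /xml \"C:\\ProgramData\\Agent\\update.xml\"",
    "schtasks.exe /query /tn \"DHCP Monitor\"",
};
#define SAMPLE_N ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int main(void)
{
    for (int i = 0; i < SAMPLE_N; i++)
        printf("%s  %s\n", is_temp_task_xml(SAMPLE[i]) ? "ALERT" : "ok   ", SAMPLE[i]);
    printf("%d of %d command lines flagged\n",
           count_temp_task_xml(SAMPLE, SAMPLE_N), SAMPLE_N);
    return 0;
}
```

Feed it Sysmon event 1 or Windows 4688 command lines; the rule stays quiet on ordinary /create invocations that point at install directories and on /query, and fires on both of the report's lines. Pair it with the dropped-file evidence (tmp7CFF.tmp written by RegAsm.exe shortly before the schtasks call) to cut false positives further.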

            Stealing of Sensitive Information:

            Yara detected Nanocore RAT
            Source: Yara matchFile source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6556, type: MEMORY
            Source: Yara matchFile source: 15.2.RegAsm.exe.1edc7a58.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.RegAsm.exe.1edc7a58.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 15.2.RegAsm.exe.1edcc081.3.raw.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            Detected Nanocore Rat
            Source: RegAsm.exe, 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
            Source: RegAsm.exe, 0000000F.00000002.1213259233.000000001DD61000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

            Mitre Att&ck Matrix

            Techniques observed for this sample, grouped by tactic. The trailing digits are the report's hit counters, reproduced as printed; matrix cells without a counter (the unobserved ATT&CK techniques the report lists as filler) are omitted.

            • Execution: Scheduled Task/Job 1
            • Persistence: Scheduled Task/Job 1; Registry Run Keys / Startup Folder 1; DLL Side-Loading 1
            • Privilege Escalation: Process Injection 112; Scheduled Task/Job 1; Registry Run Keys / Startup Folder 1; DLL Side-Loading 1
            • Defense Evasion: Masquerading 2; Virtualization/Sandbox Evasion 23; Disable or Modify Tools 1; Process Injection 112; Hidden Files and Directories 1; Obfuscated Files or Information 1; DLL Side-Loading 1
            • Credential Access: Input Capture 11
            • Discovery: Security Software Discovery 521; Virtualization/Sandbox Evasion 23; Process Discovery 2; Application Window Discovery 1; Remote System Discovery 1; System Information Discovery 212
            • Collection: Input Capture 11; Archive Collected Data 1
            • Command and Control: Encrypted Channel 1; Non-Standard Port 1; Remote Access Software 1; Non-Application Layer Protocol 1; Application Layer Protocol 11
            • Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no techniques observed

            Behavior Graph

            Graph ID 357184, sample V33QokMrIv.exe, start date 24/02/2021, architecture WINDOWS, score 100.
            Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures.

            Process tree (indentation shows parent and child; network, dropped files and signatures are listed under the process that produced them):

            • V33QokMrIv.exe (started)
              Signatures: Writes to foreign memory regions; Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; 2 other signatures
              • RegAsm.exe
                Network: 194.5.98.202 port 4488 (local ports 49766, 49767), DANILENKODE, Netherlands; onedrive.live.com; 2 other IPs or domains
                Dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmp7CFF.tmp (XML); C:\Users\user\subfolder1\filename1.exe (PE32); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
                Signatures: Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers; Hides that the sample has been downloaded from the Internet (zone.identifier)
              • taskhostw.exe
                • schtasks.exe
                  • conhost.exe
                • schtasks.exe
                  • conhost.exe
                • conhost.exe
            • RegAsm.exe (started)
              Dropped: C:\Users\user\AppData\...\RegAsm.exe.log (ASCII)
              • conhost.exe
            • dhcpmon.exe (started)
              • conhost.exe
            • 3 other processes (started)
              • conhost.exe

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            V33QokMrIv.exe | 9% | ReversingLabs | Win32.Trojan.Generic

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
            C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
            C:\Users\user\subfolder1\filename1.exe | 9% | ReversingLabs | Win32.Trojan.Generic

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            (blank) | 0% | Avira URL Cloud | safe
            194.5.98.202 | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Reputation
            onedrive.live.com | unknown | unknown | false | high
            ibkebw.dm.files.1drv.com | unknown | unknown | false | high

                Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            (blank) | true | Avira URL Cloud: safe | low
            194.5.98.202 | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

            Name | Source | Malicious | Reputation
            https://ibkebw.dm.files.1drv.com/ | RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp | false | high
            https://onedrive.live.com/download?cid=802AC8A73EEC8C8E&resid=802AC8A73EEC8C8E%21110&authkey=AK1w6-P | RegAsm.exe, RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp | false | high
            https://onedrive.live.com/zZm | RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp | false | high
            https://ibkebw.dm.files.1drv.com/y4m_7vjlVAP2dktIZ7ToWB_X8Tx5mpxc0CHqB4Dc4Xc8QJNrWia8ZAB0h8vRJGCEryL | RegAsm.exe, 0000000F.00000003.1173973223.000000000150D000.00000004.00000001.sdmp, RegAsm.exe, 0000000F.00000002.1191919663.00000000014FB000.00000004.00000020.sdmp | false | high
            https://onedrive.live.com/ | RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp | false | high
            https://ibkebw.dm.files.1drv.com/Jep | RegAsm.exe, 0000000F.00000002.1191880037.00000000014AB000.00000004.00000020.sdmp | false | high

                            Contacted IPs


                            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            194.5.98.202 | unknown | Netherlands | 208476 | DANILENKODE | true

                            General Information

                            Joe Sandbox Version:31.0.0 Emerald
                            Analysis ID:357184
                            Start date:24.02.2021
                            Start time:09:23:21
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 11m 23s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:V33QokMrIv.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@19/12@2/1
                            EGA Information:Failed
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 93%
                            • Number of executed functions: 137
                            • Number of non-executed functions: 8
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240s for sample files taking high CPU consumption
                            Warnings:
                            • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 52.113.196.254, 13.107.3.254, 13.64.90.137, 52.255.188.83, 13.88.21.125, 51.104.139.180, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 13.107.43.13, 13.107.43.12, 20.190.160.6, 20.190.160.75, 20.190.160.69, 20.190.160.134, 20.190.160.132, 20.190.160.71, 20.190.160.73, 20.190.160.136, 51.11.168.232
                            • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-dm-files-geo.onedrive.akadns.net, arc.msn.com.nsatc.net, s-ring.msedge.net, www.tm.lg.prod.aadmsa.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.dc-msedge.net, www.tm.a.prd.aadg.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-dm-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, ams2.next.a.prd.aadg.trafficmanager.net, login.live.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, odc-dm-files-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, l-0003.dc-msedge.net, settings-win.data.microsoft.com, s-ring.s-9999.s-msedge.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/357184/sample/V33QokMrIv.exe

                            Simulations

                            Behavior and APIs

Time | Type | Description
09:26:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe
09:26:29 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" s>$(Arg0)
09:26:29 | API Interceptor | 666x Sleep call for process: RegAsm.exe modified
09:26:30 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
09:26:33 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
09:26:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\subfolder1\filename1.exe
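The Task Scheduler rows above, together with the task definitions the sample drops as tmp7CFF.tmp and tmp801C.tmp (see Created / dropped Files further down), describe the persistence layer: a task with no triggers, RunLevel HighestAvailable, whose action is RegAsm.exe (later dhcpmon.exe) with a $(Arg0) placeholder, plus Run/RunOnce values pointing at a copy of the sample in the user profile. The Python below is an added example, not part of the Joe Sandbox report, that parses such a task definition and the autostart entries and explains why each matches. The task XML it parses is constructed from the tmp7CFF.tmp preview; the preview is cut off before the Actions block, so the RegAsm.exe command and $(Arg0) argument in that block are an assumption taken from the "DHCP Monitor" task entry, and the list of .NET utilities treated as injection hosts is the author's, not the report's.

```python
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition modelled on the tmp7CFF.tmp preview in this report.
# Assumption: the <Actions> block, which the preview cuts off, carries the RegAsm.exe
# command and the $(Arg0) argument shown in the "DHCP Monitor" task entry.
# The on-disk file is UTF-16 with an XML declaration; this copy is a plain str without
# the declaration so ElementTree can parse it directly.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# .NET framework utilities routinely hollowed out to host an injected payload (author's list).
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def parse_task(xml_data):
    """Extract the fields a hunt cares about from a Task Scheduler XML definition.

    Accepts the str above or the raw bytes of a task file (when given bytes,
    ElementTree honours the UTF-16 declaration that schtasks writes).
    """
    root = ET.fromstring(xml_data)

    def text(path):
        el = root.find(path, TASK_NS)
        return (el.text or "").strip() if el is not None else ""

    triggers = root.find("t:Triggers", TASK_NS)
    return {
        "triggers": 0 if triggers is None else len(list(triggers)),
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "command": text("t:Actions/t:Exec/t:Command").strip('"'),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
    }


def task_findings(task):
    """Return the reasons a parsed task matches the pattern seen in this report."""
    findings = []
    exe = task["command"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in INJECTION_HOSTS:
        findings.append(f"action runs {exe}, a .NET utility commonly used as an injection host")
    if "$(Arg" in task["arguments"]:
        # Task Scheduler substitutes $(Arg0)..$(Arg32) with the parameters passed to
        # IRegisteredTask::RunEx, so the real command line is chosen at run time.
        findings.append("arguments are $(ArgN) placeholders: whoever starts the task supplies the command line")
    if task["triggers"] == 0:
        findings.append("no triggers: the task is only ever started on demand")
    if task["run_level"] == "HighestAvailable":
        findings.append("RunLevel HighestAvailable: runs with the author's full token when one is available")
    return findings


def autostart_findings(key, data):
    """Flag a Run/RunOnce value from the Behavior table that points outside system directories."""
    findings = []
    if key.upper().endswith("\\RUNONCE"):
        findings.append("RunOnce value: Windows deletes it at the next logon, so it only persists if the payload re-creates it")
    if "\\users\\" in data.lower():
        findings.append("autostart binary lives in the user profile, not a system directory")
    return findings


if __name__ == "__main__":
    for line in task_findings(parse_task(SAMPLE_TASK_XML)):
        print("task:", line)
    for line in autostart_findings(r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
                                   r"C:\Users\user\subfolder1\filename1.exe"):
        print("autostart:", line)
```

The second RunOnce write at 09:26:41 in the table is consistent with the re-creation behaviour the RunOnce finding describes: the value is consumed on use, so a payload that wants to survive rewrites it.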

                            Joe Sandbox View / Context

                            IPs

Match: 194.5.98.202
Associated Sample Name / URL | Detection
DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc | malicious

                              Domains

                              No context

                              ASN

Match: DANILENKODE
Associated Sample Name / URL | Detection | Context
3Fv4j323nj.exe | malicious | 194.5.98.182
scan09e8902093922023ce.exe | malicious | 194.5.98.46
PO AAN2102002-V020.doc | malicious | 194.5.98.182
DHL88700456XXXX_CONFIRMATION_BOOKING_REFERENCE_BJC400618092909_RAW.doc | malicious | 194.5.98.202
neue bestellung.PDF.exe | malicious | 194.5.97.48
Orderoffer.exe | malicious | 194.5.98.66
neue bestellung.PDF.exe | malicious | 194.5.97.48
OrderSuppliesQuote0817916.exe | malicious | 194.5.97.248
DHL_6368638172 documento de recibo,pdf.exe | malicious | 194.5.97.244
QuotationInvoices.exe | malicious | 194.5.97.248
PAYMENT_.EXE | malicious | 194.5.98.211
payment.exe | malicious | 194.5.98.66
RFQ_1101983736366355 1101938377388.exe | malicious | 194.5.98.21
Slip copy .xls.exe | malicious | 194.5.97.116
Scan0059.pdf.exe | malicious | 194.5.97.34
DHL AWB # 6008824216.png.exe | malicious | 194.5.97.48
Scan0019.exe | malicious | 194.5.97.34
PurchaseOrdersCSTtyres004786587.exe | malicious | 194.5.97.248
Invoice467972.jar | malicious | 194.5.97.18
Invoice467972.jar | malicious | 194.5.97.18

                              JA3 Fingerprints

                              No context

                              Dropped Files

Match: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Associated Sample Name / URL | Detection
3Fv4j323nj.exe | malicious
SecuriteInfo.com.Variant.Razy.845229.13077.exe | malicious
document.exe | malicious
w0JlVAbpIT.exe | malicious
Bjdl7RO0K8.exe | malicious
4hW0TZqN01.exe | malicious
d4e475d7d17a16be8b9eeac6e10b25af.exe | malicious
e5bd3238d220c97cd4d6969abb3b33e0.exe | malicious
1c2dec9cbfcd95afe13bf71910fdf95f.exe | malicious
Xf6v0G2wIM.exe | malicious
jztWD1iKrC.exe | malicious
wH22vdkhhU.exe | malicious
AqpOn6nwXS.exe | malicious
CklrD7MYX2.exe | malicious
FahZG6Pdc4.exe | malicious
61WlCsQR9Q.exe | malicious
U7DiqWP9qu.exe | malicious
d4x5rI09A7.exe | malicious
1WW425NrsA.exe | malicious
Kyd6mztyQ5.exe | malicious

                                                                      Created / dropped Files

                                                                      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):53248
                                                                      Entropy (8bit):4.490095782293901
                                                                      Encrypted:false
                                                                      SSDEEP:768:0P2Bbv+VazyoD2z9TU//1mz1+M9GnLEu+2wTFRJS8Ulg:HJv46yoD2BTNz1+M9GLfOw8UO
                                                                      MD5:529695608EAFBED00ACA9E61EF333A7C
                                                                      SHA1:68CA8B6D8E74FA4F4EE603EB862E36F2A73BC1E5
                                                                      SHA-256:44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
                                                                      SHA-512:8FE476E0185B2B0C66F34E51899B932CB35600C753D36FE102BDA5894CDAA58410044E0A30FDBEF76A285C2C75018D7C5A9BA0763D45EC605C2BBD1EBB9ED674
                                                                      Malicious:false
                                                                      Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Joe Sandbox View:
• Filename: 3Fv4j323nj.exe, Detection: malicious
• Filename: SecuriteInfo.com.Variant.Razy.845229.13077.exe, Detection: malicious
• Filename: document.exe, Detection: malicious
• Filename: w0JlVAbpIT.exe, Detection: malicious
• Filename: Bjdl7RO0K8.exe, Detection: malicious
• Filename: 4hW0TZqN01.exe, Detection: malicious
• Filename: d4e475d7d17a16be8b9eeac6e10b25af.exe, Detection: malicious
• Filename: e5bd3238d220c97cd4d6969abb3b33e0.exe, Detection: malicious
• Filename: 1c2dec9cbfcd95afe13bf71910fdf95f.exe, Detection: malicious
• Filename: Xf6v0G2wIM.exe, Detection: malicious
• Filename: jztWD1iKrC.exe, Detection: malicious
• Filename: wH22vdkhhU.exe, Detection: malicious
• Filename: AqpOn6nwXS.exe, Detection: malicious
• Filename: CklrD7MYX2.exe, Detection: malicious
• Filename: FahZG6Pdc4.exe, Detection: malicious
• Filename: 61WlCsQR9Q.exe, Detection: malicious
• Filename: U7DiqWP9qu.exe, Detection: malicious
• Filename: d4x5rI09A7.exe, Detection: malicious
• Filename: 1WW425NrsA.exe, Detection: malicious
• Filename: Kyd6mztyQ5.exe, Detection: malicious
                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z..................... .......... ........@.. ..............................N.....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):20
                                                                      Entropy (8bit):3.6841837197791887
                                                                      Encrypted:false
                                                                      SSDEEP:3:QHXMKas:Q3Las
                                                                      MD5:B3AC9D09E3A47D5FD00C37E075A70ECB
                                                                      SHA1:AD14E6D0E07B00BD10D77A06D68841B20675680B
                                                                      SHA-256:7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
                                                                      SHA-512:09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
                                                                      Malicious:true
                                                                      Preview: 1,"fusion","GAC",0..
                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
                                                                      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:modified
                                                                      Size (bytes):20
                                                                      Entropy (8bit):3.6841837197791887
                                                                      Encrypted:false
                                                                      SSDEEP:3:QHXMKas:Q3Las
                                                                      MD5:B3AC9D09E3A47D5FD00C37E075A70ECB
                                                                      SHA1:AD14E6D0E07B00BD10D77A06D68841B20675680B
                                                                      SHA-256:7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
                                                                      SHA-512:09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
                                                                      Malicious:false
                                                                      Preview: 1,"fusion","GAC",0..
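Each record in this section gives a dropped file's size, 8-bit Shannon entropy, MD5/SHA-1/SHA-256/SHA-512 and a libmagic-style file type. The Python below is an added example, not part of the Joe Sandbox report, that computes those same triage fields. Its inputs are constructed: a copy of the 20-byte CLR usage log shown in the two records directly above (its size and entropy, 3.6841837197791887, reproduce the record), and a bare PE32 header skeleton used only to exercise the native-versus-.NET check that separates dhcpmon.exe's "Mono/.Net assembly" type from filename1.exe's plain "PE32 executable (GUI)". The 7.0 entropy threshold for flagging a blob as probably encrypted is the author's rule of thumb, not a value the report uses.

```python
import hashlib
import math
import struct
from collections import Counter

# Constructed copy of the CLR usage log this report lists twice (RegAsm.exe.log and
# dhcpmon.exe.log): the preview shows 1,"fusion","GAC",0 followed by CRLF, 20 bytes.
USAGE_LOG = b'1,"fusion","GAC",0\r\n'


def shannon_entropy(data):
    """Bits per byte, the quantity the report prints as "Entropy (8bit)"; 8.0 is the ceiling."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_kind(data):
    """Classify a blob the way the report's File Type line does: not a PE, PE32 or PE32+,
    and native versus .NET (a non-zero CLR Runtime Header, data directory index 14)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24                        # PE signature (4) + COFF header (20)
    if opt + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        bits, dir_off = "PE32", opt + 96       # data directories start at +96 in PE32
    elif magic == 0x20B:
        bits, dir_off = "PE32+", opt + 112     # and at +112 in PE32+
    else:
        return "pe-unknown-magic"
    clr_rva = 0
    if dir_off <= len(data):
        (n_dirs,) = struct.unpack_from("<I", data, dir_off - 4)   # NumberOfRvaAndSizes
        if n_dirs > 14 and dir_off + 15 * 8 <= len(data):
            (clr_rva,) = struct.unpack_from("<I", data, dir_off + 14 * 8)
    return f"{bits} .NET assembly" if clr_rva else f"{bits} native"


def triage(data):
    """The size, entropy, type and hash fields of a 'Created / dropped Files' record."""
    entropy = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": entropy,
        # Author's threshold: a high-entropy non-PE blob (catalog.dat above sits at 7.02)
        # is worth a closer look as a possible encrypted configuration or plugin store.
        "looks_encrypted": entropy > 7.0,
        "kind": pe_kind(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def build_stub_pe(dotnet):
    """Constructed PE32 header skeleton (not a loadable image) to exercise pe_kind()."""
    buf = bytearray(0x80 + 4 + 20 + 224)      # DOS header, PE sig, COFF header, PE32 optional header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)    # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, 0x14C)   # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x84 + 16, 224)  # SizeOfOptionalHeader
    opt = 0x84 + 20
    struct.pack_into("<H", buf, opt, 0x10B)    # PE32 magic
    struct.pack_into("<I", buf, opt + 92, 16)  # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<I", buf, opt + 96 + 14 * 8, 0x2008)  # CLR Runtime Header RVA
    return bytes(buf)


if __name__ == "__main__":
    for name, value in triage(USAGE_LOG).items():
        print(f"{name}: {value}")
    print("stub .NET PE:", pe_kind(build_stub_pe(True)))
```

Run against the real dropped files, the hashes give the values to pivot on in the Joe Sandbox View tables above, and the kind check tells you before disassembly whether a dropped executable is a .NET stage (look at it with a CIL decompiler) or native (as filename1.exe, the MSVBVM60 import in its preview marks it as the Visual Basic 6 GuLoader stub).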
                                                                      C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1319
                                                                      Entropy (8bit):5.133606110275315
                                                                      Encrypted:false
                                                                      SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mne5xtn:cbk4oL600QydbQxIYODOLedq3Ze5j
                                                                      MD5:C6F0625BF4C1CDFB699980C9243D3B22
                                                                      SHA1:43DE1FE580576935516327F17B5DA0C656C72851
                                                                      SHA-256:8DFC4E937F0B2374E3CED25FCE344B0731CF44B8854625B318D50ECE2DA8F576
                                                                      SHA-512:9EF2DBD4142AD0E1E6006929376ECB8011E7FFC801EE2101E906787D70325AD82752DF65839DE9972391FA52E1E5974EC1A5C7465A88AA56257633EBB7D70969
                                                                      Malicious:true
                                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                      C:\Users\user\AppData\Local\Temp\tmp801C.tmp
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1310
                                                                      Entropy (8bit):5.109425792877704
                                                                      Encrypted:false
                                                                      SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                      MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                      SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                      SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                      SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                      Malicious:false
                                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):928
                                                                      Entropy (8bit):7.024371743172393
                                                                      Encrypted:false
                                                                      SSDEEP:24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtw:Ik/lCrwfk/lCrwfk/lCrwfk/lCrw8
                                                                      MD5:CCB690520E68EE385ACC0ACFE759AFFC
                                                                      SHA1:33F0DA3F55E5B3C5AC19B61D31471CB60BCD5C96
                                                                      SHA-256:166154225DAB5FCB79C1CA97D371B159D37B83FBC0ADABCD8EBA98FA113A7A3B
                                                                      SHA-512:AC4F3CF1F8F460745D37E6350861C2FBCDDCC1BBDE0A48FB361BFBF5B1EBF10A05F798A72CE413FCA073FF8108955353DDBCBD9D50CED6CDAE231C67A28FDDA3
                                                                      Malicious:false
                                                                      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                      File Type:Non-ISO extended-ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):8
                                                                      Entropy (8bit):2.75
                                                                      Encrypted:false
                                                                      SSDEEP:3:zTn:zTn
                                                                      MD5:92E49A758034CCCB53F7E0C2540D8D1F
                                                                      SHA1:A110CF375A1151871163162E42572DB30665F4DD
                                                                      SHA-256:C7CB3AE57F1E7A86EDD4CBBB313AB5E1BDF253C6205AB1B2188DD27F44C6D11C
                                                                      SHA-512:376B05470948B965687BD787F2FF2A81B62F2D3157FD9213DD2D885453FE05FBFB0E6B4EF3F71774B6CA1A9AEE215DA5756F3E679C075B89D112E9225D055128
                                                                      Malicious:true
                                                                      Preview: 3YR...H
                                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):56
                                                                      Entropy (8bit):4.787365359936823
                                                                      Encrypted:false
                                                                      SSDEEP:3:oMty8WbSXgL4A:oMLWuQL4A
                                                                      MD5:EFD1636CFC3CC38FD7BABAE5CAC9EDE0
                                                                      SHA1:4D7D378ABEB682EEFBD039930C0EA996FBF54178
                                                                      SHA-256:F827D5B11C1EB3902D601C3E0B59BA32FE11C0B573FBF22FB2AF86BFD4651BBA
                                                                      SHA-512:69B2B0AB1A6E13395EF52DCB903B8E17D842E6D0D44F801FF2659CFD5EC343C8CC57928B02961FC7099AD43FF05633BAF5AC39042A00C8676D4FA8F6F8C2A5D7
                                                                      Malicious:false
                                                                      Preview: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                      C:\Users\user\subfolder1\filename1.exe
                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):131072
                                                                      Entropy (8bit):4.886067635976852
                                                                      Encrypted:false
                                                                      SSDEEP:1536:uWWTwV4fVhuoUaaAAwT4uv65YEWDTkIlmak5AEivuxVQwV4MjW:2wVUPOpUlviYEWnkIlmak5zivQqwV
                                                                      MD5:E18DBE57194DD717D54A907BA8E6D3E1
                                                                      SHA1:76BACC8C5FBBF675399C39C42565DFC3D77BE98B
                                                                      SHA-256:B5D510179AB07F09C10CFA2EA9D95346FB696AFD3F642AF2882B3F4CD16D3FF5
                                                                      SHA-512:B5B4064FB475590E7EBFA51857117E5C8DAC0C98402809856CD17CF40EDBF455A28ECAB9BD4B431997C50AC1767AB7724F79ED356C33690AA9CB2DCDF38F7968
                                                                      Malicious:false
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 9%
                                                                      \Device\ConDrv
                                                                      Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1010
                                                                      Entropy (8bit):4.298581893109255
                                                                      Encrypted:false
                                                                      SSDEEP:24:zKTDwL/0XZd3Wo3opQ5ZKBQFYVgt7ovrNOYlK:zKTDwAXZxo4ABV+SrUYE
                                                                      MD5:367EEEC425FE7E80B723298C447E2F22
                                                                      SHA1:3873DFC88AF504FF79231FE2BF0E3CD93CE45195
                                                                      SHA-256:481A7A3CA0DD32DA4772718BA4C1EF3F01E8D184FE82CF6E9C5386FD343264BC
                                                                      SHA-512:F7101541D87F045E9DBC45941CDC5A7F97F3EFC29AC0AF2710FC24FA64F0163F9463DE373A5D2BE1270126829DE81006FB8E764186374966E8D0E9BB35B7D7D6
                                                                      Malicious:false
                                                                      Preview:
                                                                      Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.8922
                                                                      Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.

                                                                      Syntax: RegAsm AssemblyName [Options]
                                                                      Options:
                                                                        /unregister          Unregister types
                                                                        /tlb[:FileName]      Export the assembly to the specified type library
                                                                                             and register it
                                                                        /regfile[:FileName]  Generate a reg file with the specified name
                                                                                             instead of registering the types. This option
                                                                                             cannot be used with the /u or /tlb options
                                                                        /codebase            Set the code base in the registry
                                                                        /registered          Only refer to already registered type libraries
                                                                        /asmpath:Directory   Look for assembly references here
                                                                        /nologo              Prevents RegAsm from displaying logo
                                                                        /silent              Silent mode. Prevents displaying of success messages
                                                                        /verbose             Displays extra information
                                                                        /? or /help          Display this usage

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):4.886067635976852
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.15%
                                                                      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:V33QokMrIv.exe
                                                                      File size:131072
                                                                      MD5:e18dbe57194dd717d54a907ba8e6d3e1
                                                                      SHA1:76bacc8c5fbbf675399c39c42565dfc3d77be98b
                                                                      SHA256:b5d510179ab07f09c10cfa2ea9d95346fb696afd3f642af2882b3f4cd16d3ff5
                                                                      SHA512:b5b4064fb475590e7ebfa51857117e5c8dac0c98402809856cd17cf40edbf455a28ecab9bd4b431997c50ac1767ab7724f79ed356c33690aa9cb2dcdf38f7968
                                                                      SSDEEP:1536:uWWTwV4fVhuoUaaAAwT4uv65YEWDTkIlmak5AEivuxVQwV4MjW:2wVUPOpUlviYEWnkIlmak5zivQqwV

                                                                      File Icon

                                                                      Icon Hash:01d292796dda0080

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x4013dc
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                      DLL Characteristics:
                                                                      Time Stamp:0x57629AC2 [Thu Jun 16 12:25:38 2016 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:cc882d101998a701353b40b0cd8c341a

                                                                      Entrypoint Preview


                                                                      Data Directories

                                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15974 | 0x28 | .text
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x83f6 | .rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
                                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xe0 | .text
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                      Sections

                                                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                      .text | 0x1000 | 0x14da4 | 0x15000 | False | 0.404203869048 | data | 5.57673610906 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                      .data | 0x16000 | 0xa18 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                      .rsrc | 0x17000 | 0x83f6 | 0x9000 | False | 0.340494791667 | data | 3.53320400461 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      Name | RVA | Size | Type | Language | Country
                                                                      RT_ICON | 0x1f2ce | 0x128 | GLS_BINARY_LSB_FIRST | |
                                                                      RT_ICON | 0x1dca6 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4608, next free block index 40, next free block 0, next used block 0 | |
                                                                      RT_ICON | 0x1bffe | 0x1ca8 | data | |
                                                                      RT_ICON | 0x1b356 | 0xca8 | data | |
                                                                      RT_ICON | 0x1afee | 0x368 | GLS_BINARY_LSB_FIRST | |
                                                                      RT_ICON | 0x18a46 | 0x25a8 | data | |
                                                                      RT_ICON | 0x1799e | 0x10a8 | data | |
                                                                      RT_ICON | 0x17536 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                      RT_GROUP_ICON | 0x174c0 | 0x76 | data | |
                                                                      RT_VERSION | 0x17240 | 0x280 | data | |

                                                                      Imports

                                                                      DLL | Import
                                                                      MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                                                      Version Infos

                                                                      Description | Data
                                                                      Translation | 0x0000 0x04b0
                                                                      InternalName | KARAKTERISTIKONS
                                                                      FileVersion | 1.00
                                                                      CompanyName | Sinth Radio
                                                                      ProductName | Sinth Radio
                                                                      ProductVersion | 1.00
                                                                      FileDescription | Sinth Radio
                                                                      OriginalFilename | KARAKTERISTIKONS.exe

                                                                      Network Behavior

                                                                      Snort IDS Alerts

                                                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                      02/24/21-09:26:30.194652 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49766 | 4488 | 192.168.2.4 | 194.5.98.202
                                                                      02/24/21-09:26:36.466553 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49767 | 4488 | 192.168.2.4 | 194.5.98.202
                                                                      02/24/21-09:26:42.713931 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49768 | 4488 | 192.168.2.4 | 194.5.98.202
                                                                      02/24/21-09:26:49.051394 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49769 | 4488 | 192.168.2.4 | 194.5.98.202

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                      Feb 24, 2021 09:26:32.161123991 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.161134958 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.163206100 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.163245916 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.163291931 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.163326979 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.186757088 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.428322077 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.428378105 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.428481102 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.428503990 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.428936958 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.429208994 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.429279089 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.430398941 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.430552959 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.430603981 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.430718899 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.431397915 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.431442976 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.431495905 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.432112932 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.432153940 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.432179928 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.432225943 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.434156895 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.434190035 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.434241056 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.434262037 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.434284925 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.434326887 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.434345007 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.434783936 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.434894085 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.434957981 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.434973955 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.435019970 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.436042070 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.436083078 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.436156034 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.436162949 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.436197996 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.436201096 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.436235905 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.438071012 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.438114882 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.438160896 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.438199997 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.438222885 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.438232899 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.438235044 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.438280106 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.439985991 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.440027952 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.440047979 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.440083027 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.440124035 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.440979004 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.441240072 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.441309929 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:32.442059040 CET448849766194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:32.442799091 CET497664488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:36.201488018 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:36.447149992 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:36.448434114 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:36.466552973 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:36.779777050 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:36.781270027 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:36.831882000 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:36.887857914 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:37.080342054 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.080495119 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:37.315675974 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.315772057 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:37.613584042 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.613714933 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:37.903466940 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.903491020 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.903501987 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.903516054 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.903716087 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:37.913103104 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.913129091 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.913172007 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:37.914205074 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.914223909 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.914241076 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.914257050 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:37.914259911 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:37.914294004 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.143291950 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.143333912 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.144046068 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.144083977 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.144151926 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.144202948 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.145329952 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.145363092 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.145409107 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.145433903 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.145488024 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.145531893 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.146617889 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.147025108 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.147053003 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.147103071 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.147140026 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.147181988 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.147223949 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.148293972 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.149350882 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.149904966 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.149982929 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.150082111 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.150211096 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.150237083 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.150258064 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.150279999 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.151067972 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.151118994 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.153230906 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.153264999 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.153435946 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.378283024 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.378319025 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.379298925 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.379354954 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.379407883 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.381941080 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.381979942 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.382113934 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.382992983 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.383265972 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.383296013 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.383382082 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.384139061 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.384838104 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.384869099 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.384924889 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.384954929 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.384999990 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.385042906 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.385998964 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.386034966 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.386111021 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.386162996 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.388200998 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.388256073 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.388297081 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.388334990 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.388346910 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.388374090 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.388418913 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.389065027 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.389425039 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.389450073 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.389522076 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.390989065 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.391288996 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.391319036 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.391341925 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.391362906 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.391408920 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.391438007 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.392237902 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.392271042 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.392328978 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.392365932 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.393229961 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.393261909 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.393316031 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.393358946 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.394005060 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.394037008 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.394098043 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.394169092 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.395216942 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.395246983 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.395287991 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.395312071 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.397068024 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.397102118 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.397145033 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.397165060 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.397211075 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.397253036 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.397269964 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.403321981 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.471093893 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.618407011 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.618446112 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.618583918 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.619136095 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.619168043 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.619194984 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.619220018 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.619262934 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.619862080 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.619893074 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.620073080 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:38.620140076 CET497674488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:38.620901108 CET448849767194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.877873898 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.877890110 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.877906084 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.877988100 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.878005981 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.878593922 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.878995895 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.879087925 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.879853964 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.879873991 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.879944086 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.879957914 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.881264925 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.881290913 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.881402016 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.882004976 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.882030964 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.882200003 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.882215023 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.883223057 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.883246899 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.883327007 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.883976936 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.884037018 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.884072065 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.884155989 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.884881020 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.884993076 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.884991884 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.885138035 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.886980057 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.887048006 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.887101889 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.887118101 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:44.887294054 CET448849768194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:44.887516022 CET497684488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:48.813455105 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:49.049899101 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:49.050398111 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:49.051393986 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:49.349899054 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:49.350019932 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:49.412816048 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:49.412899017 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:49.637979984 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:49.638055086 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:49.699019909 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:49.699146032 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:49.892867088 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:49.892966032 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:49.995062113 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:49.995218039 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.180355072 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.183617115 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.297940969 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.300882101 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.302933931 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.303000927 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.303030014 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.303112984 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.304121971 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.304202080 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.304243088 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.304502964 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.304970026 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.305023909 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.305120945 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.305361986 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.305398941 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.305480957 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.305815935 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.305845022 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.305875063 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.305917025 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.306938887 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.307004929 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.485064983 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.485146046 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.550981998 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.551023960 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.551062107 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.551089048 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.553059101 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.553082943 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.553163052 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.553194046 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.553356886 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.553378105 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.553420067 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.553430080 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.553438902 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.553443909 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.553471088 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.553483009 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.553489923 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.553530931 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.553550959 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.553554058 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.555778980 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.555866003 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.555870056 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.555931091 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.556859016 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.556921959 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.556942940 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.556977034 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.557148933 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.557167053 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.557188988 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.557205915 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.557224035 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.557271957 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.557277918 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.557332993 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.557368994 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.557401896 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.557429075 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.778862953 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.784554958 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.799928904 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.800076962 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.800127029 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.800149918 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.800179958 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.800195932 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.800223112 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.800239086 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.800263882 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.801454067 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.809890985 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.809966087 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.810008049 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.810019970 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.810075045 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.810081005 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.810098886 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.810127974 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.810151100 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.810205936 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.812493086 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.812619925 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.812623024 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.812655926 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.812679052 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.812733889 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.812756062 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.812767029 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.812796116 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.812822104 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.812827110 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.812851906 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.812856913 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.812881947 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.812901020 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.812903881 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.813051939 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.813081980 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.813112020 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.813138962 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.813141108 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.813277006 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.813288927 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.814090014 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.814215899 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.814250946 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.814363956 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.815965891 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.816004038 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.816076994 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.816123962 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.818025112 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.818053961 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.818100929 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.818128109 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.818188906 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.818214893 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.818244934 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.818295956 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:50.818330050 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.818419933 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:50.984381914 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:51.043328047 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.043365955 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.043490887 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:51.044086933 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.044142008 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.044187069 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.044218063 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.044217110 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:51.044246912 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:51.044308901 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:51.046919107 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.046984911 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.047064066 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:51.048537016 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.048590899 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.048655033 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:51.050060034 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.050121069 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.050208092 CET497694488192.168.2.4194.5.98.202
                                                                      Feb 24, 2021 09:26:51.051228046 CET448849769194.5.98.202192.168.2.4
                                                                      Feb 24, 2021 09:26:51.051342010 CET448849769194.5.98.202192.168.2.4
Feb 24, 2021 09:26:51.051404953 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.051436901 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.052207947 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.052243948 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.052283049 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.052288055 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.052299976 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.052352905 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.054219007 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.054325104 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.054357052 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.054383993 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.054400921 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.054404974 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.054450035 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.056287050 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.056320906 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.056410074 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.056920052 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.057071924 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.057128906 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.057187080 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.057274103 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.057328939 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.057965994 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.058037996 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.058095932 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.059360027 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.059395075 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.059457064 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.060118914 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.060153961 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.060209036 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.062114000 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.062155008 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.062194109 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.062227964 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:51.062402010 CET  4488         49769      194.5.98.202  192.168.2.4
Feb 24, 2021 09:26:51.067311049 CET  49769        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:55.000211954 CET  49770        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:26:58.014576912 CET  49770        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:27:04.093281984 CET  49770        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:27:17.808957100 CET  49771        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:27:20.891541004 CET  49771        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:27:26.892064095 CET  49771        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:27:42.912355900 CET  49772        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:27:46.003035069 CET  49772        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:27:52.003530025 CET  49772        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:28:08.382661104 CET  49773        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:28:11.397291899 CET  49773        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:28:17.396344900 CET  49773        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:28:33.445811033 CET  49774        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:28:36.507263899 CET  49774        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:28:42.507808924 CET  49774        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:28:56.185740948 CET  49775        4488       192.168.2.4   194.5.98.202
Feb 24, 2021 09:28:59.290426970 CET  49775        4488       192.168.2.4   194.5.98.202

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Feb 24, 2021 09:24:01.168829918 CET  49714        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:01.217495918 CET  53           49714      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:01.496834040 CET  58028        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:01.545589924 CET  53           58028      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:02.737222910 CET  53097        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:02.789077044 CET  53           53097      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:03.904197931 CET  49257        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:03.954843998 CET  53           49257      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:04.748075962 CET  62389        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:04.799927950 CET  53           62389      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:06.179506063 CET  49910        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:06.228266954 CET  53           49910      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:07.560776949 CET  55854        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:07.622188091 CET  53           55854      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:08.894939899 CET  64549        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:08.949863911 CET  53           64549      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:11.116444111 CET  63153        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:11.166915894 CET  53           63153      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:17.570039988 CET  52991        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:17.618900061 CET  53           52991      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:28.313499928 CET  53700        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:28.365087986 CET  53           53700      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:29.132186890 CET  51726        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:29.184046984 CET  53           51726      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:30.045975924 CET  56794        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:30.095005989 CET  53           56794      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:30.917124033 CET  56534        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:30.967005968 CET  53           56534      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:32.215751886 CET  56627        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:32.267752886 CET  53           56627      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:32.378673077 CET  56621        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:32.427474976 CET  53           56621      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:33.902875900 CET  63116        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:33.951662064 CET  53           63116      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:35.413022995 CET  64078        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:35.465909004 CET  53           64078      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:41.079289913 CET  64801        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:41.127976894 CET  53           64801      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:42.642734051 CET  61721        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:42.692765951 CET  53           61721      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:46.903964043 CET  51255        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:46.955904961 CET  53           51255      8.8.8.8       192.168.2.4
Feb 24, 2021 09:24:59.856170893 CET  61522        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:24:59.931910038 CET  53           61522      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:00.631495953 CET  52337        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:00.732729912 CET  53           52337      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:01.512803078 CET  55046        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:01.581609964 CET  53           55046      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:02.044190884 CET  49612        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:02.101701021 CET  53           49612      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:02.605772972 CET  49285        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:02.663177967 CET  53           49285      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:03.188625097 CET  50601        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:03.251790047 CET  53           50601      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:03.889224052 CET  60875        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:03.937957048 CET  53           60875      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:04.678129911 CET  56448        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:04.744019032 CET  53           56448      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:05.883210897 CET  59172        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:05.946980000 CET  53           59172      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:06.425657034 CET  62420        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:06.499449968 CET  53           62420      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:06.626337051 CET  60579        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:06.692455053 CET  53           60579      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:14.779095888 CET  50183        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:14.838089943 CET  53           50183      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:42.622454882 CET  61531        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:42.673011065 CET  53           61531      8.8.8.8       192.168.2.4
Feb 24, 2021 09:25:46.251863003 CET  49228        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:25:46.320204020 CET  53           49228      8.8.8.8       192.168.2.4
Feb 24, 2021 09:26:25.442338943 CET  59794        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:26:25.502111912 CET  53           59794      8.8.8.8       192.168.2.4
Feb 24, 2021 09:26:26.115159035 CET  55916        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:26:26.206942081 CET  53           55916      8.8.8.8       192.168.2.4
Feb 24, 2021 09:28:59.089103937 CET  52752        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:28:59.142637968 CET  53           52752      8.8.8.8       192.168.2.4
Feb 24, 2021 09:29:00.463768959 CET  60542        53         192.168.2.4   8.8.8.8
Feb 24, 2021 09:29:00.531222105 CET  53           60542      8.8.8.8       192.168.2.4

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class
Feb 24, 2021 09:26:25.442338943 CET  192.168.2.4  8.8.8.8  0x20d9    Standard query (0)  onedrive.live.com         A (IP address)  IN (0x0001)
Feb 24, 2021 09:26:26.115159035 CET  192.168.2.4  8.8.8.8  0x936     Standard query (0)  ibkebw.dm.files.1drv.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                                 Address  Type                    Class
Feb 24, 2021 09:26:25.502111912 CET  8.8.8.8    192.168.2.4  0x20d9    No error (0)  onedrive.live.com         odc-web-geo.onedrive.akadns.net       -        CNAME (Canonical name)  IN (0x0001)
Feb 24, 2021 09:26:26.206942081 CET  8.8.8.8    192.168.2.4  0x936     No error (0)  ibkebw.dm.files.1drv.com  dm-files.fe.1drv.com                  -        CNAME (Canonical name)  IN (0x0001)
Feb 24, 2021 09:26:26.206942081 CET  8.8.8.8    192.168.2.4  0x936     No error (0)  dm-files.fe.1drv.com      odc-dm-files-geo.onedrive.akadns.net  -        CNAME (Canonical name)  IN (0x0001)
Feb 24, 2021 09:28:59.142637968 CET  8.8.8.8    192.168.2.4  0xf14e    No error (0)  prda.aadg.msidentity.com  www.tm.a.prd.aadg.trafficmanager.net  -        CNAME (Canonical name)  IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 09:24:09
Start date: 24/02/2021
Path: C:\Users\user\Desktop\V33QokMrIv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\V33QokMrIv.exe'
Imagebase: 0x400000
File size: 131072 bytes
MD5 hash: E18DBE57194DD717D54A907BA8E6D3E1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: low

General

Start time: 09:24:47
Start date: 24/02/2021
Path: C:\Windows\System32\taskhostw.exe
Wow64 process (32bit): false
Commandline: taskhostw.exe None
Imagebase: 0x7ff73c340000
File size: 87904 bytes
MD5 hash: CE95E236FC9FE2D6F16C926C75B18BAF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:26:10
Start date: 24/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\V33QokMrIv.exe'
Imagebase: 0xc00000
File size: 53248 bytes
MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.1253583807.000000001EDB3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 09:26:11
Start date: 24/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:26:27
Start date: 24/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7CFF.tmp'
Imagebase: 0x920000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:26:27
Start date: 24/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:26:28
Start date: 24/02/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp801C.tmp'
Imagebase: 0x920000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:26:28
Start date: 24/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:26:29
Start date: 24/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0
Imagebase: 0x150000
File size: 53248 bytes
MD5 hash: 529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

General

Start time: 09:26:30
Start date: 24/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                      General

                                                                      Start time:09:26:30
                                                                      Start date:24/02/2021
                                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                      Imagebase:0x740000
                                                                      File size:53248 bytes
                                                                      MD5 hash:529695608EAFBED00ACA9E61EF333A7C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Antivirus matches:
                                                                      • Detection: 0%, Metadefender
                                                                      • Detection: 0%, ReversingLabs
                                                                      Reputation:high

                                                                      General

                                                                      Start time:09:26:30
                                                                      Start date:24/02/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:09:26:33
                                                                      Start date:24/02/2021
                                                                      Path:C:\Users\user\subfolder1\filename1.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\subfolder1\filename1.exe'
                                                                      Imagebase:0x400000
                                                                      File size:131072 bytes
                                                                      MD5 hash:E18DBE57194DD717D54A907BA8E6D3E1
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Visual Basic
                                                                      Antivirus matches:
                                                                      • Detection: 9%, ReversingLabs
                                                                      Reputation:low

                                                                      General

                                                                      Start time:09:26:41
                                                                      Start date:24/02/2021
                                                                      Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                      Imagebase:0x1f0000
                                                                      File size:53248 bytes
                                                                      MD5 hash:529695608EAFBED00ACA9E61EF333A7C
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Reputation:high

                                                                      General

                                                                      Start time:09:26:42
                                                                      Start date:24/02/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language

                                                                      General

                                                                      Start time:09:26:50
                                                                      Start date:24/02/2021
                                                                      Path:C:\Users\user\subfolder1\filename1.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\subfolder1\filename1.exe'
                                                                      Imagebase:0x400000
                                                                      File size:131072 bytes
                                                                      MD5 hash:E18DBE57194DD717D54A907BA8E6D3E1
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Visual Basic
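Two things in the process list above deserve an explicit check in any triage. dhcpmon.exe under C:\Program Files (x86)\DHCP Monitor has the same file size (53248 bytes) and the same MD5 (529695608EAFBED00ACA9E61EF333A7C) as the RegAsm.exe entry above it, so it is a byte-identical copy of the .NET framework binary installed outside the Windows directory, and filename1.exe under the user profile carries the submitted sample's own MD5 (E18DBE57194DD717D54A907BA8E6D3E1). The Python below is an added example, not part of this report or of any Joe Sandbox tooling: it parses "General" blocks in the key:value layout used above (the excerpt is constructed from the entries on this page) and flags both conditions. SAMPLE_MD5 is taken from the report header, and the Windows root list is an assumption to adjust per analysis image.

```python
import re
from collections import defaultdict

# Constructed excerpt: four of the "General" process blocks above, reduced to the
# fields this check needs. Paths, sizes and MD5s are the report's own values.
REPORT_EXCERPT = """
General
Start time:09:26:30
Path:C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe
Commandline:C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe 0
File size:53248 bytes
MD5 hash:529695608EAFBED00ACA9E61EF333A7C

General
Start time:09:26:30
Path:C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe
Commandline:'C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe' 0
File size:53248 bytes
MD5 hash:529695608EAFBED00ACA9E61EF333A7C

General
Start time:09:26:33
Path:C:\\Users\\user\\subfolder1\\filename1.exe
Commandline:'C:\\Users\\user\\subfolder1\\filename1.exe'
File size:131072 bytes
MD5 hash:E18DBE57194DD717D54A907BA8E6D3E1

General
Start time:09:26:30
Path:C:\\Windows\\System32\\conhost.exe
Commandline:C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
"""

# MD5 of the submitted sample (V33QokMrIv.exe), from the report header.
SAMPLE_MD5 = "E18DBE57194DD717D54A907BA8E6D3E1"
# Assumption: the Windows installation lives under C:\Windows; adjust per image.
SYSTEM_ROOTS = ("c:\\windows\\",)


def parse_processes(text):
    """Return one dict per 'General' block, keyed by the report's field names."""
    procs = []
    for block in re.split(r"^\s*General\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)  # first colon only: paths contain "C:"
                fields[key.strip()] = value.strip()
        if "Path" in fields and "MD5 hash" in fields:
            fields["MD5 hash"] = fields["MD5 hash"].upper()
            procs.append(fields)
    return procs


def is_system_path(path):
    return path.lower().startswith(SYSTEM_ROOTS)


def find_findings(procs):
    """Two checks over the process list:
    sample_copy: a process carrying the submitted sample's MD5 (dropped copies);
    relocated_system_binary: one MD5 running both from under the Windows directory
    and from elsewhere, i.e. a byte-identical copy of a system binary installed
    outside %WINDIR% (dhcpmon.exe vs RegAsm.exe in this report).
    """
    findings = []
    paths_by_md5 = defaultdict(set)
    for proc in procs:
        paths_by_md5[proc["MD5 hash"]].add(proc["Path"])
        if proc["MD5 hash"] == SAMPLE_MD5:
            findings.append(("sample_copy", proc["Path"]))
    for paths in paths_by_md5.values():
        system = {p for p in paths if is_system_path(p)}
        elsewhere = paths - system
        if system and elsewhere:
            findings.extend(("relocated_system_binary", p) for p in sorted(elsewhere))
    return sorted(findings)


if __name__ == "__main__":
    for kind, path in find_findings(parse_processes(REPORT_EXCERPT)):
        print(f"{kind}: {path}")
```

The hash grouping is the part worth keeping: a process whose image hash equals a Microsoft binary's but whose path is not under the Windows directory is a strong persistence indicator regardless of what the file is named, and it needs no signature for the RAT itself.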

                                                                      Disassembly

                                                                      Code Analysis


                                                                        Executed Functions

                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InitializeThunk
                                                                        • String ID: W
                                                                        • API String ID: 2994545307-655174618
                                                                        • Opcode ID: 55b75d3a5dd4238e700f0823ef8f9449d8da6cc5c009fd3033b04828e5486ace
                                                                        • Instruction ID: 94d6df4743f49e8e4178f08238ce593bae59322e8630449d07b05578faa5e4a3
                                                                        • Opcode Fuzzy Hash: 55b75d3a5dd4238e700f0823ef8f9449d8da6cc5c009fd3033b04828e5486ace
                                                                        • Instruction Fuzzy Hash: 95B092B23800196AF26232A59C04F9F110557D0352FA8C019E5805F2CACA4A8AA6BBE1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • TerminateThread.KERNEL32(000000FE,00000000), ref: 010029E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: TerminateThread
                                                                        • String ID:
                                                                        • API String ID: 1852365436-0
                                                                        • Opcode ID: 0f5f04b3dd1b15ec6f64da6b6ac67ddb7f29678de2c39e60a5ba81c43106437d
                                                                        • Instruction ID: 89b5647d8f103f27a42266b8163b6c49e3c3d02d714f487bcd36379189316146
                                                                        • Opcode Fuzzy Hash: 0f5f04b3dd1b15ec6f64da6b6ac67ddb7f29678de2c39e60a5ba81c43106437d
                                                                        • Instruction Fuzzy Hash: A711E670608200DFF7234E54CAC8BAD3754AF06265FA14252EFD3D71E2D2A5D880C52B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • TerminateThread.KERNEL32(000000FE,00000000), ref: 010029E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: TerminateThread
                                                                        • String ID:
                                                                        • API String ID: 1852365436-0
                                                                        • Opcode ID: 534b21776b3fc2da3e839c50a1799d91372aa08fc020f44e477e23c2b3027214
                                                                        • Instruction ID: 8c65b27bf7ba02134caaf086bde1b618e7d2856dfb97edaadabd75bd524a5124
                                                                        • Opcode Fuzzy Hash: 534b21776b3fc2da3e839c50a1799d91372aa08fc020f44e477e23c2b3027214
                                                                        • Instruction Fuzzy Hash: 0811E370608200EFF7235E548EC8BAD3754AF46265FA14252EFD3DB1E2C2A5D880C52A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 258132f70d681c52c41b6307698135a57d034b2b4a1bc7f10d2a1a04b7109ef6
                                                                        • Instruction ID: 903f6640a27f477378d628166cbd00b64490340ff7aaafabbca0d22363d6e1ed
                                                                        • Opcode Fuzzy Hash: 258132f70d681c52c41b6307698135a57d034b2b4a1bc7f10d2a1a04b7109ef6
                                                                        • Instruction Fuzzy Hash: 18116D54508A0DEDFF736B684E80FFD26979B12260F904BA6F5C34B1C2E6A5A0C48D53
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,01006BDF,00000040,01002E11,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0100726C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MemoryProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 2706961497-0
                                                                        • Opcode ID: b71af442d717bf8d03caa333762c76f593c52a6324ec2da8bceffc29d87497bf
                                                                        • Instruction ID: fd126960cb4ec939afdd3abafd88b747bc18ab5dc7d12d1d84964a649d9c75d1
                                                                        • Opcode Fuzzy Hash: b71af442d717bf8d03caa333762c76f593c52a6324ec2da8bceffc29d87497bf
                                                                        • Instruction Fuzzy Hash: B0C012E01141003E78058928CD48D2B726A87D562CF10C31DBC72723CCC530EC054131
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • InternetOpenA.WININET(01004D33,00000000,00000000,00000000,00000000), ref: 0100459F
                                                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 010046A3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID:
                                                                        • API String ID: 2038078732-0
                                                                        • Opcode ID: 16f183e9c2aef597fb55758d03156a27a6461a080e366e667ab444f98343e8b7
                                                                        • Instruction ID: b7afa85b781816c8539ad84ba15a870f1f7f33b7816c85b03502c537f11d5e9c
                                                                        • Opcode Fuzzy Hash: 16f183e9c2aef597fb55758d03156a27a6461a080e366e667ab444f98343e8b7
                                                                        • Instruction Fuzzy Hash: 7941BF30644286EAFF324E20CC50BFE3695AF45740F448426EFCADA4C0E7759A849B1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • InternetOpenA.WININET(01004D33,00000000,00000000,00000000,00000000), ref: 0100459F
                                                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 010046A3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID:
                                                                        • API String ID: 2038078732-0
                                                                        • Opcode ID: 723931949787faa97263ca749579fdabe57bdf4fb6aedbf18e77ea08ae303090
                                                                        • Instruction ID: 9c0155bebf0a76dad0de232a925bd5bac73a33cd7e14667197607f213f4a1ed7
                                                                        • Opcode Fuzzy Hash: 723931949787faa97263ca749579fdabe57bdf4fb6aedbf18e77ea08ae303090
                                                                        • Instruction Fuzzy Hash: 6731C030744386EBFF368E14CD50BFE3695AF45740F448026AFCADA5C0E77199849B1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 294fb004bacf557c3833fee35646862a159b9cff60a70e76a94794e6e1d99124
                                                                        • Instruction ID: 451ee5a50877a1af8f83a13ec839ccebaf4d57005896c124adf4d43d04fd85c3
                                                                        • Opcode Fuzzy Hash: 294fb004bacf557c3833fee35646862a159b9cff60a70e76a94794e6e1d99124
                                                                        • Instruction Fuzzy Hash: D471056140C3CAAFFB23AA744D59ABD7F61AE13210F18868FE5C68E0D3D72585458B53
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • TerminateThread.KERNEL32(000000FE,00000000), ref: 010029E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: TerminateThread
                                                                        • String ID:
                                                                        • API String ID: 1852365436-0
                                                                        • Opcode ID: a9813cb88095bb2b565ce13de9b845106bba52ebf1b16ae0256f8c44b2d9fddf
                                                                        • Instruction ID: 16a4f228ce6f5352e574e0c898cf9dd652a01e64bd987a0089ea861b9cdcd6b7
                                                                        • Opcode Fuzzy Hash: a9813cb88095bb2b565ce13de9b845106bba52ebf1b16ae0256f8c44b2d9fddf
                                                                        • Instruction Fuzzy Hash: DC11D370608300DFF7234E54CAD8BAD3754AF06265FA54292EFD3D71E2D2A5D880C62B
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: b349ebb71ac9d04783fbb6446f7026513bb4255d07de61c16be662590c1772d9
                                                                        • Instruction ID: 8030bc7e87754fe67de7fb8f57a48bc2f385149e6dbc66f9897b73722c85e1f4
                                                                        • Opcode Fuzzy Hash: b349ebb71ac9d04783fbb6446f7026513bb4255d07de61c16be662590c1772d9
                                                                        • Instruction Fuzzy Hash: BA31C32065860ACEFF675928C5187BC36D2EB46364F9883AAC9CB860D1D36DB5C1C743
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: 9b605865b92132ba779134ee1b3dce2d001d1a5c656de862e78e9a696a40f9ba
                                                                        • Instruction ID: 1013a7283c4b414f45cc465ffd87c0400bcf641ea5a5923e9bc40392716d8f95
                                                                        • Opcode Fuzzy Hash: 9b605865b92132ba779134ee1b3dce2d001d1a5c656de862e78e9a696a40f9ba
                                                                        • Instruction Fuzzy Hash: CE31722065960ACEFF675A28C4187BC36A2EB46364F9843A6C9CB871D1D36DB5C1C743
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: 096d3ffc9bd9adf51a2c2fc2edb8490f43411aa5977b545635092a84cd558c71
                                                                        • Instruction ID: fcd053d656a45239906b758be03d4828682c33dd70e66961184ed31d90c2cf81
                                                                        • Opcode Fuzzy Hash: 096d3ffc9bd9adf51a2c2fc2edb8490f43411aa5977b545635092a84cd558c71
                                                                        • Instruction Fuzzy Hash: A6318120658605CEFF675A28C8187BC36A2EB46364F9883A6C9CB870D1D36CB5C0C743
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DB5AAB1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Open
                                                                        • String ID:
                                                                        • API String ID: 71445658-0
                                                                        • Opcode ID: ac684d10a17b9fb8b01ac92cc5d215e34320c5522627a1fb7e58e0194ec3b497
                                                                        • Instruction ID: 38cef31caef0249c084f619d94e3af09a4c06394334c18f61199bdeb9b411b6f
                                                                        • Opcode Fuzzy Hash: ac684d10a17b9fb8b01ac92cc5d215e34320c5522627a1fb7e58e0194ec3b497
                                                                        • Instruction Fuzzy Hash: D931E5B25047846FE7228F25CC85FA7BFECEF05310F0884AAED819B152D264E909CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegQueryValueExW.KERNEL32(?,00000EB4,104552DE,00000000,00000000,00000000,00000000), ref: 1DB5ABB4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: bed63b480db613f7381bc556f4d8ffd60caffeed96ae270894e630ccf21a0876
                                                                        • Instruction ID: 5d37784d5db075933e39fd97da5a592aa5e6a516c1826e40aea4d8fdc8d26ebd
                                                                        • Opcode Fuzzy Hash: bed63b480db613f7381bc556f4d8ffd60caffeed96ae270894e630ccf21a0876
                                                                        • Instruction Fuzzy Hash: 083181711093846FDB22CF25DC84FA3BFA8EF06310F08849AE9859B153D264E548CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 010046A3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID:
                                                                        • API String ID: 2038078732-0
                                                                        • Opcode ID: 946964a55480d625cb3f6db76cd400b91cf4d1652fbc38626edf31711986ab66
                                                                        • Instruction ID: 0f1e07d158ae954d8f31039350257d833f4a4bf1baa59e16523a11cccadd4c46
                                                                        • Opcode Fuzzy Hash: 946964a55480d625cb3f6db76cd400b91cf4d1652fbc38626edf31711986ab66
                                                                        • Instruction Fuzzy Hash: B831D030244286EFFF368E14CD90BFE3695AF45340F44802AAFCADA5C0E7719984DB1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetConsoleCtrlHandler.KERNEL32(?,00000EB4,?,?), ref: 1DB5AFEA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ConsoleCtrlHandler
                                                                        • String ID:
                                                                        • API String ID: 1513847179-0
                                                                        • Opcode ID: 8d1336d57d38aa3578f95d343079f823072f9ab7674955fa4a67b078ad3dfa68
                                                                        • Instruction ID: 2b2d14e69d6a09e1c2ba5a5ce1da9a0805f74341f6fc29ef32f7cd0b3f430718
                                                                        • Opcode Fuzzy Hash: 8d1336d57d38aa3578f95d343079f823072f9ab7674955fa4a67b078ad3dfa68
                                                                        • Instruction Fuzzy Hash: E631827540E7C06FD3138B258C55B62BFB4EF47610F0A41DBE884CB5A3D228A919C7B2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 010046A3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID:
                                                                        • API String ID: 2038078732-0
                                                                        • Opcode ID: 6c98597b2dd4f4cebd6cec77007a9848ae0a3f9bd4982706ba30e50687fbb524
                                                                        • Instruction ID: e20b6dae51e5676d018426bd2116ebc17eecae293f0b200f5de8284b578b8bdc
                                                                        • Opcode Fuzzy Hash: 6c98597b2dd4f4cebd6cec77007a9848ae0a3f9bd4982706ba30e50687fbb524
                                                                        • Instruction Fuzzy Hash: 6031BF70244286EFFF368E10CD50BFE3695AF45740F44842AAFCADA5C0E3759984DB1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: cff30c42c5c62e665ae4b33ac52fbd341a02fe7b22c13498a95eb90f21b083ea
                                                                        • Instruction ID: bfde000a3ef662eef553f416dbf769b7cb89d7ebc0f86ac717ecdd220e256cae
                                                                        • Opcode Fuzzy Hash: cff30c42c5c62e665ae4b33ac52fbd341a02fe7b22c13498a95eb90f21b083ea
                                                                        • Instruction Fuzzy Hash: 1E21A320659649CDFF675A28C4187B836A2EB06324F9893AAC9CB870D1D37DB5C0C743
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: 1caa8c46fe9c6902e99cebe0848b6e085a5bcfe30586354721b83f000e1d5694
                                                                        • Instruction ID: cd28da3989a5ebd4e23a43324e76308d5d7f3ed51bac2d896cef0e8bdf167d51
                                                                        • Opcode Fuzzy Hash: 1caa8c46fe9c6902e99cebe0848b6e085a5bcfe30586354721b83f000e1d5694
                                                                        • Instruction Fuzzy Hash: B9218120659649CDFF675A28C4187B836A2EB06364F9893AAC9DF870E1D37DB5C0C743
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 010046A3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID:
                                                                        • API String ID: 2038078732-0
                                                                        • Opcode ID: e604fc7a0b96650ccc46b339e71c1b34910a57519c122e6871af723645626e02
                                                                        • Instruction ID: fba076a61a3150d5e1457d533c5e40d2d0e6e550cd1533a20c8732873be9ec3d
                                                                        • Opcode Fuzzy Hash: e604fc7a0b96650ccc46b339e71c1b34910a57519c122e6871af723645626e02
                                                                        • Instruction Fuzzy Hash: BA21BD30244286EFFF368E14CD90BFE3695AF45740F44802AEFCADA5C0E37599849B1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: f0bbf1de223bf7015cd20a689f72b12d08ee5b47c6ecec98739f3daef4a89638
                                                                        • Instruction ID: 8f4d016c0c832eca683b09fd1fe3aeee64fe2d48619421a82a8a267f1a2b40c8
                                                                        • Opcode Fuzzy Hash: f0bbf1de223bf7015cd20a689f72b12d08ee5b47c6ecec98739f3daef4a89638
                                                                        • Instruction Fuzzy Hash: 69218620659649CDFF675A28C4187B83692EB06324F9893A6C5DF860D1D37DA5C0C743
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 744e04809bf64444c73a84c2f4d4e918b55c751c08c93e0ad6b3b3c079802b77
                                                                        • Instruction ID: 6027fa0da13155ad84c890664f120ea9d813b26dfd6e296c8909bf18e12480da
                                                                        • Opcode Fuzzy Hash: 744e04809bf64444c73a84c2f4d4e918b55c751c08c93e0ad6b3b3c079802b77
                                                                        • Instruction Fuzzy Hash: BE114E5454C64DADFB3336A41E41FFE19878B52270F90467BFAC39A0C2DA5290C58D57
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 010046A3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID:
                                                                        • API String ID: 2038078732-0
                                                                        • Opcode ID: e91759ae0d76c42c941a76d928324a190889f9cd18fa3cb1c34ae582e040e4ce
                                                                        • Instruction ID: 9385350e2dbe5886f36fe79acc20975bd6f14fa3337cc03e7c5a1e9d6bc0d07d
                                                                        • Opcode Fuzzy Hash: e91759ae0d76c42c941a76d928324a190889f9cd18fa3cb1c34ae582e040e4ce
                                                                        • Instruction Fuzzy Hash: D121B030244286EBFF368D14CD54BFE3696AF41740F44812AAFCADA5C0E7719984DB1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DB5AAB1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: Open
                                                                        • String ID:
                                                                        • API String ID: 71445658-0
                                                                        • Opcode ID: 7aa6b82df4e34a8fac9c6c1d226620c5a7018998a5dd731db9723e1941afc9e3
                                                                        • Instruction ID: 1fb7c0404918e08351abfc2bc32ec5f12d062968abda0550be2dd07b04f35e3e
                                                                        • Opcode Fuzzy Hash: 7aa6b82df4e34a8fac9c6c1d226620c5a7018998a5dd731db9723e1941afc9e3
                                                                        • Instruction Fuzzy Hash: 44219FB2500704AFE7218F55CD84FABFBECEF08720F04845AED459B645E675E909CAB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • RegQueryValueExW.KERNEL32(?,00000EB4,104552DE,00000000,00000000,00000000,00000000), ref: 1DB5ABB4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: QueryValue
                                                                        • String ID:
                                                                        • API String ID: 3660427363-0
                                                                        • Opcode ID: 7fa9af82df989d25bd8f9552d4be520b01672ced28b2d1a39bf38a748f9fbee7
                                                                        • Instruction ID: f95da2382fc26c98b1c68c8b25ad1b65cb5f79b057a43976cbd8dfdef2ce9f80
                                                                        • Opcode Fuzzy Hash: 7fa9af82df989d25bd8f9552d4be520b01672ced28b2d1a39bf38a748f9fbee7
                                                                        • Instruction Fuzzy Hash: B2214DB5600304AFEB21CE15DC84F67FBE8EF08720F04856AE9469B656D774F508CAB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 010046A3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID:
                                                                        • API String ID: 2038078732-0
                                                                        • Opcode ID: 5f970bd9535a78d57c5b73916e928ff1061a82b7858d80a55e5ed7967bc3c278
                                                                        • Instruction ID: 1a4af9937cfa7a41ed66f2dc05560f2b2985e53566c6836830c5641f860197cf
                                                                        • Opcode Fuzzy Hash: 5f970bd9535a78d57c5b73916e928ff1061a82b7858d80a55e5ed7967bc3c278
                                                                        • Instruction Fuzzy Hash: D821D230244287DBFB368D14DD50BFE3695BF41740F448125AFCADA1C0E3709984DB1A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • TerminateThread.KERNEL32(000000FE,00000000), ref: 010029E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: TerminateThread
                                                                        • String ID:
                                                                        • API String ID: 1852365436-0
                                                                        • Opcode ID: c998746cc2933873188db186732462183eedf9371d78981785f6747b6f77feff
                                                                        • Instruction ID: 29e7b959e5a4c99d94ffa0c842d4e7e9887c87bc78f37c844a723485c9d4c553
                                                                        • Opcode Fuzzy Hash: c998746cc2933873188db186732462183eedf9371d78981785f6747b6f77feff
                                                                        • Instruction Fuzzy Hash: 0711C270608200AFF7235E548EC9BAD3754AF46265F914251EFD3DB1E2C2A5D980C56A
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SendMessageW.USER32(?,?,?,?), ref: 1DB5B841
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        • Opcode ID: ebadcae3b9287a9eaed2d9814ed74a9d54b6b92a3f8e48bf056f6a3700c386f7
                                                                        • Instruction ID: 6f2b6669c319edc6d250feaa14dce157b0dc2b44119f5e8ee4645ed8b7febeec
                                                                        • Opcode Fuzzy Hash: ebadcae3b9287a9eaed2d9814ed74a9d54b6b92a3f8e48bf056f6a3700c386f7
                                                                        • Instruction Fuzzy Hash: 22218C724097C09FDB128B21DD50AA2BFB0EF17224F0D84DAEDC54F163D265A958DB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DB5A58A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 4e936656e5a5f24792182a6084c938871354deb31d50ff32f8bd68c413442b21
                                                                        • Instruction ID: 5dbe1a93b52b160fc6b10d249b334492ebcf25127a7d61062fe71181026274ca
                                                                        • Opcode Fuzzy Hash: 4e936656e5a5f24792182a6084c938871354deb31d50ff32f8bd68c413442b21
                                                                        • Instruction Fuzzy Hash: 15117271409384AFDB228F55DD44B62FFF4EF4A210F0884DAED858B552C375A418DB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 010046A3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID:
                                                                        • API String ID: 2038078732-0
                                                                        • Opcode ID: ade1354f42ff6be15963097727f48997cc5bfc8142eb5985464c9f9ef7f3fd58
                                                                        • Instruction ID: 6e92a498bdaf032fa04e5ab66fd0e1bd3d1a71018851942e0d85e5354a7cbe5a
                                                                        • Opcode Fuzzy Hash: ade1354f42ff6be15963097727f48997cc5bfc8142eb5985464c9f9ef7f3fd58
                                                                        • Instruction Fuzzy Hash: F5119D70244287DBFB368E14CC94BFE3695BB45240F44822AEE9ADA5C0E3309985DB19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: a3f15889045c1f6c0aaf3ca19f633e7ca907117a704ab6e01e5f002f2428caa7
                                                                        • Instruction ID: 0d974d767fa492d64bc2e3a476d5454cf37f1bb4f0dd8c429c25914b1c86609b
                                                                        • Opcode Fuzzy Hash: a3f15889045c1f6c0aaf3ca19f633e7ca907117a704ab6e01e5f002f2428caa7
                                                                        • Instruction Fuzzy Hash: 8D115120649609CDFF675928C5187B837A2EB02324F8893A6C9DF860E1D37DA5C4C747
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 7c8039812fbeff4d883681d2e970f21e3cb850560b56804032643eb1976f3cd2
                                                                        • Instruction ID: 7a9e1004ff62c212b18558aba19883b14134bc5d47b6e79321fc61a150c76f16
                                                                        • Opcode Fuzzy Hash: 7c8039812fbeff4d883681d2e970f21e3cb850560b56804032643eb1976f3cd2
                                                                        • Instruction Fuzzy Hash: 20017D4454890DECFB333BA41E80FFD19578B51260F90472BFAC35A0C1DA6550C44D63
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • PostMessageW.USER32(?,?,?,?), ref: 1DB5BBB9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        • Opcode ID: c41f3080e7c0800dc8f5fed631f777ae5df7a305110611a2721325e5b9301d4f
                                                                        • Instruction ID: 0dd6b87aa666a0d30a363c0aed04b128a403cfcafd60d695fd334c83b2f4393c
                                                                        • Opcode Fuzzy Hash: c41f3080e7c0800dc8f5fed631f777ae5df7a305110611a2721325e5b9301d4f
                                                                        • Instruction Fuzzy Hash: DB11BE754093C0AFDB128F25CC85B52FFB4EF06220F0884DEED858B563D275A858CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DispatchMessageW.USER32(?), ref: 1DB5BE70
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DispatchMessage
                                                                        • String ID:
                                                                        • API String ID: 2061451462-0
                                                                        • Opcode ID: 1f70ad912dc1560f7b592da9acc0cb0a5d6dd460e270ac7a926ab663fbccd4ba
                                                                        • Instruction ID: 98cd0f2b7301d33c894eb6db2d5737fde99f65d9538f30b7d8b0229f792ad1ba
                                                                        • Opcode Fuzzy Hash: 1f70ad912dc1560f7b592da9acc0cb0a5d6dd460e270ac7a926ab663fbccd4ba
                                                                        • Instruction Fuzzy Hash: 40118E754093C0AFD7138B259C84B62BFB4DF47624F0984DEED858F263D2796808CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: b1def9832f1762486e1c55932a2b0b53d79b9d42e8bef84c9eaa249f441d8ec2
                                                                        • Instruction ID: 820213bd2c3144170ac4b5936884480ab1433513288d21f2e782f37e797013ba
                                                                        • Opcode Fuzzy Hash: b1def9832f1762486e1c55932a2b0b53d79b9d42e8bef84c9eaa249f441d8ec2
                                                                        • Instruction Fuzzy Hash: 2F01285468864DEDFB333AA51E80FFD19979B51260F904B27BAC39A0C2DAA690C44D93
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 1DB5B78A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateFromIconResource
                                                                        • String ID:
                                                                        • API String ID: 3668623891-0
                                                                        • Opcode ID: cff1314461693a51a118bd54722a525d5e8e5b84515e4a526c81de389d51168d
                                                                        • Instruction ID: 1071f719122c0cd6b7ae0f97d1b71a8008ac9efdaeeb8202dc02e9434af2f09f
                                                                        • Opcode Fuzzy Hash: cff1314461693a51a118bd54722a525d5e8e5b84515e4a526c81de389d51168d
                                                                        • Instruction Fuzzy Hash: 30117271408384AFDB228F55DC84B52FFF4EF45310F09859EED898B562D375A458CB61
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(?,104552DE,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 1DB5BF0C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0
                                                                        • Opcode ID: c49ee28bc2b0127e39b355527efbf6552db3a438ede13b743e243ca442723a01
                                                                        • Instruction ID: 2994aa57d2426708df0984e780a75ab49d5c8a034735f5db07c1b995e2568efe
                                                                        • Opcode Fuzzy Hash: c49ee28bc2b0127e39b355527efbf6552db3a438ede13b743e243ca442723a01
                                                                        • Instruction Fuzzy Hash: 6F1191715053809FD711CF25DC85B52BFE8EF01220F0884AAED49CF256D274E848CF62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: d030e03fb4af729c82d09a33e7a732e1b9041bdecb795f32f793a8714fef93ee
                                                                        • Instruction ID: 78fbd6ff328523d6ae4aaff342bfa2dbe6f6a9c6b42b365308d570134d66a725
                                                                        • Opcode Fuzzy Hash: d030e03fb4af729c82d09a33e7a732e1b9041bdecb795f32f793a8714fef93ee
                                                                        • Instruction Fuzzy Hash: E9116520659609CDFF675A28C5187B837E2EB03324F8893A6C9DF860E1D37C65C4C746
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 010046A3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: InternetOpen
                                                                        • String ID:
                                                                        • API String ID: 2038078732-0
                                                                        • Opcode ID: 287c695c4ee0587412393a4aa3f28da29b2daafa9fad064b87c5a4b7777f64b2
                                                                        • Instruction ID: b61b7c2e0663fabd18dfb58be60dc17da69a9101847b0e98b7f31fa8d00af669
                                                                        • Opcode Fuzzy Hash: 287c695c4ee0587412393a4aa3f28da29b2daafa9fad064b87c5a4b7777f64b2
                                                                        • Instruction Fuzzy Hash: 5611AC30244287DBFB368E14CC94BFE36A5BB41240F44812AAF8ADA5C0E33099849B19
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: closesocket
                                                                        • String ID:
                                                                        • API String ID: 2781271927-0
                                                                        • Opcode ID: a766582799ed9985a939d63b48951b03feb3e84460163f2b2ca5d95fe5dc0c7a
                                                                        • Instruction ID: 8d8d7aa7b161e289abbeab34a3eeb4c63b0d0bfb87f44097bdbf4236ab5aab02
                                                                        • Opcode Fuzzy Hash: a766582799ed9985a939d63b48951b03feb3e84460163f2b2ca5d95fe5dc0c7a
                                                                        • Instruction Fuzzy Hash: D0119E71449384AFD712CF15DD84B52BFB4EF06224F0884EAED499F293D375A849CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: f46859e5f6d8aa40aa0a8b9eb9a011ac54dfcd1a375fedf9d446071be725a5b1
                                                                        • Instruction ID: 3a622c63a7d9d8f0e40db65ef93ed72d1cb6dc2b8d62d54276960e602d71a199
                                                                        • Opcode Fuzzy Hash: f46859e5f6d8aa40aa0a8b9eb9a011ac54dfcd1a375fedf9d446071be725a5b1
                                                                        • Instruction Fuzzy Hash: 2EF0F65858864DEDFA333A641D80FFD15939B21260F904B27B9C39E0C2DA6690C88D53
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetWindowLongW.USER32(?,?,?), ref: 1DB5A926
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: LongWindow
                                                                        • String ID:
                                                                        • API String ID: 1378638983-0
                                                                        • Opcode ID: 060e1aa033e038aab4321fba0b112240687037f6516afbbf8e5f4e258c337641
                                                                        • Instruction ID: da712456b367375d8dc3a6f3cfabd04524c5d6e22d1d84df3b1396c173bdd6af
                                                                        • Opcode Fuzzy Hash: 060e1aa033e038aab4321fba0b112240687037f6516afbbf8e5f4e258c337641
                                                                        • Instruction Fuzzy Hash: 5D1182714097849FD7218F15DD85B52FFB4EF06220F0984DAED854B262C375A819CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DeleteFileW.KERNEL32(?,104552DE,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 1DB5BF0C
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DeleteFile
                                                                        • String ID:
                                                                        • API String ID: 4033686569-0
                                                                        • Opcode ID: 2e7a070cc5677950ce6712912c3b13d94db4eaeab90b39dcc7992fc6a11662b6
                                                                        • Instruction ID: 773856115f23161d22dd7e82182561271aa036f16a61658af40fadf65439378a
                                                                        • Opcode Fuzzy Hash: 2e7a070cc5677950ce6712912c3b13d94db4eaeab90b39dcc7992fc6a11662b6
                                                                        • Instruction Fuzzy Hash: FD017175A003459FD751DF6AD8857A6FB94EF00620F08C4AADD4ACF64AD778E408CF62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        • Opcode ID: 15c09e9191a1538474835ec7933f570f22e305d6a07ea81fe471b085504e5259
                                                                        • Instruction ID: 0ffdce53bbf4b12c37aed06995e7d52e31b4f426f61ffb439f39e860da92b3f4
                                                                        • Opcode Fuzzy Hash: 15c09e9191a1538474835ec7933f570f22e305d6a07ea81fe471b085504e5259
                                                                        • Instruction Fuzzy Hash: 9BF0E25828864DFDFA333A646D90FFD2A539B51360F904B27FAC35E1C2D66690C88D43
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 1DB5B78A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: CreateFromIconResource
                                                                        • String ID:
                                                                        • API String ID: 3668623891-0
                                                                        • Opcode ID: f3a5a67750ff06a9eac1344000a10d591835c2d5396ea944b58be77c7ea74d13
                                                                        • Instruction ID: 44f8f7376c753c8f14de605465866e78e9f82c69c128cf2c9cda6b4f1a7f97ad
                                                                        • Opcode Fuzzy Hash: f3a5a67750ff06a9eac1344000a10d591835c2d5396ea944b58be77c7ea74d13
                                                                        • Instruction Fuzzy Hash: 4E0161714007419FDB218F55D944B56FBE0FF04720F08C4AEEE494A656D375E418DFA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1DB5A58A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: a2dbdbcd89a7814a283e66f124eded3bd19bd30fb3d5eb88f6db1b83efec7371
                                                                        • Instruction ID: 5059868c57c673f79763434032cc61afd8a37699116d44dfd7c5b6fb5324be9c
                                                                        • Opcode Fuzzy Hash: a2dbdbcd89a7814a283e66f124eded3bd19bd30fb3d5eb88f6db1b83efec7371
                                                                        • Instruction Fuzzy Hash: DD0161715007449FDB218F55D944B56FFE0EF08720F08C49ADE4A4A655D375E418CF62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        • Opcode ID: c2c9a33a5a6e7eb6d6307cf23d8fb1f0a16cbcb4dc1c718d6578c46d46766e31
                                                                        • Instruction ID: d5461bbe8724997bc4ae7b6a9f1186ba3213eb70317148d373db2c83a189feeb
                                                                        • Opcode Fuzzy Hash: c2c9a33a5a6e7eb6d6307cf23d8fb1f0a16cbcb4dc1c718d6578c46d46766e31
                                                                        • Instruction Fuzzy Hash: 46F0C210749246DCFB2B592889187BC37929B43264F9C8356CDCB860E0E32964C18242
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetConsoleCtrlHandler.KERNEL32(?,00000EB4,?,?), ref: 1DB5AFEA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ConsoleCtrlHandler
                                                                        • String ID:
                                                                        • API String ID: 1513847179-0
                                                                        • Opcode ID: e2363af9887e1fca4fa7835bf855b700368d7ff1a2b6e47799b99cc310b9aaee
                                                                        • Instruction ID: 477f66012d35e5583686020de022169459d4d39bb577c71b696179a136131669
                                                                        • Opcode Fuzzy Hash: e2363af9887e1fca4fa7835bf855b700368d7ff1a2b6e47799b99cc310b9aaee
                                                                        • Instruction Fuzzy Hash: 8101A271500600ABD314DF1ADC82B32FBA4FB89B20F148159ED084B741D335F916CBE5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • PostMessageW.USER32(?,?,?,?), ref: 1DB5BBB9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        • Opcode ID: 1891cca7689417b8561881800137e03d93c52bf3e200b36e17e3317543655bfb
                                                                        • Instruction ID: a4df25a03e4b68d1d1572132b12bbddd270de2e41a51f5dffff8a9bd8e645f76
                                                                        • Opcode Fuzzy Hash: 1891cca7689417b8561881800137e03d93c52bf3e200b36e17e3317543655bfb
                                                                        • Instruction Fuzzy Hash: BD01D4355003409FDB218F16DD84B66FBA0EF04320F08C09EDD4A8BA6AD375E418CFA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: closesocket
                                                                        • String ID:
                                                                        • API String ID: 2781271927-0
                                                                        • Opcode ID: 51c2a84820ec542ec76f7410919c4e97cacca65928f057cb4b0ba5c7db723acd
                                                                        • Instruction ID: 1f6bbd87a0e8ba0f2b2fc33cc13ccf70a63c7336d4004e383a0dde0ae8a62b3e
                                                                        • Opcode Fuzzy Hash: 51c2a84820ec542ec76f7410919c4e97cacca65928f057cb4b0ba5c7db723acd
                                                                        • Instruction Fuzzy Hash: B401AD749003459FD711CF1AD984752FBA4EF04624F08C4AADD499F646D378A408CAA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SendMessageW.USER32(?,?,?,?), ref: 1DB5B841
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: MessageSend
                                                                        • String ID:
                                                                        • API String ID: 3850602802-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetWindowLongW.USER32(?,?,?), ref: 1DB5A926
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: LongWindow
                                                                        • String ID:
                                                                        • API String ID: 1378638983-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • DispatchMessageW.USER32(?), ref: 1DB5BE70
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: DispatchMessage
                                                                        • String ID:
                                                                        • API String ID: 2061451462-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetErrorMode.KERNEL32(?,104552DE,00000000,?,?,?,?,?,?,?,?,72203C38), ref: 1DB5A3A4
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205571979.000000001DB5A000.00000040.00000001.sdmp, Offset: 1DB5A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetLongPathNameW.KERNEL32(?,?,00000200), ref: 01005614
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LongNamePath
                                                                        • String ID:
                                                                        • API String ID: 82841172-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateThread.KERNEL32(?,?,?,?,?,00000062), ref: 01007995
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateThread
                                                                        • String ID:
                                                                        • API String ID: 2422867632-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetLongPathNameW.KERNEL32(?,?,00000200), ref: 01005614
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LongNamePath
                                                                        • String ID:
                                                                        • API String ID: 82841172-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,0100407D,01004165), ref: 01004121
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(00000001,?,?,?,0100544A,?,?,?), ref: 01005C86
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoad
                                                                        • String ID:
                                                                        • API String ID: 1029625771-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,0100407D,01004165), ref: 01004121
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFile
                                                                        • String ID:
                                                                        • API String ID: 823142352-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetLongPathNameW.KERNEL32(?,?,00000200), ref: 01005614
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LongNamePath
                                                                        • String ID:
                                                                        • API String ID: 82841172-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205663202.000000001DB80000.00000040.00000040.sdmp, Offset: 1DB80000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205663202.000000001DB80000.00000040.00000040.sdmp, Offset: 1DB80000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205594179.000000001DB62000.00000040.00000001.sdmp, Offset: 1DB62000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205663202.000000001DB80000.00000040.00000040.sdmp, Offset: 1DB80000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205663202.000000001DB80000.00000040.00000040.sdmp, Offset: 1DB80000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205663202.000000001DB80000.00000040.00000040.sdmp, Offset: 1DB80000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205594179.000000001DB62000.00000040.00000001.sdmp, Offset: 1DB62000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205565353.000000001DB52000.00000040.00000001.sdmp, Offset: 1DB52000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1205565353.000000001DB52000.00000040.00000001.sdmp, Offset: 1DB52000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoadMemoryProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 3389902171-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoadMemoryProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 3389902171-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: LibraryLoadMemoryProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 3389902171-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MemoryProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 2706961497-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: MemoryProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 2706961497-0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1187103126.0000000001002000.00000040.00000001.sdmp, Offset: 01002000, based on PE: false
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Executed Functions

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: :@fq$:@fq$:@fq
                                                                        • API String ID: 0-3738185570
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: :@fq$:@fq$:@fq
                                                                        • API String ID: 0-3738185570
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SearchPathW.KERNELBASE(?,00000E90,?,?), ref: 0085A78E
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951691148.000000000085A000.00000040.00000001.sdmp, Offset: 0085A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: PathSearch
                                                                        • String ID:
                                                                        • API String ID: 2203818243-0
                                                                        • Opcode ID: 34bf39f7ddf13089eca68da014fbe4fbd16ffe506c8d55b1da17248c00c582e7
                                                                        • Instruction ID: a70546b29db76ea340a9fd72a8db013d1cd7746766db2b178b6b422c9afd44ec
                                                                        • Opcode Fuzzy Hash: 34bf39f7ddf13089eca68da014fbe4fbd16ffe506c8d55b1da17248c00c582e7
                                                                        • Instruction Fuzzy Hash: DD316FB25093C55FD7168B25CC51B62BFB4EF47614F0A81DBD8848F1A3D225A909C7A2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WriteFile.KERNELBASE(?,00000E90,62979C40,00000000,00000000,00000000,00000000), ref: 0085A53D
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951691148.000000000085A000.00000040.00000001.sdmp, Offset: 0085A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        • Opcode ID: 023820c76f1c8d5446087fb23388db80e8d5332e7f4cbd133f5918892d81cf6e
                                                                        • Instruction ID: 01a2b10aea5bc131909903e03c992c3b980e9ecf116c20c01504bb2718c42859
                                                                        • Opcode Fuzzy Hash: 023820c76f1c8d5446087fb23388db80e8d5332e7f4cbd133f5918892d81cf6e
                                                                        • Instruction Fuzzy Hash: 77218371409380AFEB228F65DC54F96BFB8EF46310F0885DBE9849F153D265A509C772
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SearchPathW.KERNELBASE(?,00000E90,?,?), ref: 0085A78E
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951691148.000000000085A000.00000040.00000001.sdmp, Offset: 0085A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: PathSearch
                                                                        • String ID:
                                                                        • API String ID: 2203818243-0
                                                                        • Opcode ID: 70dd3753a7a57f5db539866873dd2e701957d91581077d9b8ad8dbf21f18c302
                                                                        • Instruction ID: f28317ce96e7ea6af2df2e17d8cc737d9f521e80e722d20cf7786b5cbfd3060e
                                                                        • Opcode Fuzzy Hash: 70dd3753a7a57f5db539866873dd2e701957d91581077d9b8ad8dbf21f18c302
                                                                        • Instruction Fuzzy Hash: C511E271504340AFD321CF15DC41F62BFB8EF86A20F0885AAED488B642D231B915CBA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • WriteFile.KERNELBASE(?,00000E90,62979C40,00000000,00000000,00000000,00000000), ref: 0085A53D
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951691148.000000000085A000.00000040.00000001.sdmp, Offset: 0085A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID:
                                                                        • API String ID: 3934441357-0
                                                                        • Opcode ID: 4a29cfcb9c8c7e83e9b550c7dea613ba8ddf09f3726907e585dfd92cd0925022
                                                                        • Instruction ID: 12721973fbd4a2b0e23ede9bcb464b17fa949fa3165ed9a68a0605dd24ee802a
                                                                        • Opcode Fuzzy Hash: 4a29cfcb9c8c7e83e9b550c7dea613ba8ddf09f3726907e585dfd92cd0925022
                                                                        • Instruction Fuzzy Hash: 6411E371500304EFEB21CF95DC84F66FBA8EF44721F14856AED499B256D275E408CBB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetConsoleOutputCP.KERNELBASE ref: 0085A269
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951691148.000000000085A000.00000040.00000001.sdmp, Offset: 0085A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ConsoleOutput
                                                                        • String ID:
                                                                        • API String ID: 3985236979-0
                                                                        • Opcode ID: a4365386e1016a82fa1d158e5ac2790a2af1d4ef2062829e483a028b63f87922
                                                                        • Instruction ID: a15250a9c227fc3007e4465a48f32a27a6485a6833b33d97e4d137408ea610a6
                                                                        • Opcode Fuzzy Hash: a4365386e1016a82fa1d158e5ac2790a2af1d4ef2062829e483a028b63f87922
                                                                        • Instruction Fuzzy Hash: 6A21A97540E3C09FD7138B258C95682BFB0EF03220F0E80DBD8848F2A3C269A909C762
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(?), ref: 0085A5F4
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951691148.000000000085A000.00000040.00000001.sdmp, Offset: 0085A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: eb4e8b67ef1cee96602f8d57676cd2d2df39119c9436c11f7f99549a6b601e5f
                                                                        • Instruction ID: 59b5188a4f40ec77ed6f2976a2dc5bb1d32584c993a311435deb329ede5b5f08
                                                                        • Opcode Fuzzy Hash: eb4e8b67ef1cee96602f8d57676cd2d2df39119c9436c11f7f99549a6b601e5f
                                                                        • Instruction Fuzzy Hash: 79119D714093C09FE7228B25DC95B92BFF4EF56324F0D80DADD848F163D265A908CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SearchPathW.KERNELBASE(?,00000E90,?,?), ref: 0085A78E
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951691148.000000000085A000.00000040.00000001.sdmp, Offset: 0085A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: PathSearch
                                                                        • String ID:
                                                                        • API String ID: 2203818243-0
                                                                        • Opcode ID: e8c4af5a085c297428048c107a30eb97c610044c1dbcbcb37a33ecd8ad1a20cc
                                                                        • Instruction ID: 15f67bc80ae96deae3a3fc1ea324e227af3ff6b66a243031c177018e0ffd5e8f
                                                                        • Opcode Fuzzy Hash: e8c4af5a085c297428048c107a30eb97c610044c1dbcbcb37a33ecd8ad1a20cc
                                                                        • Instruction Fuzzy Hash: C501B171500600AFE714DF1ADC81B26FBA8FB88B20F14852AED088B641D231F915CAA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(?), ref: 0085A5F4
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951691148.000000000085A000.00000040.00000001.sdmp, Offset: 0085A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 941c31c52fa76571d0381523584ee50c20ee03e214115ddaacca2e85036983ca
                                                                        • Instruction ID: d9b9b1614911467c483aa8c64aaf68dcbadeb33becac08dac64574cfd6b70eea
                                                                        • Opcode Fuzzy Hash: 941c31c52fa76571d0381523584ee50c20ee03e214115ddaacca2e85036983ca
                                                                        • Instruction Fuzzy Hash: 6BF0AF345003449FEB20CF46D885761FFE0EF54726F0CC1AADD498B656E279E848CAA3
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        APIs
                                                                        • GetConsoleOutputCP.KERNELBASE ref: 0085A269
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951691148.000000000085A000.00000040.00000001.sdmp, Offset: 0085A000, based on PE: false
                                                                        Similarity
                                                                        • API ID: ConsoleOutput
                                                                        • String ID:
                                                                        • API String ID: 3985236979-0
                                                                        • Opcode ID: 4604f820813762b3eb6a699e3074af11bf19d123eecab61600b3359c925a1d73
                                                                        • Instruction ID: 8ac1a0a7c9962341b654ddfe2f82ce92cb7c32116e06e405297c6f1c458be423
                                                                        • Opcode Fuzzy Hash: 4604f820813762b3eb6a699e3074af11bf19d123eecab61600b3359c925a1d73
                                                                        • Instruction Fuzzy Hash: 00F0AF309043448FEB20CF06D885761FFA0EF40725F08C1AADD098F656D27AE848CAA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7db573fb755ccb7f8f082a2e1988bf324b17853e6957c46801413078116f6753
                                                                        • Instruction ID: d3638aa63ddbee3b94fecfeaf64b1a42073bc96b419f7ef3d7d00329f58065a7
                                                                        • Opcode Fuzzy Hash: 7db573fb755ccb7f8f082a2e1988bf324b17853e6957c46801413078116f6753
                                                                        • Instruction Fuzzy Hash: 4A124938700206DFC744EB28D499A2D77E3BB88349B95C568E905CB7AADF75EC01CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 154e5be8ad75da13afe7a3a56a6b12e5fa943a81b6294c1dc55b6d30434a6178
                                                                        • Instruction ID: 3b68429d79cc5d5da70499ecbbd84cbd2a346e7946e9bc48302d5b12a6d1ff06
                                                                        • Opcode Fuzzy Hash: 154e5be8ad75da13afe7a3a56a6b12e5fa943a81b6294c1dc55b6d30434a6178
                                                                        • Instruction Fuzzy Hash: FD214C307012158FCB49AB7CC018A6D3BE7AF86355B1485BDD406CB7A6DE3ADC89CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 45ac5231f0b73601d1ac765d11152578fb2c81478be7e734eeca94e8fd44b570
                                                                        • Instruction ID: f07ba96c75487618e25027709693194852174ee9b600fc6df1e749e2e705c7a3
                                                                        • Opcode Fuzzy Hash: 45ac5231f0b73601d1ac765d11152578fb2c81478be7e734eeca94e8fd44b570
                                                                        • Instruction Fuzzy Hash: 0611486550F3D19FC703C7305C615967FB5AE4311470A84DBD0C0CB0A3D669490AC763
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3e249c15b816a9ea9c2f8ecd274ea4d0bd3c89fa93f3ae51d78be950a4e94fc2
                                                                        • Instruction ID: f49de3cdcad2d3d3f162438c242e3e7c4e658aa75962114801ef39ffaf20694b
                                                                        • Opcode Fuzzy Hash: 3e249c15b816a9ea9c2f8ecd274ea4d0bd3c89fa93f3ae51d78be950a4e94fc2
                                                                        • Instruction Fuzzy Hash: 1701F930B002049FC705E7B8D81569DBBA9FF85314F20C0A6D508EB392CE749E06C7D6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951306654.0000000000580000.00000040.00000040.sdmp, Offset: 00580000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fd96897934838cb7f69c0dbadb9cfe3e7985d00374d91203b9ddd3fc24081cdf
                                                                        • Instruction ID: 9f37b8ecd3b12ca4e946e9590892fcce05d1fb32756510bb223e078eec659870
                                                                        • Opcode Fuzzy Hash: fd96897934838cb7f69c0dbadb9cfe3e7985d00374d91203b9ddd3fc24081cdf
                                                                        • Instruction Fuzzy Hash: 6B01D6725097806FD7128B069C40862FFF8EF86630748C09FEC498B612D125A908CB72
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 683df4779680f430822461dd4af10375107ddadf32c88c6cb65a9d5baae4efd5
                                                                        • Instruction ID: 758bcb464b09914b7962451709794d0dbc22608a3b6283a227fe71047ab1c705
                                                                        • Opcode Fuzzy Hash: 683df4779680f430822461dd4af10375107ddadf32c88c6cb65a9d5baae4efd5
                                                                        • Instruction Fuzzy Hash: 93F0C2727082101FD71952B9AC506AF7BEBEBC6314B21407ED40AD7392DD754C064392
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b787da7122a37968b67acbcb8c0355c79f9fdb863e2b6df9a50ccb7afcc9ad9d
                                                                        • Instruction ID: 8777c2cb886b2466526697b5b69883d4a857cf99dd23ffeb58b8fb7a94fb4e75
                                                                        • Opcode Fuzzy Hash: b787da7122a37968b67acbcb8c0355c79f9fdb863e2b6df9a50ccb7afcc9ad9d
                                                                        • Instruction Fuzzy Hash: 2AF0A7327042245BD71866BEAC1076F76DFEBC9724F10803DE50AD7391DD769C4542E5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0dad70c6a80cd89e35e1615450970090dc18ed104675796c847f137daa6f8476
                                                                        • Instruction ID: d28278ea1d009fe79458e7d7d302c25a5872e1877f3416761722b1dc714314f8
                                                                        • Opcode Fuzzy Hash: 0dad70c6a80cd89e35e1615450970090dc18ed104675796c847f137daa6f8476
                                                                        • Instruction Fuzzy Hash: DCF08C323001118F8B09AB3DD45882E37EBABCD26031944BAE407CB374DE30DC029B91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d70d90a17b91cd3eff2a51e657394af234a158ed729b966845ad627fdd138776
                                                                        • Instruction ID: 85e3d2006b5196fc5e316d71fc76505b4af94b9ef900f54da7c1ac9de0463705
                                                                        • Opcode Fuzzy Hash: d70d90a17b91cd3eff2a51e657394af234a158ed729b966845ad627fdd138776
                                                                        • Instruction Fuzzy Hash: ACF0A7726042549FCB049B6DA8849FBBBF9EBC9254B14457EE509C3251D5714C018791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b4c772e22dadb62a89724e36020b27b83e654931f16647156f7e2f7bc699b2e8
                                                                        • Instruction ID: a82bba28e5c4599be23e1bb93539137044ed3f1a5960d954629fb81b349939b7
                                                                        • Opcode Fuzzy Hash: b4c772e22dadb62a89724e36020b27b83e654931f16647156f7e2f7bc699b2e8
                                                                        • Instruction Fuzzy Hash: 94F0ED323042009FCB06673AA44897EBBEFABC9228B1954BAE507C7322CE30DC01C791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f7dca6b475d6eb2b4cffd341a54f151c62805abc19d8f1d68f80003399a3d9a5
                                                                        • Instruction ID: d078622ac24f673ab437900a9d9d84d237346ccacbd7b0ef2df6c456d6626133
                                                                        • Opcode Fuzzy Hash: f7dca6b475d6eb2b4cffd341a54f151c62805abc19d8f1d68f80003399a3d9a5
                                                                        • Instruction Fuzzy Hash: 2AE09236A04609FF8B04DFA5FC484DEBFFEFB84266B018066E10DC2110EF7256488B81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951306654.0000000000580000.00000040.00000040.sdmp, Offset: 00580000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7b3b17fd5a6cb92341e87f4c1683c946783f87dd3b2b377f300af676b81e1bf8
                                                                        • Instruction ID: 953b02c7a3c1a7a7f03806f82b07588011571fee48995d2541e5536f63097576
                                                                        • Opcode Fuzzy Hash: 7b3b17fd5a6cb92341e87f4c1683c946783f87dd3b2b377f300af676b81e1bf8
                                                                        • Instruction Fuzzy Hash: 57E06D766406009BE650CF0AEC41452FBE4EB84630B18C06BDC0D8B711E536F504CAA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 10926a3f9a869c2055ab6ecf34a6cf8c38d986393b3ee9aa79f32c93b497ef65
                                                                        • Instruction ID: 40e0fe034ee52b8cbcb0fc9b04b500c5310f793ad9199a8dc6f6d07d9549d71a
                                                                        • Opcode Fuzzy Hash: 10926a3f9a869c2055ab6ecf34a6cf8c38d986393b3ee9aa79f32c93b497ef65
                                                                        • Instruction Fuzzy Hash: 92D02E32E882600FCB2312B43C8A0DE3FA09802200B1000AAC849E7093EA008E0B87C7
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951682217.0000000000852000.00000040.00000001.sdmp, Offset: 00852000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8a5b6646dea52a7688e8564a615aa4fb65f8511ba036b0d83ea1a5300492773e
                                                                        • Instruction ID: 5811281784d6d2ead6b7b9df7907938817bfb0be4a8dfc7dd26652ee50abee76
                                                                        • Opcode Fuzzy Hash: 8a5b6646dea52a7688e8564a615aa4fb65f8511ba036b0d83ea1a5300492773e
                                                                        • Instruction Fuzzy Hash: E4D05E79204A914FE326CA1CC1A4F953BD4FB52B05F4644F9AC00CB6A7C768DA85D200
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.951682217.0000000000852000.00000040.00000001.sdmp, Offset: 00852000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 342bde7963d3a408c515a90f72b843fab43e775af81d33ce3972927e55a75d1b
                                                                        • Instruction ID: 6a9a693953ee13e4bb5987b2ce5dd7ec1868e5c4b06d4df6d1aa10672aedeafe
                                                                        • Opcode Fuzzy Hash: 342bde7963d3a408c515a90f72b843fab43e775af81d33ce3972927e55a75d1b
                                                                        • Instruction Fuzzy Hash: 5DD05E342002814BD715DB0CC294F9937D4FB41B05F0644E8AC00CB3B6CBB8DC85C600
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.952632478.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 78420a66d4559833988cda6c9c643f90020af98db378e78478bd3c056a340368
                                                                        • Instruction ID: b56dca9b038bc1e6a3144c35895083c4b0b4acac40d21a86cf3c97772ff93b74
                                                                        • Opcode Fuzzy Hash: 78420a66d4559833988cda6c9c643f90020af98db378e78478bd3c056a340368
                                                                        • Instruction Fuzzy Hash: DBC04C3BF001444BDF1467A8B8441DCF752E7C4225B155162DA19C3144ED35C9698651
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Executed Functions

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: :@fq$:@fq$:@fq
                                                                        • API String ID: 0-3738185570
                                                                        • Opcode ID: 9b6b688ffea3594f4d4112a5c9d3a13e182f1d84848759661a89acca777faef8
                                                                        • Instruction ID: a5d962c414aea3dfe5f6f05658d186dd083e7eed2250c5cb026c8c7b795bb791
                                                                        • Opcode Fuzzy Hash: 9b6b688ffea3594f4d4112a5c9d3a13e182f1d84848759661a89acca777faef8
                                                                        • Instruction Fuzzy Hash: 33329E30604205DFCB54DF69E4A8B6EB7F3FF88344F108928D9869B255DB71E881CBA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: :@fq$:@fq$:@fq
                                                                        • API String ID: 0-3738185570
                                                                        • Opcode ID: 40076b5a57828f7a996e8540436abb340b11a20caadea7f5f02e59dd517a6575
                                                                        • Instruction ID: 0d64fa9474bd38a45ffb6d6064390a3ee07d013fdd556d90d986b45fa6cc75cb
                                                                        • Opcode Fuzzy Hash: 40076b5a57828f7a996e8540436abb340b11a20caadea7f5f02e59dd517a6575
                                                                        • Instruction Fuzzy Hash: 6D02B130A002059FCB05DF68D494AAEB7F2FF88304F25C569D9569B396DB31EC42CBA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fe5f00233f4ffe4140d9762e9e81982994991599c9fbe7d7036e8bee36120170
                                                                        • Instruction ID: af49e69c2ef5b4391b83ab92c6535563f3c08831e49750525f21e271442e488d
                                                                        • Opcode Fuzzy Hash: fe5f00233f4ffe4140d9762e9e81982994991599c9fbe7d7036e8bee36120170
                                                                        • Instruction Fuzzy Hash: CE125D347102628FC755EB29E498E2E77E3FB88380B158658ED05CB7A9DB71ED01CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8049ecdbecdb21b3a2f31137a3925d7fba6cf79153ba115c71e77dcb463a2bc7
                                                                        • Instruction ID: 744f558e249eed06288da3acff4ab612713cbd689048af3bc3d72f33dce0e14e
                                                                        • Opcode Fuzzy Hash: 8049ecdbecdb21b3a2f31137a3925d7fba6cf79153ba115c71e77dcb463a2bc7
                                                                        • Instruction Fuzzy Hash: 80216D307052158FCB49AB78D018BAD3BE3AF85304B1481BCD406CB3A6EE3ACC45CB51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 994ad2519c20b0f0ecaea5911b931a3997b9c8403764b65179ddcd17723dbbc6
                                                                        • Instruction ID: 0d6427fcda4618138c260fe058e53137df75bb0ad6d831074699895d0c47cc9e
                                                                        • Opcode Fuzzy Hash: 994ad2519c20b0f0ecaea5911b931a3997b9c8403764b65179ddcd17723dbbc6
                                                                        • Instruction Fuzzy Hash: 6511353150E3C5AFC7038B709C6168A7FB4AF03214F0A44DBD4C0CB1A3E6AD8A89C762
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d6e60fc13e4de93c27bb4236e8d05902ee2268a466ff5cbc48d931f4c9f9f71b
                                                                        • Instruction ID: cb35c2e370e557bc190840bc7cad198cb5e26625f41a83898f1f61e91c63ebde
                                                                        • Opcode Fuzzy Hash: d6e60fc13e4de93c27bb4236e8d05902ee2268a466ff5cbc48d931f4c9f9f71b
                                                                        • Instruction Fuzzy Hash: 8E01D230B046449FC745A7B8981569E7FB5EF86320F1080A6D519DB296CE75CE02CBA2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952186040.0000000002B10000.00000040.00000040.sdmp, Offset: 02B10000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8486a240be1c4ec88ff34aaf40f8702a88ddd4a2ae4767cafdd190991579d71b
                                                                        • Instruction ID: 10151cc1da1b444a958a09fe10a2c246051ef72866f782588d009f52f9e679a6
                                                                        • Opcode Fuzzy Hash: 8486a240be1c4ec88ff34aaf40f8702a88ddd4a2ae4767cafdd190991579d71b
                                                                        • Instruction Fuzzy Hash: F301F9B65083806FD7118F06DC41862FFE8EF86620748C1AFEC49CB612D125B908CBB2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9d56baee90dead47f88c12702449a426d2790784d4b2d0f4ca97b129cd79bcc2
                                                                        • Instruction ID: bbfb059a1ec5e206c45fce4b43def49006191d30ef825cc3787acd27a0689a80
                                                                        • Opcode Fuzzy Hash: 9d56baee90dead47f88c12702449a426d2790784d4b2d0f4ca97b129cd79bcc2
                                                                        • Instruction Fuzzy Hash: 95F082327042242BD718A6BEA81066F76DFDBC9724B10803DE51AD7391DD768C4142A1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a101d5f510b2b8469077e046cb22b69f2c0f0b14abf031fa8865622da1fed3b5
                                                                        • Instruction ID: b85a637ef74fdbb1444ca87594910fbb6cf0e979ad1ffccf9a5db8962d33ecb1
                                                                        • Opcode Fuzzy Hash: a101d5f510b2b8469077e046cb22b69f2c0f0b14abf031fa8865622da1fed3b5
                                                                        • Instruction Fuzzy Hash: E9F01C363001118F8B49EB3EE45892E37EBABCD661319446AE907CB764DE71DC02DB95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 74feb193f1162a4437505aa616edab039606b08752e37a1ec0b14778d7d6c3a3
                                                                        • Instruction ID: e6c2132f96883413960fc1fe4174070d7263bf382963263a1243bbd90f8165fa
                                                                        • Opcode Fuzzy Hash: 74feb193f1162a4437505aa616edab039606b08752e37a1ec0b14778d7d6c3a3
                                                                        • Instruction Fuzzy Hash: CAE0E5712002186FD7009B6DF844EEBBFFDEB89350B10466AF108C3310DA715C0187A0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a297133cc1baefdeae8e95968fdac412b0de8b2521bcf895d452f32022bf2d8f
                                                                        • Instruction ID: e4f14af3b686d9a196eddab461fca500c07fffbb2d20929653e8f5dd9e6fe65d
                                                                        • Opcode Fuzzy Hash: a297133cc1baefdeae8e95968fdac412b0de8b2521bcf895d452f32022bf2d8f
                                                                        • Instruction Fuzzy Hash: 8BE092363040549FCB06973AB814A6E7BEBABCA261719506AE903C7761DE70DC02D791
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 95568780a72314af0b9c4c033915b22127fea438a248410c684f64dc5b6e0079
                                                                        • Instruction ID: e0daed8bc6acdff8e65f752ddd734bf81ba862c75310db64d8f8af06640c22b4
                                                                        • Opcode Fuzzy Hash: 95568780a72314af0b9c4c033915b22127fea438a248410c684f64dc5b6e0079
                                                                        • Instruction Fuzzy Hash: B4E0ED36A0421DFF8B04DFA5FC484DEBFFAEB84265B008166E509D2110EA7196499B95
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952186040.0000000002B10000.00000040.00000040.sdmp, Offset: 02B10000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ae77d1050fb191d1062a49191e3faea86152e7ad9043b4c8e0ae692cd1b6b6b3
                                                                        • Instruction ID: 10f582b5cc19281fab39b6afe1a789499419ceab264cd591452fd43f3de002c1
                                                                        • Opcode Fuzzy Hash: ae77d1050fb191d1062a49191e3faea86152e7ad9043b4c8e0ae692cd1b6b6b3
                                                                        • Instruction Fuzzy Hash: CDE06D766006045BD650CF0AEC42452FBD8EB84630718C06FDC0D8B710E575B5048EA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bdf219f895f269d6c69211661581647207a75e2bf3a6ff384ab2fb25eb3580c8
                                                                        • Instruction ID: f7376151e38b55c77a8ee38ba123ccc3c59246f6127d21b0e05537f0f303b218
                                                                        • Opcode Fuzzy Hash: bdf219f895f269d6c69211661581647207a75e2bf3a6ff384ab2fb25eb3580c8
                                                                        • Instruction Fuzzy Hash: 9DE0C23290D2A44FCB13537528580ED7F709E02180B06419FD886D70A2EA608B2EC392
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 00000018.00000002.952887189.0000000005010000.00000040.00000001.sdmp, Offset: 05010000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a46d8a6205921579a712fc7aeb29fa489cabcaa341745c94ee2e978ec3be1997
                                                                        • Instruction ID: 38f148f241a5a0cec52994fa1708d2225f9063a936d55c714df551aac3d245bc
                                                                        • Opcode Fuzzy Hash: a46d8a6205921579a712fc7aeb29fa489cabcaa341745c94ee2e978ec3be1997
                                                                        • Instruction Fuzzy Hash: DAC04C3BF001444BDF1467A8B8441DCF752D7C4225B144162DA29C3144E935C9699651
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Executed Functions

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: :@fq$:@fq$:@fq$:@fq
                                                                        • API String ID: 0-2153455795
                                                                        • Opcode ID: 3f9cdd63a1af2f2346b5b79c075268922b3bb174548e3f9f4aaa02d02f98d660
                                                                        • Instruction ID: 867fb8e86da391339181d8dfbd6bee683ed8c0ee55b9fee2fd65d4f507c4b05b
                                                                        • Opcode Fuzzy Hash: 3f9cdd63a1af2f2346b5b79c075268922b3bb174548e3f9f4aaa02d02f98d660
                                                                        • Instruction Fuzzy Hash: 96626C30600209DFDB14EF68C484B6AB7E2FF88304F15CA69D5469B396EB35EC56CB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: :@fq
                                                                        • API String ID: 0-3673016210
                                                                        • Opcode ID: 762c5a3818be11908b6127f0a32f08d6b6b1fdade91adaec8f495f2291ca05d6
                                                                        • Instruction ID: 8288ec52d695f1e4e74bb1a81482178f51ce9aa68f99f5942cab9e0c7b2e1074
                                                                        • Opcode Fuzzy Hash: 762c5a3818be11908b6127f0a32f08d6b6b1fdade91adaec8f495f2291ca05d6
                                                                        • Instruction Fuzzy Hash: 043161347002089BDB14AF6DD850B5DBBE3FF89300F61C53AD50A9336AEA358D16CB55
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 071190e84a20dc933965192d19c60e805f3689ea718ba064f21b8e02853aaf3f
                                                                        • Instruction ID: b57db5eb60ced43b7d6cb9e10da1731f217e260bb885fe19f15e461b27a7607d
                                                                        • Opcode Fuzzy Hash: 071190e84a20dc933965192d19c60e805f3689ea718ba064f21b8e02853aaf3f
                                                                        • Instruction Fuzzy Hash: 8B21F8307012158FCB49AB7CC018A6D3BE7AF86314B1585B9D406DB7A6EE39DC45CB92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 22810c34d0db4314203a87bcb725f2e17a9be69699fa07d76735b2466db4c83b
                                                                        • Instruction ID: 0201c7fcb23eceed4a8e14b1bf7c0fd62c8ee6be2afae9e924f51fd66235c9cb
                                                                        • Opcode Fuzzy Hash: 22810c34d0db4314203a87bcb725f2e17a9be69699fa07d76735b2466db4c83b
                                                                        • Instruction Fuzzy Hash: F6210730B012158FCB48AB7CC018A6D37E7EF85345B2485BDE406DB7A5EE3ADC458B92
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3fcfb4ba04bef1169eea06931a31f26e7586f6eaddb991ab68dbe07fc37ccec6
                                                                        • Instruction ID: 1a07e636fba643f64ca2323017218f7fa45ac1ce8f8c0d6f06bff68884a7eedb
                                                                        • Opcode Fuzzy Hash: 3fcfb4ba04bef1169eea06931a31f26e7586f6eaddb991ab68dbe07fc37ccec6
                                                                        • Instruction Fuzzy Hash: 6E11A16140E3D2AFD707DB305C2458A7F75AF83215F0A82DBD584CB0E3D6285909CB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0b7a0f5dba46e1180445a687bf77bd2340cf98ddcc61f7834e2b02d28ae5a251
                                                                        • Instruction ID: 88786ff641809891d29ca4d42d983fa89730fa6b8d6f572593ebd4ea3b859384
                                                                        • Opcode Fuzzy Hash: 0b7a0f5dba46e1180445a687bf77bd2340cf98ddcc61f7834e2b02d28ae5a251
                                                                        • Instruction Fuzzy Hash: F401B530B042449FC705EBB8D814A9D7F7ABF85311F1480AED509EB395CE749E06CBA6
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f4ee71318d77ad4e323cbc4831e5152dcebb383f918e7d08b0b5c6028c520ce6
                                                                        • Instruction ID: 685c769ec86ded000cb056b5096d32cd5f1026d38c776ec15ccfb597177158dc
                                                                        • Opcode Fuzzy Hash: f4ee71318d77ad4e323cbc4831e5152dcebb383f918e7d08b0b5c6028c520ce6
                                                                        • Instruction Fuzzy Hash: 5A01F7717026149BC720AF3CE888F1677F9AB88760B018237D80A87315CA31DC05C7E2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.977050602.0000000000920000.00000040.00000040.sdmp, Offset: 00920000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 94ac7f357a820d801aa0143c96af5853e5bfc338a7702181a849935b3e7bd76d
                                                                        • Instruction ID: e169eb0465ec8dc6f0e1928dc157ce3d9490e4da10b01c15eaa7acc655cc46a4
                                                                        • Opcode Fuzzy Hash: 94ac7f357a820d801aa0143c96af5853e5bfc338a7702181a849935b3e7bd76d
                                                                        • Instruction Fuzzy Hash: E001F9765487816FD3528F56EC40893FFE8DF4627070984ABEC48CB212D225F909CB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6d86e0d9140c69d90e2ad4c4b16535377f92b2b6488bf0de6f8abfbb3d7c93e6
                                                                        • Instruction ID: c27a4efb850bb3bd1db9934b7f149bca1cde1f79ff19d2ca071bbb9f07c216af
                                                                        • Opcode Fuzzy Hash: 6d86e0d9140c69d90e2ad4c4b16535377f92b2b6488bf0de6f8abfbb3d7c93e6
                                                                        • Instruction Fuzzy Hash: 9FF0C2727082501FD70957BDA8107AF7BEBEBC6314B15807ED40AD7792DC794C024392
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 044d8ca2ffb028cc49896b5e847733741419b1fbfd42cc780601b0b8c3f4eab8
                                                                        • Instruction ID: 3fb5ecf4265d09375a6515a8f55dd805002c92baf86ab9d29062bcd24a7dc1c9
                                                                        • Opcode Fuzzy Hash: 044d8ca2ffb028cc49896b5e847733741419b1fbfd42cc780601b0b8c3f4eab8
                                                                        • Instruction Fuzzy Hash: E9F08C327042245BD71866BEA810B6F76EFEBC9724B20803EE50AD7391ED7A9C0142A5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 33e6479b0e270f5cab32dac8853dbcd7c73f45fb5e6107961f8e68e84eb4ab43
                                                                        • Instruction ID: c01311789c4ff5c5fc39edaed4825566680006d6f99c4d5afae167a7988aea32
                                                                        • Opcode Fuzzy Hash: 33e6479b0e270f5cab32dac8853dbcd7c73f45fb5e6107961f8e68e84eb4ab43
                                                                        • Instruction Fuzzy Hash: 36E06D32604619AF8B04EFA5FC484DEBFAAFB84262B008167E109C2210EA315A418B81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.977050602.0000000000920000.00000040.00000040.sdmp, Offset: 00920000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 874bdd324ad1d8b186cc7f90bbe8e007461663b409c5bf08c407265ae7291ef7
                                                                        • Instruction ID: 199c997cad2fa95ba5517e5ff9e8daf79a73c391b5ea7b83ac25ec97fc2a892e
                                                                        • Opcode Fuzzy Hash: 874bdd324ad1d8b186cc7f90bbe8e007461663b409c5bf08c407265ae7291ef7
                                                                        • Instruction Fuzzy Hash: A4E092766446009BD650CF0BEC41462FBD8EB94630B18C07FDC0D8B700E539F504CEA5
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5c4d0cb29ce1715eb9db10b0c64baf895f5c4a21ffe57dfcff9586e67365f518
                                                                        • Instruction ID: 9eada6544bca54c75a29d0abca77319e449313ba0c888dc01ac9deaf806796be
                                                                        • Opcode Fuzzy Hash: 5c4d0cb29ce1715eb9db10b0c64baf895f5c4a21ffe57dfcff9586e67365f518
                                                                        • Instruction Fuzzy Hash: 50F05531A161889FD301BB38E009BD13BA6AB42211F4442B7C0098725BCB682C46C3D2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 165c7de5c0c3404bbd4bc460adbac860d17ee36c0aec35e7ecf90f079b20b8a0
                                                                        • Instruction ID: 3741531bd6744d9f7f41e35c8a7d308460bcacd37872d82c8e45cbc1098c2f2e
                                                                        • Opcode Fuzzy Hash: 165c7de5c0c3404bbd4bc460adbac860d17ee36c0aec35e7ecf90f079b20b8a0
                                                                        • Instruction Fuzzy Hash: ECD02B3694A2605FCB015BB57D461DC3B609D0722036001A6C845E7542D2104F1B83C2
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Memory Dump Source
                                                                        • Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: acdd315d810fc09ad89a54f611274241ff30bbb2e613fde58d457d401563e02e
                                                                        • Instruction ID: 21cf8cff63a0c42e1bcabd6815f2c356835d395af8d675ea16fd364dbd54cd00
                                                                        • Opcode Fuzzy Hash: acdd315d810fc09ad89a54f611274241ff30bbb2e613fde58d457d401563e02e
                                                                        • Instruction Fuzzy Hash: 3AE08631A1115C9FC700FF68E408B5177DEAB45211F9546B6D5098735ACF68AC45C7D1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%
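
Every function entry above names the memory dump it was carved from, and two regions recur throughout: 0x049A0000 and 0x00920000, both with protection 00000040 and both marked "based on PE: false". Read against the behaviour flagged earlier in the report (GuLoader shellcode staging and writes to foreign memory), that combination is the thing worth checking: executable memory that is also writable and is not backed by any PE image on disk is where unpacked or injected code lives. As an added example, not part of the Joe Sandbox report, the following Python parses the "Source File" lines of such a listing, decodes the protection field with the documented Windows PAGE_* constants, and flags regions that are writable, executable and not PE-backed. The field layout of the .sdmp name (PID, dump index, dump id, base address, protection, type) is an assumption inferred from the names shown on this page; the trailing type field is deliberately not decoded. The first three sample lines are copied from the listing above, the fourth (an image-backed PAGE_EXECUTE_READ region at 0x00400000) is constructed for contrast.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Windows page-protection constants from winnt.h. The listing's protection
# field is assumed to carry one of these (modifiers such as PAGE_GUARD are
# masked off before lookup).
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_EXECUTABLE = {0x40, 0x80}

# Assumed layout of a Joe Sandbox .sdmp name, inferred from the names in this
# listing: <pid>.<dump index>.<dump id>.<base address>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<idx>\d{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)
# One "Source File: ..., Offset: ..., based on PE: ..." line as printed in the report.
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    base: int
    protect: int
    pe_backed: bool

    @property
    def protection_name(self) -> str:
        return PAGE_NAMES.get(self.protect & 0xFF, f"0x{self.protect:08X}")

    @property
    def writable_executable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE_EXECUTABLE


def parse_source_line(line: str):
    """Parse one 'Source File' line into a DumpRegion; None for any other line."""
    m = SOURCE_RE.search(line)
    if not m:
        return None
    f = SDMP_RE.match(m.group("name"))
    if not f:
        return None  # name does not follow the assumed layout: skip, do not guess
    return DumpRegion(
        pid=int(f.group("pid"), 16),
        base=int(f.group("base"), 16),
        protect=int(f.group("protect"), 16),
        pe_backed=m.group("pe").lower() == "true",
    )


def parse_report(text: str) -> list:
    """Distinct regions in first-seen order, one per (pid, base address)."""
    seen = {}
    for line in text.splitlines():
        r = parse_source_line(line)
        if r is not None and (r.pid, r.base) not in seen:
            seen[(r.pid, r.base)] = r
    return list(seen.values())


def functions_per_region(text: str) -> Counter:
    """Number of function entries the listing attributes to each region base."""
    return Counter(r.base for r in map(parse_source_line, text.splitlines()) if r is not None)


def suspicious_regions(regions) -> list:
    """Writable+executable regions with no PE image behind them: code that was
    written into memory at runtime (unpacked or injected) rather than mapped
    from a file on disk."""
    return [r for r in regions if r.writable_executable and not r.pe_backed]


# Sample input: lines 1-3 are from this listing, line 4 is constructed.
SAMPLE = """\
• Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
• Source File: 0000001B.00000002.977050602.0000000000920000.00000040.00000040.sdmp, Offset: 00920000, based on PE: false
• Source File: 0000001B.00000002.978572630.00000000049A0000.00000040.00000001.sdmp, Offset: 049A0000, based on PE: false
• Source File: 0000001B.00000002.900000000.0000000000400000.00000020.00000001.sdmp, Offset: 00400000, based on PE: true
"""

if __name__ == "__main__":
    counts = functions_per_region(SAMPLE)
    for r in suspicious_regions(parse_report(SAMPLE)):
        print(f"pid {r.pid:#x} base {r.base:#010x} {r.protection_name} "
              f"PE-backed={r.pe_backed} functions={counts[r.base]}")
```

Run against the full listing, the per-region function counts tell you which unbacked region holds the bulk of the recovered code and is therefore the one to dump and scan with the Nanocore and GuLoader rules the report already matched; a region that is PAGE_EXECUTE_READ and PE-backed (the constructed fourth line) is ordinary mapped image code and is left out.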

                                                                        Non-executed Functions