Play interactive tour

Edit tour

Analysis Report J62DQ7fO0b.exe

Overview

General Information

Sample Name:	J62DQ7fO0b.exe
Analysis ID:	384486
MD5:	a74ece32bc1b6db38a2d379c7fc78d2c
SHA1:	25ea63e67b842641e57bc5b405ea51ec9c6beb5b
SHA256:	20e490afba639ea251a2f095a8b9b85e1b9922ff6d8b6f47ceb567ba62521a28
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Startup

System is w10x64

J62DQ7fO0b.exe (PID: 6516 cmdline: 'C:\Users\user\Desktop\J62DQ7fO0b.exe' MD5: A74ECE32BC1B6DB38A2D379C7FC78D2C)

schtasks.exe (PID: 6628 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6672 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

dhcpmon.exe (PID: 7068 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1177b5:$x1: NanoCore.ClientPluginHost 0x149fd5:$x1: NanoCore.ClientPluginHost 0x1177f2:$x2: IClientNetworkHost 0x14a012:$x2: IClientNetworkHost 0x11b325:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x14db45:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11751d:$a: NanoCore 0x11752d:$a: NanoCore 0x117761:$a: NanoCore 0x117775:$a: NanoCore 0x1177b5:$a: NanoCore 0x149d3d:$a: NanoCore 0x149d4d:$a: NanoCore 0x149f81:$a: NanoCore 0x149f95:$a: NanoCore 0x149fd5:$a: NanoCore 0x11757c:$b: ClientPlugin 0x11777e:$b: ClientPlugin 0x1177be:$b: ClientPlugin 0x149d9c:$b: ClientPlugin 0x149f9e:$b: ClientPlugin 0x149fde:$b: ClientPlugin 0x1176a3:$c: ProjectData 0x149ec3:$c: ProjectData 0x1180aa:$d: DESCrypto 0x14a8ca:$d: DESCrypto 0x11fa76:$e: KeepAlive
Process Memory Space: J62DQ7fO0b.exe PID: 6516	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.J62DQ7fO0b.exe.3f83628.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.J62DQ7fO0b.exe.3f83628.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.J62DQ7fO0b.exe.3f83628.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.J62DQ7fO0b.exe.3f83628.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
Click to see the 2 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6672, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\J62DQ7fO0b.exe' , ParentImage: C:\Users\user\Desktop\J62DQ7fO0b.exe, ParentProcessId: 6516, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp', ProcessId: 6628

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "f57d5a77-8670-45ef-b736-5f3a07b6", "Group": "Addora", "Domain1": "79.134.225.30", "Domain2": "nassiru1155.ddns.net", "Port": 1144, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: J62DQ7fO0b.exe

Joe Sandbox ML: detected

Source: J62DQ7fO0b.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: J62DQ7fO0b.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000003.671469676.0000000001120000.00000004.00000001.sdmp, dhcpmon.exe, 00000005.00000000.699290873.00000000008C2000.00000002.00020000.sdmp, dhcpmon.exe.3.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000003.00000003.671469676.0000000001120000.00000004.00000001.sdmp, dhcpmon.exe, dhcpmon.exe.3.dr

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		0_2_0F7417C8
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h		0_2_0F7417B8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49725 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49734 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49736 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49739 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49740 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49742 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49745 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49752 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49756 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49757 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49758 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49761 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49763 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 79.134.225.30:1144
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49772 -> 79.134.225.30:1144

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: nassiru1155.ddns.net
Source: Malware configuration extractor	URLs: 79.134.225.30

Source: global traffic

TCP traffic: 192.168.2.4:49725 -> 79.134.225.30:1144

Source: Joe Sandbox View

IP Address: 79.134.225.30 79.134.225.30

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 79.134.225.30

Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: J62DQ7fO0b.exe, 00000000.00000002.670741597.0000000002E71000.00000004.00000001.sdmp, J62DQ7fO0b.exe, 00000000.00000002.671216367.0000000002F1A000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: J62DQ7fO0b.exe, 00000000.00000002.671216367.0000000002F1A000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: J62DQ7fO0b.exe, 00000000.00000003.642142169.000000000146B000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: J62DQ7fO0b.exe, 00000000.00000003.642738927.0000000005EAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comCQ
Source: J62DQ7fO0b.exe, 00000000.00000003.642738927.0000000005EAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comMic&
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: J62DQ7fO0b.exe, 00000000.00000003.642738927.0000000005EAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comams
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comand
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comen
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comext
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comhe
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comily
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comol
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comsofz
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comtk
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: J62DQ7fO0b.exe, 00000000.00000002.669671162.0000000001460000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comt
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: J62DQ7fO0b.exe, 00000000.00000003.641650393.0000000005EA9000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: J62DQ7fO0b.exe, 00000000.00000003.641998608.0000000005EAC000.00000004.00000001.sdmp, J62DQ7fO0b.exe, 00000000.00000003.641490648.0000000005EDD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: J62DQ7fO0b.exe, 00000000.00000003.641873996.000000000146B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/-e
Source: J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/a
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: J62DQ7fO0b.exe, 00000000.00000003.641650393.0000000005EA9000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnF
Source: J62DQ7fO0b.exe, 00000000.00000003.641650393.0000000005EA9000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnbli
Source: J62DQ7fO0b.exe, 00000000.00000003.641627718.0000000005EA6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnbliQ
Source: J62DQ7fO0b.exe, 00000000.00000003.641710944.000000000146B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnivZ
Source: J62DQ7fO0b.exe, 00000000.00000003.641710944.000000000146B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnporF
Source: J62DQ7fO0b.exe, 00000000.00000003.646392618.0000000005EE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr_4F
Source: J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krkrF
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: J62DQ7fO0b.exe, 00000000.00000003.646317309.0000000005EE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: J62DQ7fO0b.exe, 00000000.00000003.646271163.0000000005EE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.=
Source: J62DQ7fO0b.exe, 00000000.00000003.646942158.0000000005EE5000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.B
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krF
Source: J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kro.kr-d
Source: J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krpl
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07975BA0 NtQueryInformationProcess,		0_2_07975BA0
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07975B99 NtQueryInformationProcess,		0_2_07975B99

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_052BD400	0_2_052BD400
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_052BB184	0_2_052BB184
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_052BDAC1	0_2_052BDAC1
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_052BC1D0	0_2_052BC1D0
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_052BB178	0_2_052BB178
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_052BDE70	0_2_052BDE70
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_052B7EE2	0_2_052B7EE2
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_052B98B0	0_2_052B98B0
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07975EBA	0_2_07975EBA
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07970D00	0_2_07970D00
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_0797B548	0_2_0797B548
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_0797C348	0_2_0797C348
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_0797B1E0	0_2_0797B1E0
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07974120	0_2_07974120
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07975950	0_2_07975950
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_079777D1	0_2_079777D1
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_079777E0	0_2_079777E0
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_079706D0	0_2_079706D0
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_079706C3	0_2_079706C3
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_0797CD10	0_2_0797CD10
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07970CF0	0_2_07970CF0
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07977330	0_2_07977330
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07970B38	0_2_07970B38
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07977320	0_2_07977320
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07970B2B	0_2_07970B2B
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07977ACA	0_2_07977ACA
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_079772E0	0_2_079772E0
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07974A30	0_2_07974A30
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_079749E0	0_2_079749E0
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_0797D118	0_2_0797D118
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_0797410F	0_2_0797410F
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07975150	0_2_07975150
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07975140	0_2_07975140
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07975940	0_2_07975940
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_079708D8	0_2_079708D8
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_079708C8	0_2_079708C8
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_079750F8	0_2_079750F8
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07970006	0_2_07970006
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_0797185F	0_2_0797185F
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07970040	0_2_07970040
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_07971860	0_2_07971860
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Code function: 0_2_0F741280	0_2_0F741280

Source: J62DQ7fO0b.exe, 00000000.00000002.667985165.0000000000B5B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIBindableIterable.exe( vs J62DQ7fO0b.exe
Source: J62DQ7fO0b.exe, 00000000.00000002.674685725.00000000040A7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs J62DQ7fO0b.exe
Source: J62DQ7fO0b.exe, 00000000.00000002.682513311.000000000F220000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs J62DQ7fO0b.exe
Source: J62DQ7fO0b.exe, 00000000.00000002.682735920.000000000F320000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs J62DQ7fO0b.exe
Source: J62DQ7fO0b.exe, 00000000.00000002.682735920.000000000F320000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs J62DQ7fO0b.exe
Source: J62DQ7fO0b.exe, 00000000.00000002.679359494.0000000007910000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs J62DQ7fO0b.exe
Source: J62DQ7fO0b.exe	Binary or memory string: OriginalFilenameIBindableIterable.exe( vs J62DQ7fO0b.exe

Source: J62DQ7fO0b.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/11@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

File created: C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_01
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Mutant created: \Sessions\1\BaseNamedObjects\KQdgwQc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{f57d5a77-8670-45ef-b736-5f3a07b68725}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_01

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp

Jump to behavior

Source: J62DQ7fO0b.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

File read: C:\Users\user\Desktop\J62DQ7fO0b.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\J62DQ7fO0b.exe 'C:\Users\user\Desktop\J62DQ7fO0b.exe'
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: J62DQ7fO0b.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: J62DQ7fO0b.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: J62DQ7fO0b.exe

Static file information: File size 1865728 > 1048576

Source: J62DQ7fO0b.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15d200

Source: J62DQ7fO0b.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000003.671469676.0000000001120000.00000004.00000001.sdmp, dhcpmon.exe, 00000005.00000000.699290873.00000000008C2000.00000002.00020000.sdmp, dhcpmon.exe.3.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000003.00000003.671469676.0000000001120000.00000004.00000001.sdmp, dhcpmon.exe, dhcpmon.exe.3.dr

Source: initial sample	Static PE information: section name: .text entropy: 7.5077416615
Source: initial sample	Static PE information: section name: .text entropy: 7.5077416615

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	File created: C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: J62DQ7fO0b.exe PID: 6516, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1301	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8321	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 736	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 630	Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe TID: 6520	Thread sleep time: -103490s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe TID: 6536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7136	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Thread delayed: delay time: 103490	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 00000003.00000003.697272033.0000000001183000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DF9008	Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Users\user\Desktop\J62DQ7fO0b.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J62DQ7fO0b.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\J62DQ7fO0b.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegSvcs.exe, 00000003.00000003.681337779.0000000006902000.00000004.00000001.sdmp

String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.J62DQ7fO0b.exe.3f83628.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.J62DQ7fO0b.exe.3f83628.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection211	Masquerading2	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery121	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection211	NTDS	Virtualization/Sandbox Evasion31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	System Information Discovery12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
J62DQ7fO0b.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender	Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
nassiru1155.ddns.net	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnporF	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnbli	0%	Avira URL Cloud	safe
http://www.carterandcone.comams	0%	Avira URL Cloud	safe
http://www.carterandcone.comen	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnF	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/-e	0%	Avira URL Cloud	safe
http://www.carterandcone.comily	0%	Avira URL Cloud	safe
http://www.carterandcone.comsofz	0%	Avira URL Cloud	safe
http://www.carterandcone.comMic&	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/a	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.carterandcone.comext	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.krF	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sandoll.co.krpl	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnivZ	0%	Avira URL Cloud	safe
http://www.carterandcone.comtk	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.sandoll.co.kro.kr-d	0%	Avira URL Cloud	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comCQ	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr_4F	0%	Avira URL Cloud	safe
79.134.225.30	0%	Avira URL Cloud	safe
http://www.carterandcone.comhe	0%	Avira URL Cloud	safe
http://www.goodfont.co.krkrF	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.fontbureau.comt	0%	URL Reputation	safe
http://www.fontbureau.comt	0%	URL Reputation	safe
http://www.fontbureau.comt	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.founder.com.cn/cnbliQ	0%	Avira URL Cloud	safe
http://www.monotype.B	0%	Avira URL Cloud	safe
http://www.monotype.=	0%	Avira URL Cloud	safe
http://www.carterandcone.comand	0%	Avira URL Cloud	safe
http://www.carterandcone.comol	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
nassiru1155.ddns.net	true	Avira URL Cloud: safe	unknown
79.134.225.30	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnporF	J62DQ7fO0b.exe, 00000000.00000003.641710944.000000000146B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnbli	J62DQ7fO0b.exe, 00000000.00000003.641650393.0000000005EA9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comams	J62DQ7fO0b.exe, 00000000.00000003.642738927.0000000005EAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comen	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	J62DQ7fO0b.exe, 00000000.00000002.671216367.0000000002F1A000.00000004.00000001.sdmp	false		high
http://www.tiro.com	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	J62DQ7fO0b.exe, 00000000.00000003.642738927.0000000005EAF000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnF	J62DQ7fO0b.exe, 00000000.00000003.641650393.0000000005EA9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	J62DQ7fO0b.exe, 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/-e	J62DQ7fO0b.exe, 00000000.00000003.641873996.000000000146B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comily	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comsofz	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comMic&	J62DQ7fO0b.exe, 00000000.00000003.642738927.0000000005EAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.founder.com.cn/cn/a	J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comext	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krF	J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.krpl	J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	J62DQ7fO0b.exe, 00000000.00000002.670741597.0000000002E71000.00000004.00000001.sdmp, J62DQ7fO0b.exe, 00000000.00000002.671216367.0000000002F1A000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnivZ	J62DQ7fO0b.exe, 00000000.00000003.641710944.000000000146B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comtk	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	J62DQ7fO0b.exe, 00000000.00000003.642142169.000000000146B000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/	J62DQ7fO0b.exe, 00000000.00000003.646392618.0000000005EE5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sandoll.co.kro.kr-d	J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comTC	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comCQ	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr_4F	J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.comhe	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.krkrF	J62DQ7fO0b.exe, 00000000.00000003.641496129.0000000005EA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	J62DQ7fO0b.exe, 00000000.00000003.641998608.0000000005EAC000.00000004.00000001.sdmp, J62DQ7fO0b.exe, 00000000.00000003.641490648.0000000005EDD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	J62DQ7fO0b.exe, 00000000.00000003.641650393.0000000005EA9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false		high
http://www.monotype.	J62DQ7fO0b.exe, 00000000.00000003.646317309.0000000005EE5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comt	J62DQ7fO0b.exe, 00000000.00000002.669671162.0000000001460000.00000004.00000040.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	J62DQ7fO0b.exe, 00000000.00000002.677595020.0000000005F90000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cnbliQ	J62DQ7fO0b.exe, 00000000.00000003.641627718.0000000005EA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.B	J62DQ7fO0b.exe, 00000000.00000003.646942158.0000000005EE5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.=	J62DQ7fO0b.exe, 00000000.00000003.646271163.0000000005EE5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.comand	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comol	J62DQ7fO0b.exe, 00000000.00000003.642529232.0000000005EA2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.134.225.30	unknown	Switzerland		6775	FINK-TELECOM-SERVICESCH	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	384486
Start date:	09.04.2021
Start time:	10:06:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	J62DQ7fO0b.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/11@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 89% Number of executed functions: 68 Number of non-executed functions: 27
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/384486/sample/J62DQ7fO0b.exe

Simulations

Behavior and APIs

Time	Type	Description
10:07:02	API Interceptor	1x Sleep call for process: J62DQ7fO0b.exe modified
10:07:11	API Interceptor	947x Sleep call for process: RegSvcs.exe modified
10:07:15	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
79.134.225.30	oE6O5K1emC.exe	Get hash	malicious	Browse
	AIC7VMxudf.exe	Get hash	malicious	Browse
	Payment Confirmation.exe	Get hash	malicious	Browse
	JOIN.exe	Get hash	malicious	Browse
	Itinerary.pdf.exe	Get hash	malicious	Browse
	vVH0wIFYFd.exe	Get hash	malicious	Browse
	GWee9QSphp.exe	Get hash	malicious	Browse
	s7pnYY2USl.jar	Get hash	malicious	Browse
	s7pnYY2USl.jar	Get hash	malicious	Browse
	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe	Get hash	malicious	Browse
	Import and Export Regulation.xlsx	Get hash	malicious	Browse
	BBdzKOGQ36.exe	Get hash	malicious	Browse
	BL.exe	Get hash	malicious	Browse
	Payment Invoice.exe	Get hash	malicious	Browse
	Payment Invoice.pdf.exe	Get hash	malicious	Browse
	Inquiries_scan_011023783591374376585.exe	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FINK-TELECOM-SERVICESCH	oE6O5K1emC.exe	Get hash	malicious	Browse	79.134.225.30
	zunUbtZ2Y3.exe	Get hash	malicious	Browse	79.134.225.40
	EASTERS.exe	Get hash	malicious	Browse	79.134.225.118
	LIST OF POEA DELISTED AGENCIES.pdf.exe	Get hash	malicious	Browse	79.134.225.9
	AWB.pdf.exe	Get hash	malicious	Browse	79.134.225.102
	AIC7VMxudf.exe	Get hash	malicious	Browse	79.134.225.30
	9mm case for ROYAL METAL INDUSTRIES 3milmonth Specification drawings.exe	Get hash	malicious	Browse	79.134.225.21
	PO50164.exe	Get hash	malicious	Browse	79.134.225.79
	Fast color scan to a PDFfile_1_20210331084231346.pdf.exe	Get hash	malicious	Browse	79.134.225.102
	n7dIHuG3v6.exe	Get hash	malicious	Browse	79.134.225.92
	F6JT4fXIAQ.exe	Get hash	malicious	Browse	79.134.225.92
	order_inquiry2094.xls.exe	Get hash	malicious	Browse	79.134.225.102
	5H957qLghX.exe	Get hash	malicious	Browse	79.134.225.25
	yBio5dWAOl.exe	Get hash	malicious	Browse	79.134.225.7
	wDIaJji4Vv.exe	Get hash	malicious	Browse	79.134.225.7
	DkZY1k3y9F.exe	Get hash	malicious	Browse	79.134.225.23
	hbvo9thTAX.exe	Get hash	malicious	Browse	79.134.225.7
	SCAN ORDER DOC 040202021.exe	Get hash	malicious	Browse	79.134.225.71
	Waybill Doc_pdf.exe	Get hash	malicious	Browse	79.134.225.92
	gfcYixSdyD.exe	Get hash	malicious	Browse	79.134.225.71

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	HSBc20210216B1.exe	Get hash	malicious	Browse
	zunUbtZ2Y3.exe	Get hash	malicious	Browse
	bank transfer.exe	Get hash	malicious	Browse
	nunu.exe	Get hash	malicious	Browse
	quotation.exe	Get hash	malicious	Browse
	GS_ PO NO.1862021.exe	Get hash	malicious	Browse
	UPDATED SOA.exe	Get hash	malicious	Browse
	comprobante de pago bancario.exe	Get hash	malicious	Browse
	ANS_309487487_#049844874.exe	Get hash	malicious	Browse
	Dekont_12VK2102526 VAKIF KATILIM.exe	Get hash	malicious	Browse
	taiwan.exe	Get hash	malicious	Browse
	SWIFT COPY.exe	Get hash	malicious	Browse
	GS_ PO NO.1862021.exe	Get hash	malicious	Browse
	purchase order.exe	Get hash	malicious	Browse
	Payment Advice.exe	Get hash	malicious	Browse
	Quotation.pdf...exe	Get hash	malicious	Browse
	PURCHASE ORDER.exe	Get hash	malicious	Browse
	money.exe	Get hash	malicious	Browse
	TT COPY.exe	Get hash	malicious	Browse
	$$$.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45152
Entropy (8bit):	6.149629800481177
Encrypted:	false
SSDEEP:	768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5:	2867A3817C9245F7CF518524DFD18F28
SHA1:	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256:	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512:	7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: HSBc20210216B1.exe, Detection: malicious, Browse Filename: zunUbtZ2Y3.exe, Detection: malicious, Browse Filename: bank transfer.exe, Detection: malicious, Browse Filename: nunu.exe, Detection: malicious, Browse Filename: quotation.exe, Detection: malicious, Browse Filename: GS_ PO NO.1862021.exe, Detection: malicious, Browse Filename: UPDATED SOA.exe, Detection: malicious, Browse Filename: comprobante de pago bancario.exe, Detection: malicious, Browse Filename: ANS_309487487_#049844874.exe, Detection: malicious, Browse Filename: Dekont_12VK2102526 VAKIF KATILIM.exe, Detection: malicious, Browse Filename: taiwan.exe, Detection: malicious, Browse Filename: SWIFT COPY.exe, Detection: malicious, Browse Filename: GS_ PO NO.1862021.exe, Detection: malicious, Browse Filename: purchase order.exe, Detection: malicious, Browse Filename: Payment Advice.exe, Detection: malicious, Browse Filename: Quotation.pdf...exe, Detection: malicious, Browse Filename: PURCHASE ORDER.exe, Detection: malicious, Browse Filename: money.exe, Detection: malicious, Browse Filename: TT COPY.exe, Detection: malicious, Browse Filename: $$$.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\J62DQ7fO0b.exe.log Download File
Process:	C:\Users\user\Desktop\J62DQ7fO0b.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp Download File
Process:	C:\Users\user\Desktop\J62DQ7fO0b.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.18058135981098
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGRKatn:cbhK79lNQR/rydbz9I3YODOLNdq3EV
MD5:	F97E80A87AE958D4BC07AD23DE478B2A
SHA1:	47F349B089D0861714DF39749A40E92DAE653DA9
SHA-256:	3A01767F80C0386EBB0F5918844F2D1C781C02E3CED00A1B089CF443349AAE72
SHA-512:	A3096C0D7947F1313139EEE2F5CFE82383A6F9C695B90BD2573C84D568FCA2C9D3DBFA032C2CE3FE0995A0AB7B42F3775299846AA97D2809EA390C003FD48913
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	1512
Entropy (8bit):	7.012278113302776
Encrypted:	false
SSDEEP:	24:IQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCyHJ5lQnybgCyz:IkR5lkR5lkR5lkR5lkR5lkR5lkR5i
MD5:	99595ABE9D87E2528BEEAAB442B21B36
SHA1:	340D15872EEA4FB38B0BE5EC0BFF3F251A2BA69E
SHA-256:	4EC04D88C855C45BED9EDF5CF9684B402ACAE3DFB1A0161D9D6371E966B9EE6D
SHA-512:	E58CD537D72C7E00376D7595BA8F91A15452E1D3A08E97C74F99D0E5A8201C7039E8C3BDC8ADE74FD9DB7B55C129327C3A160576AA0D2012FCDFF7C938D8CA55
Malicious:	false
Reputation:	low
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6...T....+5.1............r.P.V..+..(.2d.f... ..q.. 7iO.+..c.....!.'...mL\|XGj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h.P.vY.........S.5.6.C4..E.Y.\|........).zs...w.gl..\.G..J.M.vES.0....P.:..6..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Dyalog APL external variable shared version 6.122
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:Hy:S
MD5:	E301BD4595E07EF6742AD3F194ACB0DB
SHA1:	C92A55F687D43CD1BDD5A632F037D1A58D00223B
SHA-256:	2AC8CF690E88B0C0A42129AB9925DBFFA3ABF501A119FE80A6CCFAFEEFED4410
SHA-512:	27DB5F621B7783CA0A043796A03ED91B0AD902EE013BFC5E7C744CFE34D5AD816720376CC87BE10AA70515C6087FEDEF561C7C5770516EEC8817B7DCB37A15FB
Malicious:	true
Reputation:	low
Preview:	...z...H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe Download File
Process:	C:\Users\user\Desktop\J62DQ7fO0b.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1865728
Entropy (8bit):	7.042310357804828
Encrypted:	false
SSDEEP:	49152:9Ni8vaKvPuXtaD5LNaw/RRMbBRtlxaJvxdrLBF+F36q:Bzv4w/RRMbBRZaJvz3XO35
MD5:	A74ECE32BC1B6DB38A2D379C7FC78D2C
SHA1:	25EA63E67B842641E57BC5B405EA51EC9C6BEB5B
SHA-256:	20E490AFBA639EA251A2F095A8B9B85E1B9922FF6D8B6F47CEB567BA62521A28
SHA-512:	63A026DEDC6B2478A0CA7625534045E98334185BFEA76B7DAA74C1FE8CB32757AB26F97ACE14B8400EA70DF8FDDD0F10DBA51041F2444534A11BF49F41746672
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o`................................. ........@.. ....................................@.....................................W.... ..t............................................................................ ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...t.... ......................@..@........................H............p..........D...............................................z.(......}.....( ...o!...}.........0...........{......E............8...Z...u..................}..... ].4S}......}.......}..... ..Q.}......}.......}......{.... Km.a}......}.......}..... ,...}......}.......}......{.... ..=.a}......}.......}..... ....}......}.......}..... "G.R}......}.......}........{.....s"...z.2.{.....f...*....0..<........{......3..{....( ...o!...3...}......+..s.......{....}..

C:\Users\user\AppData\Roaming\tHyARuOEdFlN.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\J62DQ7fO0b.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.44831826838854
Encrypted:	false
SSDEEP:	24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5:	1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1:	804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256:	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512:	5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.042310357804828
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	J62DQ7fO0b.exe
File size:	1865728
MD5:	a74ece32bc1b6db38a2d379c7fc78d2c
SHA1:	25ea63e67b842641e57bc5b405ea51ec9c6beb5b
SHA256:	20e490afba639ea251a2f095a8b9b85e1b9922ff6d8b6f47ceb567ba62521a28
SHA512:	63a026dedc6b2478a0ca7625534045e98334185bfea76b7daa74c1fe8cb32757ab26f97ace14b8400ea70df8fddd0f10dba51041f2444534a11bf49f41746672
SSDEEP:	49152:9Ni8vaKvPuXtaD5LNaw/RRMbBRtlxaJvxdrLBF+F36q:Bzv4w/RRMbBRZaJvz3XO35
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....o`................................. ........@.. ....................................@................................

File Icon


Icon Hash:	71f0d4d4ccccf070

Static PE Info

General
Entrypoint:	0x55f0de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x606FFEAC [Fri Apr 9 07:13:48 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15f084	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x162000	0x6a074	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x160000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x15d0e4	0x15d200	False	0.644486495256	data	7.5077416615	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x160000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x162000	0x6a074	0x6a200	False	0.217089038575	data	4.26679146424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x162220	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x172a48	0x42028	data
RT_ICON	0x1b4a70	0x25a8	data
RT_ICON	0x1b7018	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_ICON	0x1bb240	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 16777216, next used block 16777216
RT_GROUP_ICON	0x1cba68	0x22	data
RT_GROUP_ICON	0x1cba8c	0x4c	data
RT_VERSION	0x1cbad8	0x350	data
RT_MANIFEST	0x1cbe28	0x249	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Northern Star
Assembly Version	2.1.0.8
InternalName	IBindableIterable.exe
FileVersion	2.1.0.8
CompanyName	Northern Star
LegalTrademarks
Comments
ProductName	MDM
ProductVersion	2.1.0.8
FileDescription	MDM
OriginalFilename	IBindableIterable.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/09/21-10:07:12.671031	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49725	1144	192.168.2.4	79.134.225.30
04/09/21-10:07:19.452199	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49734	1144	192.168.2.4	79.134.225.30
04/09/21-10:07:26.421327	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49736	1144	192.168.2.4	79.134.225.30
04/09/21-10:07:33.554381	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49739	1144	192.168.2.4	79.134.225.30
04/09/21-10:07:39.696069	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	1144	192.168.2.4	79.134.225.30
04/09/21-10:07:46.643686	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	1144	192.168.2.4	79.134.225.30
04/09/21-10:07:52.853588	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49745	1144	192.168.2.4	79.134.225.30
04/09/21-10:07:59.880822	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49752	1144	192.168.2.4	79.134.225.30
04/09/21-10:08:06.886756	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49756	1144	192.168.2.4	79.134.225.30
04/09/21-10:08:13.696819	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49757	1144	192.168.2.4	79.134.225.30
04/09/21-10:08:19.884335	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49758	1144	192.168.2.4	79.134.225.30
04/09/21-10:08:26.972195	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49761	1144	192.168.2.4	79.134.225.30
04/09/21-10:08:33.851582	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49763	1144	192.168.2.4	79.134.225.30
04/09/21-10:08:39.897169	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49769	1144	192.168.2.4	79.134.225.30
04/09/21-10:08:46.177906	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49770	1144	192.168.2.4	79.134.225.30
04/09/21-10:08:52.997147	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49771	1144	192.168.2.4	79.134.225.30
04/09/21-10:08:59.086454	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49772	1144	192.168.2.4	79.134.225.30

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 9, 2021 10:07:12.412424088 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:12.633583069 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:12.633719921 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:12.671030998 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:12.927891970 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:12.996145010 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.081242085 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.134944916 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.212373018 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.212693930 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.393297911 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.447668076 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.453150034 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.692616940 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.725742102 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.726242065 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.726407051 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.727564096 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.728598118 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.728713036 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.729443073 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.736000061 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.736355066 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.736476898 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.737448931 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.737550020 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.737701893 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.738715887 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.740179062 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.929099083 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.929168940 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.929254055 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.929281950 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.930774927 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.930814981 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.930840015 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.939450026 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.939610004 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.940675020 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.941261053 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.941380024 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.946429014 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.949985027 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.950076103 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.971633911 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.971663952 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.971793890 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.972151995 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.972893953 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.972995043 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.980684996 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.981470108 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.981534958 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.981574059 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.981698036 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.981760979 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.981897116 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.990417004 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:13.990533113 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:13.995167971 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.123945951 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.124001026 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.124145031 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.124556065 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.125138998 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.134424925 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.134581089 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.142329931 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.142369986 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.142514944 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.142600060 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.142676115 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.143532038 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.143637896 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.143879890 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.143968105 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.144741058 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.144814968 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.145612955 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.145750999 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.145838976 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.146193981 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.146723986 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.146874905 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.147619009 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.147720098 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.148710012 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.148770094 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.148778915 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.148844957 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.157772064 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.157849073 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.158587933 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.158675909 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.158726931 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.158791065 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.158813000 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.158845901 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.158888102 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.180831909 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.180880070 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.180917978 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.180938959 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.181662083 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.181760073 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.183625937 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.183784962 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.191610098 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.191682100 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.191767931 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.191817045 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.192792892 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.192837954 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.192908049 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.192928076 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.196382999 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.196429014 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.196464062 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.196495056 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.196599007 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.196675062 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.196989059 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.197062016 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.201441050 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.201531887 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.201636076 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.201725006 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.206217051 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.206267118 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.206311941 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.206336975 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.207765102 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.207808971 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.207906008 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.207950115 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.223927975 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.223962069 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.223992109 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.224041939 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.224088907 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.320722103 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.320776939 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.320880890 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.321676970 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.322372913 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.322464943 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.323673010 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.324541092 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.324646950 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.325216055 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.331207037 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.331240892 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.331310987 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.331465960 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.331522942 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.332966089 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.346646070 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.346734047 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.355356932 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.364433050 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.364453077 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.364494085 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.365820885 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.365875959 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.367948055 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.370165110 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.370268106 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.373609066 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.375094891 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.375150919 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.375603914 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.376894951 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.376944065 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.377676964 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.377857924 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.377907991 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.378629923 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.379725933 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.379782915 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.380877018 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.400693893 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.400784969 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.401319027 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.414449930 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.414479017 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.414550066 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.415577888 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.415623903 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.416368008 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.417012930 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.417083025 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.424249887 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.425501108 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.425519943 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.427150011 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.434768915 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.434791088 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.434874058 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.442568064 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.442697048 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.443664074 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.443718910 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.443758965 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.444269896 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.445497036 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.445534945 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.456685066 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.457458973 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.457523108 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.458698034 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.459750891 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.459815025 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.459894896 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.460932016 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.460953951 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.460984945 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.509938002 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.517318010 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.518462896 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.518546104 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.519117117 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.527789116 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.527945042 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.528595924 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.549361944 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.549455881 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.550168991 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.550288916 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.550389051 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.551736116 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.552623987 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.552716017 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.565747976 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.567506075 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.567589045 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.567730904 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.567931890 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.568006039 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.568650961 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.575659037 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.575794935 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.575858116 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.576797962 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.576879978 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.577336073 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.578651905 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.578721046 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.585747004 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.585766077 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.585844994 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.594608068 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.599889994 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.599946976 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.686651945 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.686703920 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.686907053 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.687221050 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.687304974 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.687509060 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.687747002 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.687869072 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.688112974 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.688225985 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.688234091 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.688467979 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.688505888 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.688647985 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.688999891 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.689033031 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.689433098 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.689546108 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.689564943 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.689871073 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.689968109 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.690129042 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.690495014 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.690587044 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.690644979 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.690661907 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.690814018 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.690826893 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.691098928 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.691270113 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.691344976 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.691405058 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.691685915 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.691790104 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.691930056 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.692368984 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.692445993 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.692468882 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.692524910 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.692650080 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.696696997 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.697004080 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.698625088 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.707279921 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.707452059 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.707535028 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.707539082 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.711523056 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.716458082 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.717180967 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.717262983 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.726599932 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.726619959 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.726789951 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.736443043 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.737190962 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.737306118 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.750935078 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.751559019 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.752223015 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.752296925 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.754040003 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.754117966 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.760579109 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.761225939 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.761301994 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.761509895 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.767282009 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.767426014 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.770843983 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.771147966 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.771240950 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.772567034 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.780596972 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.780786991 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.781646967 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.781696081 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.781774044 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.790297031 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.790647984 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.790764093 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.791816950 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.792656898 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.792772055 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.808877945 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.808971882 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.809112072 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.809290886 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.809360981 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.809437037 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.811155081 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.811444044 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.811517000 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.812621117 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.828986883 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.829010963 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.829094887 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.829904079 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.830054045 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.830625057 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.830765963 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.830928087 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.831074953 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.838634014 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.838939905 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.839755058 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.840504885 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.840610981 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.840703964 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.841466904 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.841563940 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.842987061 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.844989061 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.849502087 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.879805088 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.879981995 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.880100012 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.888444901 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.893640995 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.893790960 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.895286083 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.895427942 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.895512104 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.895520926 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.903561115 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.903578997 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.903659105 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.904355049 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.904438972 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.917577982 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.917757034 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.917921066 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.926282883 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.927870035 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.928658962 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.928683996 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.928765059 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.928813934 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.929588079 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.935791016 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.935811043 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.935925961 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.936578035 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.936647892 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.937447071 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.946333885 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.946414948 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.946476936 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.946597099 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.948379993 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.949073076 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.949094057 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.949186087 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.950620890 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.950834036 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.951164007 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.951406956 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.952688932 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.957750082 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.959156036 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.959275961 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.959408998 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.967667103 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.967828989 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.968297005 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.972309113 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.972529888 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.973162889 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.973351002 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.973503113 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:14.977631092 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.978553057 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.978570938 CEST	1144	49725	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:14.978671074 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:15.037337065 CEST	49725	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:19.261755943 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:19.451468945 CEST	1144	49734	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:19.451555967 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:19.452198982 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:19.626540899 CEST	1144	49734	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:20.100286007 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:20.317323923 CEST	1144	49734	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:21.089623928 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:21.127831936 CEST	1144	49734	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:21.182378054 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:21.302192926 CEST	1144	49734	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:21.302360058 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:21.483892918 CEST	1144	49734	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:21.492321014 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:21.704447031 CEST	1144	49734	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:21.829210043 CEST	1144	49734	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:21.869831085 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:21.953794003 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:22.049978971 CEST	1144	49734	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:22.102484941 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:22.170145988 CEST	1144	49734	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:22.170243979 CEST	49734	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:26.231019974 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:26.420412064 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:26.420567036 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:26.421327114 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:26.657146931 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:26.897248983 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:26.897943020 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:27.083429098 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:27.135938883 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:27.191548109 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:27.419770002 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:27.422338009 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:27.604722023 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:27.612271070 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:27.618385077 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:27.800437927 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:27.800992012 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:27.993577003 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:27.993809938 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:28.169379950 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:28.169574022 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:28.389447927 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:28.389533997 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:28.606205940 CEST	1144	49736	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:29.340356112 CEST	49736	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:33.357836962 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:33.539345980 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:33.539499998 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:33.554380894 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:33.780337095 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:33.928359032 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:33.928867102 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:34.120373964 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:34.167745113 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:34.180835962 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:34.400834084 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:34.400928020 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:34.522656918 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:34.576531887 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:34.580899954 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:34.580993891 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:34.752696037 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:34.803684950 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:34.803793907 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:34.994270086 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:35.003444910 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:35.205540895 CEST	1144	49739	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:35.261646986 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:35.497760057 CEST	49739	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:39.513470888 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:39.695413113 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:39.695502996 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:39.696069002 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:39.910386086 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:40.161377907 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:40.171314001 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:40.361021996 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:40.363765955 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:40.606005907 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:40.606185913 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:40.722146988 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:40.777681112 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:40.815669060 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:40.815783978 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:40.959223032 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:41.012103081 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:41.033411026 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:41.033509016 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:41.214696884 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:41.262125969 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:41.434531927 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:41.438158989 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:41.480976105 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:41.656296015 CEST	1144	49740	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:42.434678078 CEST	49740	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:46.452661991 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:46.642244101 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:46.642582893 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:46.643686056 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:46.855283022 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:47.039355040 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:47.048185110 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:47.228216887 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:47.231112003 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:47.448158026 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:47.482104063 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:47.585314989 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:47.637582064 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:47.662956953 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:47.663054943 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:47.825611115 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:47.871984005 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:47.878993988 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:47.955333948 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:48.170507908 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:48.170635939 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:48.354068995 CEST	1144	49742	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:48.403371096 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:48.565701008 CEST	49742	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:52.576738119 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:52.766175985 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:52.766284943 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:52.853588104 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:53.068069935 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:53.175276995 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:53.175597906 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:53.364501953 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:53.367988110 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:53.592184067 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:53.592295885 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:53.742202044 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:53.774173021 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:53.774266005 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:53.975667000 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:53.976010084 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:54.153229952 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:54.153326988 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:54.330821037 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:54.372514963 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:54.500956059 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:54.716489077 CEST	1144	49745	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:55.498277903 CEST	49745	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:59.515943050 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:59.811846018 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:07:59.812907934 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:07:59.880821943 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:00.186507940 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:00.268156052 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:00.268630028 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:00.478352070 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:00.482280016 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:00.708265066 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:00.708381891 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:00.831832886 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:00.888704062 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:00.910420895 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:00.910612106 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:01.143410921 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:01.280272961 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:01.326292038 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:01.490295887 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:01.530970097 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:01.531548023 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:01.705904961 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:01.706058979 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:01.773015022 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:01.889511108 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:01.935726881 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:02.158489943 CEST	1144	49752	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:02.201433897 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:02.553544998 CEST	49752	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:06.671986103 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:06.885150909 CEST	1144	49756	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:06.885588884 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:06.886755943 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:07.158415079 CEST	1144	49756	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:07.238521099 CEST	1144	49756	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:07.244375944 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:07.469702005 CEST	1144	49756	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:07.469783068 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:07.732254028 CEST	1144	49756	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:07.732326984 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:07.956232071 CEST	1144	49756	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:08.079344988 CEST	1144	49756	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:08.082832098 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:08.287497997 CEST	1144	49756	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:08.301904917 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:08.559643030 CEST	1144	49756	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:08.560102940 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:08.737406015 CEST	1144	49756	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:08.780148983 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:09.468223095 CEST	49756	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:13.485075951 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:13.690836906 CEST	1144	49757	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:13.690963984 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:13.696819067 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:13.914019108 CEST	1144	49757	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:14.594305992 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:14.719100952 CEST	1144	49757	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:14.765031099 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:14.819439888 CEST	1144	49757	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:14.819627047 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:15.010103941 CEST	1144	49757	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:15.018764019 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:15.236668110 CEST	1144	49757	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:15.348386049 CEST	1144	49757	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:15.350378990 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:15.529154062 CEST	1144	49757	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:15.530875921 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:15.609883070 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:15.717047930 CEST	1144	49757	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:15.717250109 CEST	49757	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:19.640103102 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:19.882417917 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:19.882936954 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:19.884335041 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:20.109822035 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:20.517626047 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:20.518359900 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:20.703243017 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:20.703531981 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:20.922301054 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:20.922476053 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:21.154856920 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:21.330624104 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:21.332227945 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:21.520483017 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:21.522659063 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:21.708328009 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:21.708548069 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:21.889183998 CEST	1144	49758	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:21.937288046 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:22.594876051 CEST	49758	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:26.790384054 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:26.970374107 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:26.970490932 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:26.972194910 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:27.185282946 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:27.455544949 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:27.472251892 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:27.676076889 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:27.676183939 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:27.901678085 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:27.901774883 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:28.114200115 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:28.220541000 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:28.222486019 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:28.429425955 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:28.430483103 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:28.648988962 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:28.649600029 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:28.984884977 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:29.016084909 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:29.017693996 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:29.022157907 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:29.187140942 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:29.187181950 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:29.187278032 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:29.189614058 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:29.202286959 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:29.359869957 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:29.539021015 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:29.542315960 CEST	1144	49761	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:29.594202042 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:29.657248974 CEST	49761	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:33.674101114 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:33.850558996 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:33.850689888 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:33.851582050 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:34.088929892 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:34.231761932 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:34.232120037 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:34.424248934 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:34.425854921 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:34.644929886 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:34.689238071 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:34.759257078 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:34.813383102 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:34.920804977 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:34.921298981 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:35.142091990 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:35.142167091 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:35.328191996 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:35.376069069 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:35.555165052 CEST	1144	49763	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:35.610312939 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:35.688868999 CEST	49763	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:39.706221104 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:39.896431923 CEST	1144	49769	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:39.896572113 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:39.897169113 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:40.114759922 CEST	1144	49769	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:40.154093027 CEST	1144	49769	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:40.154474974 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:40.360236883 CEST	1144	49769	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:40.361490011 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:40.584525108 CEST	1144	49769	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:40.719525099 CEST	1144	49769	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:40.720556021 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:41.005891085 CEST	1144	49769	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:41.006118059 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:41.237587929 CEST	1144	49769	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:41.239167929 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:41.420231104 CEST	1144	49769	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:41.470263004 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:41.651161909 CEST	1144	49769	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:41.704628944 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:41.814548016 CEST	49769	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:45.837214947 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:46.175550938 CEST	1144	49770	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:46.177181959 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:46.177906036 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:46.488655090 CEST	1144	49770	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:46.554517031 CEST	1144	49770	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:46.554837942 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:46.850327015 CEST	1144	49770	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:46.850631952 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:47.118289948 CEST	1144	49770	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:47.118469954 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:47.342421055 CEST	1144	49770	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:47.459502935 CEST	1144	49770	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:47.461810112 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:47.662585020 CEST	1144	49770	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:47.663753986 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:47.842572927 CEST	1144	49770	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:47.842726946 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:48.019328117 CEST	1144	49770	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:48.064510107 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:48.805885077 CEST	49770	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:52.817212105 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:52.995421886 CEST	1144	49771	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:52.995645046 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:52.997147083 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:53.220515966 CEST	1144	49771	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:53.278395891 CEST	1144	49771	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:53.278805971 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:53.464849949 CEST	1144	49771	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:53.467592955 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:53.684715033 CEST	1144	49771	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:53.810868979 CEST	1144	49771	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:53.812923908 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:54.001211882 CEST	1144	49771	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:54.001349926 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:54.232796907 CEST	1144	49771	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:54.232933044 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:54.424259901 CEST	1144	49771	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:54.471338034 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:54.656939030 CEST	1144	49771	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:54.705728054 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:54.847887039 CEST	49771	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:58.862999916 CEST	49772	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:59.085530996 CEST	1144	49772	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:59.086169004 CEST	49772	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:59.086453915 CEST	49772	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:59.357844114 CEST	1144	49772	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:59.782387018 CEST	1144	49772	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:59.784621000 CEST	49772	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:08:59.976572037 CEST	1144	49772	79.134.225.30	192.168.2.4
Apr 9, 2021 10:08:59.977370024 CEST	49772	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:09:00.201441050 CEST	1144	49772	79.134.225.30	192.168.2.4
Apr 9, 2021 10:09:00.314018965 CEST	1144	49772	79.134.225.30	192.168.2.4
Apr 9, 2021 10:09:00.314426899 CEST	49772	1144	192.168.2.4	79.134.225.30
Apr 9, 2021 10:09:00.498735905 CEST	1144	49772	79.134.225.30	192.168.2.4
Apr 9, 2021 10:09:00.499372005 CEST	49772	1144	192.168.2.4	79.134.225.30

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: J62DQ7fO0b.exe PID: 6516 Parent PID: 6084

General

Start time:	10:06:54
Start date:	09/04/2021
Path:	C:\Users\user\Desktop\J62DQ7fO0b.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\J62DQ7fO0b.exe'
Imagebase:	0x990000
File size:	1865728 bytes
MD5 hash:	A74ECE32BC1B6DB38A2D379C7FC78D2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.671018247.0000000002ECB000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.674143460.0000000003E7C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 6628 Parent PID: 6516

General

Start time:	10:07:07
Start date:	09/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tHyARuOEdFlN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC6A9.tmp'
Imagebase:	0x8d0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6636 Parent PID: 6628

General

Start time:	10:07:07
Start date:	09/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6672 Parent PID: 6516

General

Start time:	10:07:08
Start date:	09/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xa50000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: dhcpmon.exe PID: 7068 Parent PID: 3424

General

Start time:	10:07:23
Start date:	09/04/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x8c0000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 7092 Parent PID: 7068

General

Start time:	10:07:24
Start date:	09/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: J62DQ7fO0b.exe PID: 6516 Parent PID: 6084 J62DQ7fO0b.exeCOMMON

Executed Functions

Function 079772E0, Relevance: 2.7, Strings: 2, Instructions: 240COMMON

Download Yara Rule

Strings

%%R!, xrefs: 07977469
<~':, xrefs: 0797744D

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID: %%R!$<~':
API String ID: 0-727281965
Opcode ID: 07ec4eae4b3bec8f5ffe4cbeaa9612081c9a304f023dad75c3d2c1ab605f2766
Instruction ID: 678872f76aec7d60a160d0268872aa128daa3ddd9ca8811f0e7c49bfc83bdf98
Opcode Fuzzy Hash: 07ec4eae4b3bec8f5ffe4cbeaa9612081c9a304f023dad75c3d2c1ab605f2766
Instruction Fuzzy Hash: 52A116B0E052598BCB04CFE9D5815EEFBF2AF89318F24C566D804AB358E7349942CF65

Uniqueness

Uniqueness Score: -1.00%

Function 052BDAC1, Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052BDCAA

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 702d34ec37c8adaddc384c3722e15788b79b31903b3795f2023fdb8c46b82aba
Instruction ID: 71fe3c29806f0c4441f75eec2414956eb3d0d3f8ba544fb86962168e49fb10d1
Opcode Fuzzy Hash: 702d34ec37c8adaddc384c3722e15788b79b31903b3795f2023fdb8c46b82aba
Instruction Fuzzy Hash: C17154B2C14349AFDF02CFA4D884ADEBFB1BF49340F19816AE808AB261D3759955CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07975BA0, Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07975C1F

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: c9eae36d067774efe010868501f2e4363a3bf1a3c27c291f5001c0b1dd833102
Instruction ID: 07a6736811c1ccb76fd271f33ab588dee3c8ede602e5f0596edf536522dd2184
Opcode Fuzzy Hash: c9eae36d067774efe010868501f2e4363a3bf1a3c27c291f5001c0b1dd833102
Instruction Fuzzy Hash: 4521CEB59002599FCB10CF9AD884BDEFBF4FB49324F10842AE918A7310D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07975B99, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07975C1F

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 410d9bd077ce3734062746e6dc217d5663b887242691a34d7490847cd7e8684b
Instruction ID: 2122402d03ed6b17726b005205e3495042365cc922b54bc93bedccf0b81da34f
Opcode Fuzzy Hash: 410d9bd077ce3734062746e6dc217d5663b887242691a34d7490847cd7e8684b
Instruction Fuzzy Hash: 4321BDB59002599FCB10CF99D988BDEBBF4FF48324F14842AE929A7610D378A554CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07975950, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

ZqJL, xrefs: 07975A43

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID: ZqJL
API String ID: 0-2772146313
Opcode ID: 215d2a07e8ab2d56888bf26f55ef14928157e91312224749ebdc8479457e0639
Instruction ID: 61e226bd73bcdf787cbbeaa28129ec630a15d7c50d25b0d2c45205adc4e48470
Opcode Fuzzy Hash: 215d2a07e8ab2d56888bf26f55ef14928157e91312224749ebdc8479457e0639
Instruction Fuzzy Hash: 035123B4E14609CBCB58CFE9D9405DDFBB6FF89304F25852AD419AB214EB706952CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07975940, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

ZqJL, xrefs: 07975A43

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID: ZqJL
API String ID: 0-2772146313
Opcode ID: 6f4e074df541cec909cf87641ae8942963570e12b456dac4d76a53338836f1c7
Instruction ID: 9759bbba7df40b0dc19b97868b801349be54a773c0706f112f270a2ed94dda7b
Opcode Fuzzy Hash: 6f4e074df541cec909cf87641ae8942963570e12b456dac4d76a53338836f1c7
Instruction Fuzzy Hash: 545132B4E11209CBCB58CFA9D9406DCFBB2FF89304F25862AD409AB214EB706952CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0F741280, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682823670.000000000F740000.00000040.00000001.sdmp, Offset: 0F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230d159f7abe436760d846efd9d6415dc2204a749baf71da4686281ffbbb9fe3
Instruction ID: 7a62d858f93501713a1e9d5e0ce571cfd4f15358225ac6db470f6ad66b3e0c0b
Opcode Fuzzy Hash: 230d159f7abe436760d846efd9d6415dc2204a749baf71da4686281ffbbb9fe3
Instruction Fuzzy Hash: 46D1CC31B012048FEB1AEB75C450BAFB7E6AF88700F54846DD246DB292CB75F941CB92

Uniqueness

Uniqueness Score: -1.00%

Function 052BD400, Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b25a6e82d0221cb16bfa5dbbe8d0d9f4a7b6acdb7d0f84d06a5e722184a71e8
Instruction ID: 7dbe8621210d32ab61265fd06d24bc20e41842f8d52426c4ed38e41f098d4b56
Opcode Fuzzy Hash: 4b25a6e82d0221cb16bfa5dbbe8d0d9f4a7b6acdb7d0f84d06a5e722184a71e8
Instruction Fuzzy Hash: C1B1AA74B047058FDB00EF79D490AAABBF2BF88354B00896AD51ADB755EB74E805CB90

Uniqueness

Uniqueness Score: -1.00%

Function 052BB184, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65adde62e161d2c1f1a7a85fe0750f875466a71170905f26e201f937cec44011
Instruction ID: e826ab2f623aa0209f52ed5d3ac7eeec13cc8ca81489ec273e30c32a263e2cdf
Opcode Fuzzy Hash: 65adde62e161d2c1f1a7a85fe0750f875466a71170905f26e201f937cec44011
Instruction Fuzzy Hash: A091AF74E203198FCB00DBE0C854ADDBBBAFF89304F558215E416AF3A4EB70A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 052BDE70, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7204a15ec0ff72d2472fc49573da5e65e6ac3629f2036ba5e7abf9a9313f45
Instruction ID: 15606f70066c611574ec853a739898afce81d0bbd9e7e5036b2911d7b4407cf5
Opcode Fuzzy Hash: 8d7204a15ec0ff72d2472fc49573da5e65e6ac3629f2036ba5e7abf9a9313f45
Instruction Fuzzy Hash: 1E81BD75E203198FCB00DBF0D8549DDBBBAFF89350F558215E416AF2A4EB70A985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 052BB178, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b239a713dae7e8af9a47bcd586e30f98b695ed82f36c0575d5fb2ddf03cd57
Instruction ID: 7727fc2a296f36aec200b3dc1c2eaf5b8ed2ba085125b10804e10b16f11400d8
Opcode Fuzzy Hash: c1b239a713dae7e8af9a47bcd586e30f98b695ed82f36c0575d5fb2ddf03cd57
Instruction Fuzzy Hash: 1881AD75E203198FCB00DFE0D8549DDBBBAFF89314F558215E416AF2A4EB70A985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07975EBA, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb58ed0eb54f9c30859583fc5fad78f191427d56b94797823d10cfababb2f4b0
Instruction ID: 8b4ba7bba3e5100eba65ec27168257d6fc822ceba0f0ddecc6f0b7f6208fbb1a
Opcode Fuzzy Hash: eb58ed0eb54f9c30859583fc5fad78f191427d56b94797823d10cfababb2f4b0
Instruction Fuzzy Hash: AB9148B0E25219DFCB58DFA5D889A9DBFB1FF4A304F108529E80AAB344DB705851CF24

Uniqueness

Uniqueness Score: -1.00%

Function 0797C348, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81283f8678ad39b738a753b92cf7ad5ae14bbb69c1a96a77c1894f70cae3953
Instruction ID: 39b9cc12bf825267bdb20924293074f1a82734ecbff86cfb4ef1580eece430b7
Opcode Fuzzy Hash: a81283f8678ad39b738a753b92cf7ad5ae14bbb69c1a96a77c1894f70cae3953
Instruction Fuzzy Hash: 728105B4E11209DFCB18DFA5D9445AEBBB2FF89304F20C42AE416AB354DB749902CF65

Uniqueness

Uniqueness Score: -1.00%

Function 07974120, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68706f52bbd599973a3ed9f3cafdfd281367a67518e00931d141455d630d5c31
Instruction ID: 02ae813c1ec180ec2face3b83791d19fe7757b4d5f603572559e2679d00e4b94
Opcode Fuzzy Hash: 68706f52bbd599973a3ed9f3cafdfd281367a67518e00931d141455d630d5c31
Instruction Fuzzy Hash: C77137B4D21208DFCB08DFA5E98569DBFB2FF89305F208429E416AB324DB345942DF61

Uniqueness

Uniqueness Score: -1.00%

Function 0797410F, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d22400ecbdf2546489ba1f98ed74752be2ea05f34781b4b645a0e7afd34dfec
Instruction ID: 3ba78e3ed918b268a4c3c9ed1fb66766d2f277052d1f17a43e334d477ae0c5ce
Opcode Fuzzy Hash: 6d22400ecbdf2546489ba1f98ed74752be2ea05f34781b4b645a0e7afd34dfec
Instruction Fuzzy Hash: 5F713AB4D21248DFCB08DFA5E98569DBFB2FF89305F20842AE416AB365DB345942DF10

Uniqueness

Uniqueness Score: -1.00%

Function 0797B548, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ed6ec7912a46a70a818198531c0d2eea76672e277c9adbb112fa52309fcf36
Instruction ID: 22e27d0bdc359e107b6e2b55e2fdeb81159fa80a9cfbbf8c64a460d9c511e64d
Opcode Fuzzy Hash: 14ed6ec7912a46a70a818198531c0d2eea76672e277c9adbb112fa52309fcf36
Instruction Fuzzy Hash: FB5169B1E252098BCF08CFA5D9415DEFBB6FB8E311F10D926D006B7258DB389901CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0797B1E0, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 868342493dd99d794b3c2f086aa33ede7e45a32a70d2a0d2083041c680d17fff
Instruction ID: 13e35c288b20faba6da8297df6041232655a377df936b6211140b986b4c19df1
Opcode Fuzzy Hash: 868342493dd99d794b3c2f086aa33ede7e45a32a70d2a0d2083041c680d17fff
Instruction Fuzzy Hash: 98416FB4E2A219CBCF08CFA5D8455DEFBF6FB8E214F14982AD406B7254D7749901CB28

Uniqueness

Uniqueness Score: -1.00%

Function 052B7EE2, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1351453f8e632c3d3f0d55ce0035fa90b4608d14080b5d91128935c6e73a55
Instruction ID: be8e8f54652d475816d61255cbcfaef5c42accf3fc59d2b8fb9b6912851b62b1
Opcode Fuzzy Hash: 2d1351453f8e632c3d3f0d55ce0035fa90b4608d14080b5d91128935c6e73a55
Instruction Fuzzy Hash: 4931B030A102129FEB04EF729900AFA77F6FF80344B05C629DD55E7244F774A9078B95

Uniqueness

Uniqueness Score: -1.00%

Function 07970D00, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81039a3bb485e49ab0709de93bffb13889a6677bf8bb315821237e70fa5e6958
Instruction ID: c02d0fb9ffd061af83d73c8c2913fe91b7f5549e7ceedfa46b8617cd0265f20a
Opcode Fuzzy Hash: 81039a3bb485e49ab0709de93bffb13889a6677bf8bb315821237e70fa5e6958
Instruction Fuzzy Hash: B621E9B1E056188BEB58CF6BDC4469EFBF7AFC8204F04C1BAC508A6214EB301A46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 052B6AA1, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 052B6B10
GetCurrentThread.KERNEL32 ref: 052B6B4D
GetCurrentProcess.KERNEL32 ref: 052B6B8A
GetCurrentThreadId.KERNEL32 ref: 052B6BE3

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: aad6583e80cbcd814741d20283b26e43958c5d39be0e0b864bee645dde30aa18
Instruction ID: 068935b87d08e723f09b6d85951d2f7d341f7b9a52683fc16c1eed0224817aa7
Opcode Fuzzy Hash: aad6583e80cbcd814741d20283b26e43958c5d39be0e0b864bee645dde30aa18
Instruction Fuzzy Hash: F95152B49042498FDB14CFA9D989BDEBBF0FF49314F20846AE419B7250D7B4A884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 052B6AB0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 052B6B10
GetCurrentThread.KERNEL32 ref: 052B6B4D
GetCurrentProcess.KERNEL32 ref: 052B6B8A
GetCurrentThreadId.KERNEL32 ref: 052B6BE3

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c66c29966ed723fbb8f7f781e6c0256fda6371f230bc1384d1653f03a7a261e4
Instruction ID: 3cf6e479ba6790ee5f7ceaa94a3c563d2774b0d9a2cd5af08baba4709a151b3d
Opcode Fuzzy Hash: c66c29966ed723fbb8f7f781e6c0256fda6371f230bc1384d1653f03a7a261e4
Instruction Fuzzy Hash: 795142B49042498FDB14CFA9D588BDEBBF0FF49314F20846AE419B7250DBB4A884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0797A088, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0797A2BE

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 53034373c25ab2daa64314b61927079e6eec7e6ca2a9b25c89bcfd1afb21aa1d
Instruction ID: 481bc5646533c08f6eaa460d4edac82efdb79ff9740074dc770d144be12e4070
Opcode Fuzzy Hash: 53034373c25ab2daa64314b61927079e6eec7e6ca2a9b25c89bcfd1afb21aa1d
Instruction Fuzzy Hash: 259129B1D0021ADFEF14CF68C881BEDBBB6FB48318F048569E819A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 052BBAD8, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 052BBD2E

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0a5638ed9f292486fc464ae4e97aad6064a3a17f82f84c0c26ac64046721892f
Instruction ID: 41fad8f5a731e594b17f74c2f6c1ee0366390720b49a3c3d012f55badd4aabf8
Opcode Fuzzy Hash: 0a5638ed9f292486fc464ae4e97aad6064a3a17f82f84c0c26ac64046721892f
Instruction Fuzzy Hash: 8A714570A10B068FE724CF2AD45479ABBF1FF48354F00892ED48AD7A54DBB5E8468F91

Uniqueness

Uniqueness Score: -1.00%

Function 052BDB98, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052BDCAA

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6646df14ac7ff33a43cbbd638948896cfc953a3e3152198b1be193e8dd69b68a
Instruction ID: 320076e99de1d9aa3631b5082c72736cf75a47a08a35422df2b07d24de1b724d
Opcode Fuzzy Hash: 6646df14ac7ff33a43cbbd638948896cfc953a3e3152198b1be193e8dd69b68a
Instruction Fuzzy Hash: 7F41B0B5D103099FDB14CF99C884ADEFBB5FF48354F64812AE819AB210D7B59885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 052BDDA0, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 052BDE3D

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 076f07f5e993cee83e4d49cca4fe2a6bc9d07d72be423b3ce0ac2a887a5be4dd
Instruction ID: aa2e7837099f7bb1686457fde19204358d449e2055fd812310cb3aaaf54c05f6
Opcode Fuzzy Hash: 076f07f5e993cee83e4d49cca4fe2a6bc9d07d72be423b3ce0ac2a887a5be4dd
Instruction Fuzzy Hash: 0221A7B6810208DFDB01CFA4D948BDEBBF4EF49324F09885AE855B7210C3B4A904CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07979E00, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07979E90

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 327817c2358d56ce082eb9fc0ca263dec65e11d696f8a762b29b9523fd5afba5
Instruction ID: 42c83fb0d8d6eb1ef086fefabb744189225503feab14404dd94f6a19d498b4d7
Opcode Fuzzy Hash: 327817c2358d56ce082eb9fc0ca263dec65e11d696f8a762b29b9523fd5afba5
Instruction Fuzzy Hash: 2C2126B59003199FCB10CFA9C884BDEBBF5FF48324F008429E919A7240C778A954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07979858, Relevance: 1.6, APIs: 1, Instructions: 68threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 079798DE

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 7de468bbbbd9a7e5ec431f401b97a5e9f8cdb1a7aafeb1a73579328437619881
Instruction ID: 54203f34ad9a869b549c5ea48bf7c5e7149de939c0ce979670830313bd89fa2e
Opcode Fuzzy Hash: 7de468bbbbd9a7e5ec431f401b97a5e9f8cdb1a7aafeb1a73579328437619881
Instruction Fuzzy Hash: 7B2139B19003098FDB10DFAAC4847EEFBF4EF48228F14842AD519B7340DB78A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07979EF0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07979F70

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f5cfb07793b5ab5acae5ae14007f8b47738aa413ed4d2ddd70d2a73ce2d07154
Instruction ID: f1ae362d4efe73aa6412ff916995e2d1f44e5f0ed1e287baf113401d102b319d
Opcode Fuzzy Hash: f5cfb07793b5ab5acae5ae14007f8b47738aa413ed4d2ddd70d2a73ce2d07154
Instruction Fuzzy Hash: 202128B19003199FCB10CFAAC884BDEFBF5FF48324F508429E919A7240C778A954CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07979860, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 079798DE

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2445243ec23a6d23bba5e8e78d2dd8b924446b20b61af2cd0a37900b0f2b1c05
Instruction ID: b5127e5e96b2dca2c8c447d25d8a08ffafd66ec7d30d57087fdf1ff239a73e78
Opcode Fuzzy Hash: 2445243ec23a6d23bba5e8e78d2dd8b924446b20b61af2cd0a37900b0f2b1c05
Instruction Fuzzy Hash: 3B2118B1D003098FDB10DFAAC4847EEBBF4EF48228F54842AD559A7340DB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052B6CD8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 052B6D5F

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9215dd7aa5707caf6d58455eb80eef259d89e134fd5f62109e9d7da60eb0ca9d
Instruction ID: 9a074ac495d786cec29ab73d057e81058ffd8b8c7dff5b09e90d8a82cf2bd054
Opcode Fuzzy Hash: 9215dd7aa5707caf6d58455eb80eef259d89e134fd5f62109e9d7da60eb0ca9d
Instruction Fuzzy Hash: 5A21C2B5900219AFDB10CFA9D884ADEFBF8FB48324F14841AE915B3310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052B6CD1, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 052B6D5F

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 42d392051acac252d26914ac3064071128f84ebad834c868b25ea2e5936534db
Instruction ID: 7d6783648f32373b97d2cdb06d0a9d6f2fef8365c3c01a11ed6df0aec5b0af1b
Opcode Fuzzy Hash: 42d392051acac252d26914ac3064071128f84ebad834c868b25ea2e5936534db
Instruction Fuzzy Hash: B121B0B59002199FDB10CFA9D984AEEBBF4FB48324F15841AE919B3350D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07974010, Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0797408B

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 901186a94751562176bb6127bf72176ae327b18c87745a192c9b776c743cf408
Instruction ID: e2a2db8003f14beb02bca1eaf666e1f10fd8f3c6d5a6038d13771abe4524cfb4
Opcode Fuzzy Hash: 901186a94751562176bb6127bf72176ae327b18c87745a192c9b776c743cf408
Instruction Fuzzy Hash: 1D2106B59002499FCB10CF9AC484BDEFBF8FF49324F10842AE868A7651D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052BAFF8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,052BBDA9,00000800,00000000,00000000), ref: 052BBFBA

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 43948673e68a430458d8204f2971de31f4266ae7b3ae7c21fbb200df2f9d0975
Instruction ID: 9c5d36080c133638e425c7eeed7444040ecd263611bc880d1ade7b18188562c5
Opcode Fuzzy Hash: 43948673e68a430458d8204f2971de31f4266ae7b3ae7c21fbb200df2f9d0975
Instruction Fuzzy Hash: 4E1103B69042098FDB10CFAAC444BDEFBF4EB48360F04842EE919B7600C3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07974018, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0797408B

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 54040ab3fcc19debb426c9f561b73d71633ebbf93ff71b2b4590fb7a09454b66
Instruction ID: 0695d5ddb91c9bdaded2588ee0c9a356c28a739496f04ab9a68827e9f5e5dd05
Opcode Fuzzy Hash: 54040ab3fcc19debb426c9f561b73d71633ebbf93ff71b2b4590fb7a09454b66
Instruction Fuzzy Hash: BF21E4B59002499FCB10CF9AC484BDEFBF8FB48324F108429E968A7650D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 079797A8, Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07979812

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 671add41690ce3d8348bc9c7e5506d3e078e827f8d00de6833cea551dc68a1b6
Instruction ID: f4c32fc29c303fa9290d1791b5c1c4d1f163b046bf53b16e2926501d98734d71
Opcode Fuzzy Hash: 671add41690ce3d8348bc9c7e5506d3e078e827f8d00de6833cea551dc68a1b6
Instruction Fuzzy Hash: 3E1128B5D043498BCB10DFAAC4487DEFBF8EB88328F148429D519B7740D779A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07979D40, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07979DAE

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 787d832b430fe452154bfb157cf9e8e0ac6ceda37abe5cdd8e9b7812b60e3084
Instruction ID: b3a21b5be28c42e5f80d283debeb6ff3baa96ab8adc02ccda57ac492fd3e383b
Opcode Fuzzy Hash: 787d832b430fe452154bfb157cf9e8e0ac6ceda37abe5cdd8e9b7812b60e3084
Instruction Fuzzy Hash: E111F6759002499FCB10DFA9C848BDEBBF5EB48324F148419E515A7250C775A954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 052BBF49, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,052BBDA9,00000800,00000000,00000000), ref: 052BBFBA

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b2d2c9ad997581b1410d846c46a26faa37791b0d9f4e4d63db8a47d8415fc257
Instruction ID: 2f2236b86563ffc8aa76f797003dea2ac7eda9b025525a175434bad82bb3e37d
Opcode Fuzzy Hash: b2d2c9ad997581b1410d846c46a26faa37791b0d9f4e4d63db8a47d8415fc257
Instruction Fuzzy Hash: 7811D0B69042098FDB10CFAAD484BDEFBF4BB48364F14842AE519A7600C3B9A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07977150, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 079771C0

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 4fbae5b6b6336ab9a6d254c3b4ecda4d1c6c1a20531719a3f5a95a10b49609b7
Instruction ID: 6e4d2de28da970a00374affa6acad2e021abc1b2c6f146a0544d436a75657728
Opcode Fuzzy Hash: 4fbae5b6b6336ab9a6d254c3b4ecda4d1c6c1a20531719a3f5a95a10b49609b7
Instruction Fuzzy Hash: 421104B5D0061A9BCB10CF9AD844B9EFBF8FB48324F10811AD818B3740D774A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07977148, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 079771C0

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 5eb2977aca8bcdee27d21978997b56be27a21f418f12d4fc939a1e0f8bb717ba
Instruction ID: 6fd385a01e45f077e3208f100fa7bbdfefdc337193dd1a32e8845adf12c2e01f
Opcode Fuzzy Hash: 5eb2977aca8bcdee27d21978997b56be27a21f418f12d4fc939a1e0f8bb717ba
Instruction Fuzzy Hash: 5B1112B5D0061A9BCB10CF9AD584B9EFBF8FF48324F00852AD818B3600C778A554CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 079797B0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07979812

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dcb99723e6f6224222893579d649314504f0a63a3f1a6489ee3e2f399a7f3ffe
Instruction ID: 664f36f2c948faa0480cc0b20880528e74a8078659b07ff6987524048b099a63
Opcode Fuzzy Hash: dcb99723e6f6224222893579d649314504f0a63a3f1a6489ee3e2f399a7f3ffe
Instruction Fuzzy Hash: A71125B19002498BCB10DFAAC4487DEFBF8EB88228F148429D519A7240C779A944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 052BBCC8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 052BBD2E

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5dacee22e40ecfebb5ce3e8d3cb312d7780932ca9c0f36891cafdc5506eff1f4
Instruction ID: 1cff66b8f30422fcb604417f04397ac81465f982f38c804f91daf974c3714ed7
Opcode Fuzzy Hash: 5dacee22e40ecfebb5ce3e8d3cb312d7780932ca9c0f36891cafdc5506eff1f4
Instruction Fuzzy Hash: 8F11C0B580024A8FDB10CF9AC444BDEFBF4EF89324F14841AD419A7600C3B9A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07979998, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0797F2A5

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 94894a01097c6807ec62ece582a8f4ccc0e15426182927e9979d6fd18272afde
Instruction ID: 2d54f65fe03af2bbb255940636918de0c0c87673a9926b7f4a95c648555ed39f
Opcode Fuzzy Hash: 94894a01097c6807ec62ece582a8f4ccc0e15426182927e9979d6fd18272afde
Instruction Fuzzy Hash: 7811F2B98003499FDB10DF99C489BDEBBF8FB49324F108819E915B7600D3B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 052BDDE0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 052BDE3D

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 47390c69ac766065daf455edd0e6138f1ea8e305e0f7e20634fb426ff0dd9bd3
Instruction ID: c6412718c9a828a2e2767d2d8e1100770238de4ed3dffc6984fcf13ee7add8bc
Opcode Fuzzy Hash: 47390c69ac766065daf455edd0e6138f1ea8e305e0f7e20634fb426ff0dd9bd3
Instruction Fuzzy Hash: 3C11CEB58002099FDB10CF99D488BDEBBF8EB49324F10841AE919A7700C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0141D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669521209.000000000141D000.00000040.00000001.sdmp, Offset: 0141D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433a1330d9be9f4b1e45ac5513e3ccf08ba443b25a4b58fedda38c62c1fb4b55
Instruction ID: 8c8fe4afac9c264bd9b13b4fe3eb25c8f77ed6fe814453f34d6125aef91d0f9a
Opcode Fuzzy Hash: 433a1330d9be9f4b1e45ac5513e3ccf08ba443b25a4b58fedda38c62c1fb4b55
Instruction Fuzzy Hash: DD21D6F1904240DFDB05CF54D9C8B17BFA5FB88328F24856AE9054B22AC336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0142D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669544936.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e3d8ae7f8557106351b6da2ab565ca46a05c5b2e8d3183aa274896ef94d9af
Instruction ID: 4386b7e5fd2c96f351b79263c6099582244768a792e8a86978fbd1475783038a
Opcode Fuzzy Hash: 37e3d8ae7f8557106351b6da2ab565ca46a05c5b2e8d3183aa274896ef94d9af
Instruction Fuzzy Hash: 8E2137B1904200DFDB05CF94D9C0B26BBA5FB85324F24C9AEE9094B366C776D886CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0142D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669544936.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5e8ddd43d9d88a24b1fbd348c57ab914cdc4a75f52a8ce9503f979d26bd8880
Instruction ID: e49a7fb993ba2612688f0f44c5cd24489464cd4321fe077ff98f4b3baf92eb65
Opcode Fuzzy Hash: f5e8ddd43d9d88a24b1fbd348c57ab914cdc4a75f52a8ce9503f979d26bd8880
Instruction Fuzzy Hash: 242125F1904240DFCB15CF54D8C4B16BBA1FB84358F64C56ED9094B366C37AD887CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0F7408E8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682823670.000000000F740000.00000040.00000001.sdmp, Offset: 0F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77921f9af14b61ab9c679d3562309881f10165326ef4c3887584e1b0b44a9ca6
Instruction ID: 8b6c454b2070c2c0845f5f3ee38a13ff7dbc9387c26b6690f4f20186857e548f
Opcode Fuzzy Hash: 77921f9af14b61ab9c679d3562309881f10165326ef4c3887584e1b0b44a9ca6
Instruction Fuzzy Hash: 0721DA71A042058BDB14DF69D4857FEBBF2AF44310F14C579D159DB292CB386446CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0142D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669544936.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 648a252d7b799a53138ebce1498e8ad3810cac04012772fa0ad37709ab413888
Instruction ID: a017993cfbca2679c0deda3c27a999bda427ed6b7cb4e6df10134e281761dc5c
Opcode Fuzzy Hash: 648a252d7b799a53138ebce1498e8ad3810cac04012772fa0ad37709ab413888
Instruction Fuzzy Hash: 0D2162755093808FDB13CF24D594716BF71EF46214F28C5DBD8498B667C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0141D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669521209.000000000141D000.00000040.00000001.sdmp, Offset: 0141D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction ID: 6807a2faaa01266ef458828d839904566245352028727e92b98f6bafd923e019
Opcode Fuzzy Hash: abf9d05837f20679d6678064280a21b40d007861ebc24b3ccb10da70a24719c3
Instruction Fuzzy Hash: DD11D6B6904240CFCB16CF54D5C4B16BF71FB84324F2486AAD8050B72BC336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0142D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669544936.000000000142D000.00000040.00000001.sdmp, Offset: 0142D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction ID: 4eb4c9fb4a7ca00638046877b6bb8964f0aca0503335213343a54ad6b5ef1bc7
Opcode Fuzzy Hash: 21dbda9fffde9beb189af7165341122266bd3c9337f42a4093e234a02c9dbdce
Instruction Fuzzy Hash: 6F118B75904280DFDB12CF54D5C4B16BBB1FB85324F28C6AAD8494B766C33AD48ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0141D75D, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669521209.000000000141D000.00000040.00000001.sdmp, Offset: 0141D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 391e26cfc6ec7b08f0f2410d557e927e524b1d7f379d695ca3a35cffcf2f44b3
Instruction ID: d8035aa0ccb77bffd1116c13cbd5b6aba6d07238c2d084fd4b6c0c00850bff14
Opcode Fuzzy Hash: 391e26cfc6ec7b08f0f2410d557e927e524b1d7f379d695ca3a35cffcf2f44b3
Instruction Fuzzy Hash: BC01DBB19083849EE7105A59CCC8767FBD8EF45664F08C45BEE185B25EC3789845C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0F7416E0, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682823670.000000000F740000.00000040.00000001.sdmp, Offset: 0F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06456b00d401465266fed9ed140cdcd1804e0be153e2705277afa40160a0f73f
Instruction ID: 9acbd1ac808dbd55ed17785dafcf323ad5165cdf8277bf24dea5d0931ee349f1
Opcode Fuzzy Hash: 06456b00d401465266fed9ed140cdcd1804e0be153e2705277afa40160a0f73f
Instruction Fuzzy Hash: 17F067B4D0020ACFDB00EFA8D902BEEBFF4BB08310F41895AD024E3A02D3B196418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0141D75C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.669521209.000000000141D000.00000040.00000001.sdmp, Offset: 0141D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f66fdc26cdcd6d449a38b24032a4abe6c018fe28cb1492a6fee51a4fac95064
Instruction ID: a4b7979aef526ae95d39edf7d399fcecaf3349a816fecffc67fd2413fc17fd6a
Opcode Fuzzy Hash: 5f66fdc26cdcd6d449a38b24032a4abe6c018fe28cb1492a6fee51a4fac95064
Instruction Fuzzy Hash: DDF062B14042849EE7118A19CCC8B63FFE8EF85634F18C45AED585B69AC3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0F7408F8, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682823670.000000000F740000.00000040.00000001.sdmp, Offset: 0F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2747cbc5457a9f52e95212e4f47c8855613c1a01cb5ad7e67f801e75a98988
Instruction ID: 8a21161d170d6bcc75e5b841b0a58236b7081b8ff844808d89d78c67c77a687f
Opcode Fuzzy Hash: 6b2747cbc5457a9f52e95212e4f47c8855613c1a01cb5ad7e67f801e75a98988
Instruction Fuzzy Hash: 5B0119B4D0420ADFDB10DFAAD4557FEBBF0AB08300F14846AD168E7292D738A641CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0F7416F0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682823670.000000000F740000.00000040.00000001.sdmp, Offset: 0F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b7bc6c05129d025b711cc7525411cfcae7cdf85f71015307bd9e22474dc004
Instruction ID: 0f2973765954e19827d3a925483b5acef3993657b7698cf5ed6fb15417587e79
Opcode Fuzzy Hash: 63b7bc6c05129d025b711cc7525411cfcae7cdf85f71015307bd9e22474dc004
Instruction Fuzzy Hash: C7F03AB4D0020A9FDB44EFA9C801BAEBFF4BB0C300F4045A9D918E7202D770A5408BD5

Uniqueness

Uniqueness Score: -1.00%

Function 0F740978, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682823670.000000000F740000.00000040.00000001.sdmp, Offset: 0F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a72a2ae194026977c7d97a2fca3e00c6f885beab12724ef9fdf4c782f4c7b4c9
Instruction ID: 058801cfe0290a6ef295e14393e8e6cf22f8646683cf1b87d513cb995e10eb62
Opcode Fuzzy Hash: a72a2ae194026977c7d97a2fca3e00c6f885beab12724ef9fdf4c782f4c7b4c9
Instruction Fuzzy Hash: DAF0EC9084D3D5DFD7114BB098282697F70DB07240F0945CAD191DB263C7785505CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0F741698, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682823670.000000000F740000.00000040.00000001.sdmp, Offset: 0F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e1272da5ce5754457f49b26ae3af4a5eadf3d57c0390582b3189b9c779a80b
Instruction ID: 41473ab78da24e9a2d6290ccc413c976ea3793aadd9a8573ec259c71f8d256ca
Opcode Fuzzy Hash: f7e1272da5ce5754457f49b26ae3af4a5eadf3d57c0390582b3189b9c779a80b
Instruction Fuzzy Hash: CCE0B6B0D40209DFD740EFB9C905A5EBBF5BF08600F5585A9D019E7222EBB496458F92

Uniqueness

Uniqueness Score: -1.00%

Function 0F741790, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682823670.000000000F740000.00000040.00000001.sdmp, Offset: 0F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5346d56ed6c037e70387ac8d3d5fce22a9bd0a61b884c89d5cd73577050b52b7
Instruction ID: f73fd882a531cedf6b6e5bcb483ef385437f731d1f25cf421025597581f1bf2f
Opcode Fuzzy Hash: 5346d56ed6c037e70387ac8d3d5fce22a9bd0a61b884c89d5cd73577050b52b7
Instruction Fuzzy Hash: 21D012362542089E4B42FA95E840C537BDCBB58740B808032F504CB032E761F5A4D752

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 079777D1, Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

!, xrefs: 07977A03
!, xrefs: 07977A1A
!, xrefs: 079779FC

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID: !$!$!
API String ID: 0-1246445339
Opcode ID: 66425ec97e0a1415efe82228056e97bf8231c803e58dab921bbe5abe26643281
Instruction ID: 95468d12f559828f76d6a0643d6a05a226f1d09602cb34e3548b58f69cd9f746
Opcode Fuzzy Hash: 66425ec97e0a1415efe82228056e97bf8231c803e58dab921bbe5abe26643281
Instruction Fuzzy Hash: 997139B0E1520A9FDB04CFE9C4819EEFBF2AF89314F14D826D514AB354D6749A42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 079777E0, Relevance: 3.9, Strings: 3, Instructions: 180COMMON

Download Yara Rule

Strings

!, xrefs: 07977A03
!, xrefs: 07977A1A
!, xrefs: 079779FC

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID: !$!$!
API String ID: 0-1246445339
Opcode ID: 29e3e3b407998c842e2576f75fb788797019d9a1743d0587545cf6d8c4ee9b87
Instruction ID: e748cd2d0add450ec542e2dd223f34ad20e8032c1f07fcbd939fee78cf643756
Opcode Fuzzy Hash: 29e3e3b407998c842e2576f75fb788797019d9a1743d0587545cf6d8c4ee9b87
Instruction Fuzzy Hash: D26137B0E1521A9BDB04CFEAC4819EEFBF2AF89314F14D825D514AB354D7749A42CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07977330, Relevance: 2.7, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

%%R!, xrefs: 07977469
<~':, xrefs: 0797744D

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID: %%R!$<~':
API String ID: 0-727281965
Opcode ID: 7cd2d6c79e5b854302af992e237d986d9f4d546bcdcfbce176d437e71f09a3b8
Instruction ID: f2ea74c17277bce871119bbf8f95256b83c28f4745aadd3cfced031520efa7a9
Opcode Fuzzy Hash: 7cd2d6c79e5b854302af992e237d986d9f4d546bcdcfbce176d437e71f09a3b8
Instruction Fuzzy Hash: 8FA115B4E042198BCB08CFE9D5415DEFBF2BF89318F24C52AD805AB318E7349941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 07977320, Relevance: 2.7, Strings: 2, Instructions: 245COMMON

Download Yara Rule

Strings

%%R!, xrefs: 07977469
<~':, xrefs: 0797744D

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID: %%R!$<~':
API String ID: 0-727281965
Opcode ID: 039edc21d8f79fbba261657c1016943db1c280157969c5e6e47f2a8d14e09b3f
Instruction ID: 3e70ae277a196fa608a4d609a4bd00f67e6b1946622d77ceca6462c52fd5e8cd
Opcode Fuzzy Hash: 039edc21d8f79fbba261657c1016943db1c280157969c5e6e47f2a8d14e09b3f
Instruction Fuzzy Hash: CBA116B0E042198BCB08CFE9D5415DEFBF2AF89318F14C56AD808AB358E7349942CF65

Uniqueness

Uniqueness Score: -1.00%

Function 079708D8, Relevance: 2.7, Strings: 2, Instructions: 161COMMON

Download Yara Rule

Strings

d?, xrefs: 07970932
fA?, xrefs: 07970A1C

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID: d?$fA?
API String ID: 0-2957904418
Opcode ID: 6372f945c1a6713c50cc0c71913ed3b3733cd758c30c1d988e44d9ebf31c4801
Instruction ID: faa707c975cfd563da7bea3a7c610e4d0fddd9eb28cebba5b18e8755a735b295
Opcode Fuzzy Hash: 6372f945c1a6713c50cc0c71913ed3b3733cd758c30c1d988e44d9ebf31c4801
Instruction Fuzzy Hash: 1961D0B4E15219CFDB08CFAAC5809EEFBF2BF89214F24942AD445B7214D7709A02CF64

Uniqueness

Uniqueness Score: -1.00%

Function 079708C8, Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

d?, xrefs: 07970932
fA?, xrefs: 07970A1C

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID: d?$fA?
API String ID: 0-2957904418
Opcode ID: f21e87ac2537a37f0f482e0d75a1ee449367051bc66427f3279a70a505908137
Instruction ID: ff55dba2acc113b63227496f163155f3ddfaefc09243bfd4d6defb505d5248b8
Opcode Fuzzy Hash: f21e87ac2537a37f0f482e0d75a1ee449367051bc66427f3279a70a505908137
Instruction Fuzzy Hash: 256104B4E15219CFDB08CFA9C5809EEFBF2BF89214F24942AD455B7214D3749A02CF64

Uniqueness

Uniqueness Score: -1.00%

Function 052BC1D0, Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d88adc63e07e32de5406faf55d385d225f65e2e49706e473d4c3f128ed1720d
Instruction ID: 62aa128aaced7719aac47764ccf9c7cdd2169b450150d239f7b13fd614accb2d
Opcode Fuzzy Hash: 2d88adc63e07e32de5406faf55d385d225f65e2e49706e473d4c3f128ed1720d
Instruction Fuzzy Hash: 055279B15607068FD711CF24E8CA5993FF9FB85328F908208E5626FA90DBB46546CF88

Uniqueness

Uniqueness Score: -1.00%

Function 079749E0, Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8c709afc8f3941e01791524792bc1a6860658354e3c150df3a3e0b006def0b
Instruction ID: 9a10050845a08417b90c8f62911ee1b700346d3c8962d3360156bf4c42484389
Opcode Fuzzy Hash: bb8c709afc8f3941e01791524792bc1a6860658354e3c150df3a3e0b006def0b
Instruction Fuzzy Hash: 2BE18FB4E142598FCB04CFA5D980AAEFBB2FF89314F249169D405AB366D7309D41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07974A30, Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a54538e138641c2fd11c93bc233162330fdbc532e1636253b8aa8e30427949
Instruction ID: 596f84029d308d6bad375db0c78c0949907dbb74d1dc05c0d9e71d4498f57fb8
Opcode Fuzzy Hash: 79a54538e138641c2fd11c93bc233162330fdbc532e1636253b8aa8e30427949
Instruction Fuzzy Hash: 0BD15BB4E142598FCB14CFA5D980AAEFBB2FF89304F249569D408AB366D7309D41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 052B98B0, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.675237871.00000000052B0000.00000040.00000001.sdmp, Offset: 052B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79dbc9ae9d183e75e230d62884a0661db024020a150abf5680e06280ada1bfbb
Instruction ID: 7ae1ffbf37094b6806272a3ad82339fa6e55220a586c4dd853f865e2e5f60a2c
Opcode Fuzzy Hash: 79dbc9ae9d183e75e230d62884a0661db024020a150abf5680e06280ada1bfbb
Instruction Fuzzy Hash: 42A16132E2061A8FDF05DFB5C8845DDBBB6FF85340F15856AE906BB220EB71A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0797CD10, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1278a56c3e29f479babf732be5acb059d2ecf6097ecec6274b1ff21158cb8e
Instruction ID: a71bcdb3464f792c55271d716cb7fa42c158c8f24c78c3f3bc2bd7f39d30bf6a
Opcode Fuzzy Hash: 7b1278a56c3e29f479babf732be5acb059d2ecf6097ecec6274b1ff21158cb8e
Instruction Fuzzy Hash: 0791F6B4E15209CBCB14CFA9D4815AEBBB6BF8A344F10942AD415BB314E7749A42CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07970006, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ad873bc53bfa014a8aa8a65213b92f19e6f06497367fa6f5f341513b3bd11b8
Instruction ID: 95e93fc89e970f552271bfbab581891da0b678db8df6e1cf932e9cb9cf0d03c8
Opcode Fuzzy Hash: 4ad873bc53bfa014a8aa8a65213b92f19e6f06497367fa6f5f341513b3bd11b8
Instruction Fuzzy Hash: 70713AB4E0520A9FCB05CFA9C4818AEFFB2FF49314F198566D405AB352D3349982CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0797D118, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09018f5d1bdaf0a2253e11b777417e7a41b30f12953cd216bd47cf82342a0f00
Instruction ID: b10192d3dbb03412bda87680e53a5a25c8e683db73d2b6640ad482363f720c3b
Opcode Fuzzy Hash: 09018f5d1bdaf0a2253e11b777417e7a41b30f12953cd216bd47cf82342a0f00
Instruction Fuzzy Hash: 2B612BB0E1566ACBDB28CF66C84479DB7B6BFC9304F10D5E6D40DA6214EB705A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 07970040, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f31a09ad58567b0908431d37a5e956edb396c8a74b401f4d68808878c3eac0d
Instruction ID: a20e8a6be5a1973131d5acebba8de34b30a79f91b01fd20f20cb9077c8cc4050
Opcode Fuzzy Hash: 3f31a09ad58567b0908431d37a5e956edb396c8a74b401f4d68808878c3eac0d
Instruction Fuzzy Hash: 2671F2B4E1520ADFCB04CFA9D5818AEFBB2FF89314F148819D415AB315D770AA82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07971860, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 318b3afb01dd778ba546e0d886d86e380fdbf96b67ebaf4e73c789bea5ad52bd
Instruction ID: b87924631faae51220ce59890a1f414a682608998c5cb24279ba24aebdb1a0f7
Opcode Fuzzy Hash: 318b3afb01dd778ba546e0d886d86e380fdbf96b67ebaf4e73c789bea5ad52bd
Instruction Fuzzy Hash: CA415EB1E116198BEB28CF6B9D4539EFBF3BFC9304F14C1BA850CA6214DB340A458E11

Uniqueness

Uniqueness Score: -1.00%

Function 07970B38, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba423f96deae1b1e41dbbb734c0bf522cfe5db0e8049239fa1b6e5e1da9b8a0
Instruction ID: 8c9af98b9c6fed3a81e139c18e5ce07e212e0ee7c5032906fa75b0b6db99283b
Opcode Fuzzy Hash: cba423f96deae1b1e41dbbb734c0bf522cfe5db0e8049239fa1b6e5e1da9b8a0
Instruction Fuzzy Hash: A841F7B0E1520ADFDB04CFAAC5815AEFBF2FB89304F24C56AC409B7254D7349A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 07970B2B, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ce24b253be672801ad1785f8e3bc93e00a90dc16220ad33609188e56219265
Instruction ID: ca6b56346c4512902cf1e31508ea3ac50d5bed7abb5e76f44fef477402d94f53
Opcode Fuzzy Hash: 98ce24b253be672801ad1785f8e3bc93e00a90dc16220ad33609188e56219265
Instruction Fuzzy Hash: 7A4104B4E1520ACFDB04CFAAC5815AEFBB2FF89314F24C56AC409A7254D7349A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 079706D0, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5993fe29025d667d6e51582cb1ad7c78d866c47d55f6e4eef102609d6a19df3b
Instruction ID: aa5ed5c10de495dca43f924bf8cb910e17030ddbc8d816c69e342bffa8df46c7
Opcode Fuzzy Hash: 5993fe29025d667d6e51582cb1ad7c78d866c47d55f6e4eef102609d6a19df3b
Instruction Fuzzy Hash: B141E6B0E0560ADBCB44CFAAC8815EEFBF2EF89304F24D529D419AB204D7749641CF94

Uniqueness

Uniqueness Score: -1.00%

Function 079706C3, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996bda0b8e91d42afeec8a531ab239dd0ffaac830e6174d36b25c36d86aa9d07
Instruction ID: acf14e2a3dc7bd53840daa0532812d60548603bbb365f3183173a6d37ee59f7b
Opcode Fuzzy Hash: 996bda0b8e91d42afeec8a531ab239dd0ffaac830e6174d36b25c36d86aa9d07
Instruction Fuzzy Hash: 884108B0E0560A9FCB04CFAAC8815EEFBF2EF89314F24C56AD419AB254D7749641CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0797185F, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75551766127617bfbbf920d5e26688fddd97a2168d9eaf054fd5acaf98018d95
Instruction ID: c767911d3ac3dab52ec4ad034ebe8cd63ebb5b09dba1a6779adf9aaac8a56215
Opcode Fuzzy Hash: 75551766127617bfbbf920d5e26688fddd97a2168d9eaf054fd5acaf98018d95
Instruction Fuzzy Hash: BE412EB1E116198BEB6CCF6B9D4539EFAF3BFC9300F14C1BA950CA6258DB3409458E11

Uniqueness

Uniqueness Score: -1.00%

Function 0F7417B8, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682823670.000000000F740000.00000040.00000001.sdmp, Offset: 0F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 734c71fec6e2d77cf86e0315c2a2a538852962d7120c84319479b837dd32a8c2
Instruction ID: 2e47cfb35d336a67c3c032b20b8daefd3bd2989052ef36ef628439695a6e7033
Opcode Fuzzy Hash: 734c71fec6e2d77cf86e0315c2a2a538852962d7120c84319479b837dd32a8c2
Instruction Fuzzy Hash: 2721B570D45218DFCB12AFA1D448BFDBBF9BB0A320F805525E015B3292C7F46990CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0F7417C8, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.682823670.000000000F740000.00000040.00000001.sdmp, Offset: 0F740000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43dbcf315262a50c6e304fc20529e764cac7526209c7b407484a7f002674c53f
Instruction ID: aa5e7fa66f151ac674ec554e89c718cbe7f740558eb10b8b26441e8c5a3c1619
Opcode Fuzzy Hash: 43dbcf315262a50c6e304fc20529e764cac7526209c7b407484a7f002674c53f
Instruction Fuzzy Hash: 61219170D46218CFDB12EFA5D448BEDBBF9FB0A310F80412AE405B3282C7B46994CB56

Uniqueness

Uniqueness Score: -1.00%

Function 079750F8, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136ff3850e51539cc3fdd9a7ddf271ad48e6c486ee53536d87e92266d0c9dbb9
Instruction ID: 1a31546e1887b0508f03effc77117a663081aac649f0d0887d13786ca433bb1f
Opcode Fuzzy Hash: 136ff3850e51539cc3fdd9a7ddf271ad48e6c486ee53536d87e92266d0c9dbb9
Instruction Fuzzy Hash: 15215CB1E052089FCB48CFAAD94129EFBF3AB89214F14C16AD818EB254E6344A02CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07975140, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a51fcd76dd407c7037c307b78a4df184c4d0b78ac098ff8c1fc26c582935c1b0
Instruction ID: 287caf0b30ead4bd1ff91cfb63b1ef726210c5d992c820efeb2e930daecab531
Opcode Fuzzy Hash: a51fcd76dd407c7037c307b78a4df184c4d0b78ac098ff8c1fc26c582935c1b0
Instruction Fuzzy Hash: 9E2147B1E152198BDB18CF6AD8416AEFBF7AFC9210F15C12AD408BB254EA345A11CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07975150, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb44d9b296d45750b6208fcb0eedf621af944696e3c13dda3549c64ca5eaad30
Instruction ID: 46e80d4313aeb32f6a28ea6804455cf3593d288ae70d2e02577d950e7eff906f
Opcode Fuzzy Hash: eb44d9b296d45750b6208fcb0eedf621af944696e3c13dda3549c64ca5eaad30
Instruction Fuzzy Hash: 7F2118B1E112198BDB58CFAAD94069EFAF7BBC8210F14C12AD508AB254DB345A018B51

Uniqueness

Uniqueness Score: -1.00%

Function 07970CF0, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1d9577c59fd6a126f4516c9245b7a53110e04f72be415691fb3dbdf9ba8098e
Instruction ID: 9c0d2abc2f4505c36a5072780d5a20d314e07e74e9b8f2fc8984ffc757863671
Opcode Fuzzy Hash: f1d9577c59fd6a126f4516c9245b7a53110e04f72be415691fb3dbdf9ba8098e
Instruction Fuzzy Hash: 9C110DB1E156188BEB5CCF6BDC4069EFAF3AFC9200F08C17AD808AA254DB344945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07977ACA, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679384620.0000000007970000.00000040.00000001.sdmp, Offset: 07970000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa0501a2be410bb0e92d0426de1ce3989ce35e27b5ca5e9ead595e02d169cc1
Instruction ID: 97c639ec1fb37b56a9f61a02072625891cf42389dc72afaa9984c88af7905d75
Opcode Fuzzy Hash: faa0501a2be410bb0e92d0426de1ce3989ce35e27b5ca5e9ead595e02d169cc1
Instruction Fuzzy Hash: A71158B1E152199FEB49CFAAD90129EFBF3AFC9300F18C06BD408A7254EA344A01CB50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: dhcpmon.exe PID: 7068 Parent PID: 3424 dhcpmon.exeCOMMON

Executed Functions

Function 02A116D8, Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

$,%l, xrefs: 02A1176D

Memory Dump Source

Source File: 00000005.00000002.701615486.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID: $,%l
API String ID: 0-2478089573
Opcode ID: eaae3e3dfb2637a097ba9c7e8bdde46418833ac222841ee170965e3b189b5435
Instruction ID: 4017ed579714f6bee381cae4b644e881e5bcdfa10fdefe1f86112ca8ea9eeb43
Opcode Fuzzy Hash: eaae3e3dfb2637a097ba9c7e8bdde46418833ac222841ee170965e3b189b5435
Instruction Fuzzy Hash: 2C11BE30B102089FCB19EBB4E454BAE77FAEF84608F10C069C609EB794DF349C068B91

Uniqueness

Uniqueness Score: -1.00%

Function 02A10F38, Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.701615486.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5312311cffd823550afe84451b852eba3ac164c9c751612fda1599e806c29df7
Instruction ID: 963b717bf4dcbc09b9ec90e6bdf875ddc04140f93ecdb282667a900de9449376
Opcode Fuzzy Hash: 5312311cffd823550afe84451b852eba3ac164c9c751612fda1599e806c29df7
Instruction Fuzzy Hash: 6F222D347006018FCB59EF64E59076A73B6FB84229B24893CD656CB788DF35EC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A10728, Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.701615486.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f49eae8dd3f6f11871deef9f15d5c6f0ae1edd63ca7efaa90db0c01d824013
Instruction ID: 09842722471554f23b885dc7a5c42010f31e5ab2da031a332b2a7568176b51e2
Opcode Fuzzy Hash: 20f49eae8dd3f6f11871deef9f15d5c6f0ae1edd63ca7efaa90db0c01d824013
Instruction Fuzzy Hash: 3281C234A003858FCB29AB74D45479EBBF2AF88324F05C569D8529B7A8DF75ACC5CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02A10E31, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.701615486.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628ced8deb264b4e4c628582c060a87aca7e6a282e42eb4e66e11c93b45670c7
Instruction ID: 9edf3c475fe94576d63364b80c1476646606f3ee46654b71b328e7328ff0824b
Opcode Fuzzy Hash: 628ced8deb264b4e4c628582c060a87aca7e6a282e42eb4e66e11c93b45670c7
Instruction Fuzzy Hash: 58314D707402508FC759AB38C4A8A6D37E1AF8A62931604BDE506CF7B1DF31EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A10E40, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.701615486.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8cd279a6c73e0b074ec0a6e3efce2377e994e5193ad6568304fe353664ba1b
Instruction ID: 656973fc80c51861cd4176d5fa5cb6c2e3b762abeac797c9863c81dfb6d9333d
Opcode Fuzzy Hash: ae8cd279a6c73e0b074ec0a6e3efce2377e994e5193ad6568304fe353664ba1b
Instruction Fuzzy Hash: AA21E9747502108FC759AB38D4A8A6D33E2AF8961935208B8E506CF771DF32EC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A117F8, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.701615486.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5289f97e85d3f6e3763195d38f38ab631eac567dce6fef11917e1e17d9cb51db
Instruction ID: 60e7e6e58143f2b6eb561946caa2d8df34e3a5ec26402a7ac40ae2501b6664ab
Opcode Fuzzy Hash: 5289f97e85d3f6e3763195d38f38ab631eac567dce6fef11917e1e17d9cb51db
Instruction Fuzzy Hash: DA11C875E002459FCB44EFB8D844ADFFBF5FF89210B10866AE519D7221EB31A945CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02A11808, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.701615486.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66fe92140eb3946a126f27dea1198b28110776ea0fef9ba9d057bfd3dc39a38
Instruction ID: 41bff77b79f26cdd9195b21765a605e6d2f46ad63c8a263ad6dbbb17118d66bb
Opcode Fuzzy Hash: d66fe92140eb3946a126f27dea1198b28110776ea0fef9ba9d057bfd3dc39a38
Instruction Fuzzy Hash: FF015E75E002059FCB44EFB8D8449EEFBF9FF8D2107118666E519D7221EB31A955CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02A10480, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.701615486.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69db138669b126c5b55225603da65a08e49187e468293fc1dc6a24b62a6e17f9
Instruction ID: 52ef8f93e6bd7239edecfcd3627235dabcf66b7dd35a60d99384545f696dd457
Opcode Fuzzy Hash: 69db138669b126c5b55225603da65a08e49187e468293fc1dc6a24b62a6e17f9
Instruction Fuzzy Hash: 1AF06DB0E483969FC7519FB4A9025DE7FF0AB46310F0480BFC884D7252E6780A55CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02A10B9C, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.701615486.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37959a39ee7575e557c8b131c0b4bc6c2aa93be597bb9e4fcdd7a6f36dbaaefa
Instruction ID: 8b317e83479fae5d79c039b91e8168bef91a4bfa1ebe5a7ea539d0b6929f7152
Opcode Fuzzy Hash: 37959a39ee7575e557c8b131c0b4bc6c2aa93be597bb9e4fcdd7a6f36dbaaefa
Instruction Fuzzy Hash: A6F01C70A04315CFEB24DB64C1597AD7BF0AF08228F150869D442A7795CF79A9C4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02A104A8, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.701615486.0000000002A10000.00000040.00000001.sdmp, Offset: 02A10000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b34079a4800cc919606ed2f9c83c02c8e6dc1cf703db7dcbe968a418957fe8
Instruction ID: 6f27764c5a3797474d8163825cd9d220d653bdba8a1f7a723698503ae4217c12
Opcode Fuzzy Hash: 31b34079a4800cc919606ed2f9c83c02c8e6dc1cf703db7dcbe968a418957fe8
Instruction Fuzzy Hash: BDD067B1D04229AF8B50EFB999051DEBBF8EA08250B1045B6D919E3604E6745A50CBD1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report J62DQ7fO0b.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets