Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Shipping Documents Original BL, Invoice & Pa.exe

Overview

General Information

Sample Name:Shipping Documents Original BL, Invoice & Pa.exe
Analysis ID:403691
MD5:b89d3e7dd6ee20a09506365497f6cc3a
SHA1:d5a40ae65560da802d5c5135d024d5fa8e840ff4
SHA256:c2af0dcf4558a32fde15405648d8dd6410c51d319812755fcb8e4f742723bad7
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

DLL reload attack detected
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Shipping Documents Original BL, Invoice & Pa.exe (PID: 5936 cmdline: 'C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe' MD5: B89D3E7DD6EE20A09506365497F6CC3A)
    • MSBuild.exe (PID: 5764 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
      • schtasks.exe (PID: 5792 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1680 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF909.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MSBuild.exe (PID: 1556 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 980 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 4116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5728 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: D621FD77BD585874F9686D3A76462EF1)
    • conhost.exe (PID: 4804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "692d457c-2b26-4af6-a5f8-088a1838", "Group": "Default", "Domain1": "", "Domain2": "172.93.166.26", "Port": 4090, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x11fe0d:$x1: NanoCore.ClientPluginHost
  • 0x15282d:$x1: NanoCore.ClientPluginHost
  • 0x11fe4a:$x2: IClientNetworkHost
  • 0x15286a:$x2: IClientNetworkHost
  • 0x12397d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x15639d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x11fb75:$a: NanoCore
    • 0x11fb85:$a: NanoCore
    • 0x11fdb9:$a: NanoCore
    • 0x11fdcd:$a: NanoCore
    • 0x11fe0d:$a: NanoCore
    • 0x152595:$a: NanoCore
    • 0x1525a5:$a: NanoCore
    • 0x1527d9:$a: NanoCore
    • 0x1527ed:$a: NanoCore
    • 0x15282d:$a: NanoCore
    • 0x11fbd4:$b: ClientPlugin
    • 0x11fdd6:$b: ClientPlugin
    • 0x11fe16:$b: ClientPlugin
    • 0x1525f4:$b: ClientPlugin
    • 0x1527f6:$b: ClientPlugin
    • 0x152836:$b: ClientPlugin
    • 0x11fcfb:$c: ProjectData
    • 0x15271b:$c: ProjectData
    • 0x272bb6:$c: ProjectData
    • 0x2f4bd6:$c: ProjectData
    • 0x120702:$d: DESCrypto
    00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936Nanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x30800:$x1: NanoCore.ClientPluginHost
      • 0x4f2a6:$x1: NanoCore.ClientPluginHost
      • 0x30861:$x2: IClientNetworkHost
      • 0x4f307:$x2: IClientNetworkHost
      • 0x35c66:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0x43bd8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0x5470c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0x6267e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      Click to see the 3 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xe38d:$x1: NanoCore.ClientPluginHost
      • 0xe3ca:$x2: IClientNetworkHost
      • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xe105:$x1: NanoCore Client.exe
      • 0xe38d:$x2: NanoCore.ClientPluginHost
      • 0xf9c6:$s1: PluginCommand
      • 0xf9ba:$s2: FileCommand
      • 0x1086b:$s3: PipeExists
      • 0x16622:$s4: PipeCreated
      • 0xe3b7:$s5: IClientLoggingHost
      0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xe0f5:$a: NanoCore
        • 0xe105:$a: NanoCore
        • 0xe339:$a: NanoCore
        • 0xe34d:$a: NanoCore
        • 0xe38d:$a: NanoCore
        • 0xe154:$b: ClientPlugin
        • 0xe356:$b: ClientPlugin
        • 0xe396:$b: ClientPlugin
        • 0xe27b:$c: ProjectData
        • 0xec82:$d: DESCrypto
        • 0x1664e:$e: KeepAlive
        • 0x1463c:$g: LogClientMessage
        • 0x10837:$i: get_Connected
        • 0xefb8:$j: #=q
        • 0xefe8:$j: #=q
        • 0xf004:$j: #=q
        • 0xf034:$j: #=q
        • 0xf050:$j: #=q
        • 0xf06c:$j: #=q
        • 0xf09c:$j: #=q
        • 0xf0b8:$j: #=q
        0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x42bad:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x42bea:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        • 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        Click to see the 2 entries

        Sigma Overview

        AV Detection:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        System Summary:

        barindex
        Sigma detected: System File Execution Location AnomalyShow sources
        Source: Process startedAuthor: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp', ParentImage: C:\Windows\SysWOW64\schtasks.exe, ParentProcessId: 5792, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5788
        Sigma detected: Possible Applocker BypassShow sources
        Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe' , ParentImage: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe, ParentProcessId: 5936, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5764

        Persistence and Installation Behavior:

        barindex
        Sigma detected: Scheduled temp file as task from temp locationShow sources
        Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 5764, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp', ProcessId: 5792

        Stealing of Sensitive Information:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 5764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpackMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "692d457c-2b26-4af6-a5f8-088a1838", "Group": "Default", "Domain1": "", "Domain2": "172.93.166.26", "Port": 4090, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY
        Source: Yara matchFile source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPE
        Machine Learning detection for sampleShow sources
        Source: Shipping Documents Original BL, Invoice & Pa.exeJoe Sandbox ML: detected
        Source: Shipping Documents Original BL, Invoice & Pa.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: Shipping Documents Original BL, Invoice & Pa.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.1.dr
        Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.dr
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_07A4B700
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_07A4CFA0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_07A4DCA0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_07A4DB60
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_07A4DAA0

        Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49722 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49723 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49724 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49725 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49726 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49727 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49728 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49729 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49730 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49731 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49732 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49733 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49734 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49735 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49736 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49737 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49738 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49739 -> 172.93.166.26:4090
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49740 -> 172.93.166.26:4090
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs:
        Source: Malware configuration extractorURLs: 172.93.166.26
        Source: Joe Sandbox ViewASN Name: GLOBALCOMPASSUS GLOBALCOMPASSUS
        Source: unknownTCP traffic detected without corresponding DNS query: 2.20.142.209
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: unknownTCP traffic detected without corresponding DNS query: 172.93.166.26
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670534502.0000000002DD1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.654396019.0000000005FFC000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/type
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
        Source: Shipping Documents Original BL, Invoice & Pa.exeString found in binary or memory: http://www.churchsw.org/church-projector-project
        Source: Shipping Documents Original BL, Invoice & Pa.exeString found in binary or memory: http://www.churchsw.org/repository/Bibles/
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670478696.0000000001520000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.com
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.655221857.0000000005FFC000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.656756517.0000000005FFC000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.656074649.0000000005FFC000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html8
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670478696.0000000001520000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.como
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.651499309.000000000600B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.653276119.0000000006005000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnt
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.659032488.0000000005FFB000.00000004.00000001.sdmp, Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.658535409.0000000005FFC000.00000004.00000001.sdmp, Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr0I
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krK
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krr
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.660037136.0000000006025000.00000004.00000001.sdmpString found in binary or memory: http://www.monot.
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr.
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kra-d
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krcom
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kre
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.657239356.0000000005FFC000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49689
        Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49688
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49686
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49690
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY
        Source: Yara matchFile source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious nameShow sources
        Source: initial sampleStatic PE information: Filename: Shipping Documents Original BL, Invoice & Pa.exe
        Source: initial sampleStatic PE information: Filename: Shipping Documents Original BL, Invoice & Pa.exe
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_014FC2B00_2_014FC2B0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_014F99900_2_014F9990
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A4ACE80_2_07A4ACE8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A4C1380_2_07A4C138
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A457C80_2_07A457C8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A457D80_2_07A457D8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A455200_2_07A45520
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A455100_2_07A45510
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A40BD80_2_07A40BD8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A40B2B0_2_07A40B2B
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A440F80_2_07A440F8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A400070_2_07A40007
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A450680_2_07A45068
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A470680_2_07A47068
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A450780_2_07A45078
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_07A400400_2_07A40040
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952BBB00_2_0952BBB0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_09528BAA0_2_09528BAA
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_095200400_2_09520040
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952B3F80_2_0952B3F8
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952D5900_2_0952D590
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952C6200_2_0952C620
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952F8580_2_0952F858
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952F8680_2_0952F868
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952A8000_2_0952A800
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952FAC00_2_0952FAC0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952FAB10_2_0952FAB1
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_095291A00_2_095291A0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952C0980_2_0952C098
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952C0A00_2_0952C0A0
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_095232500_2_09523250
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952E2400_2_0952E240
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952E2310_2_0952E231
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952D55E0_2_0952D55E
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952F6300_2_0952F630
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952F6210_2_0952F621
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_00BE5CF96_2_00BE5CF9
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_00BE21486_2_00BE2148
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_00BE4A206_2_00BE4A20
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_00BE21336_2_00BE2133
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 6_2_00BE1A406_2_00BE1A40
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00EC58688_2_00EC5868
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00EC45808_2_00EC4580
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00EC21488_2_00EC2148
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00EC1A408_2_00EC1A40
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 8_2_00EC21338_2_00EC2133
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0173237010_2_01732370
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0173520810_2_01735208
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_01731A4010_2_01731A40
        Source: dhcpmon.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs Shipping Documents Original BL, Invoice & Pa.exe
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.686876240.0000000009390000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Shipping Documents Original BL, Invoice & Pa.exe
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.687212948.0000000009470000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll( vs Shipping Documents Original BL, Invoice & Pa.exe
        Source: Shipping Documents Original BL, Invoice & Pa.exeBinary or memory string: OriginalFilenameManifestEnvelope.exeB vs Shipping Documents Original BL, Invoice & Pa.exe
        Source: Shipping Documents Original BL, Invoice & Pa.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Shipping Documents Original BL, Invoice & Pa.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.1.dr, Microsoft.Build/CommandLine/OutOfProcTaskHostNode.csTask registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
        Source: dhcpmon.exe.1.dr, Microsoft.Build/Shared/TaskLoader.csTask registration methods: 'CreateTask'
        Source: dhcpmon.exe.1.dr, Microsoft.Build/BackEnd/TaskParameter.csTask registration methods: 'CreateNewTaskItemFrom'
        Source: dhcpmon.exe.1.dr, Microsoft.Build/Shared/RegisteredTaskObjectCacheBase.csTask registration methods: '.cctor', 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', '.ctor', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: dhcpmon.exe.1.dr, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: dhcpmon.exe.1.dr, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: dhcpmon.exe.1.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: dhcpmon.exe.1.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
        Source: dhcpmon.exe.1.dr, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/Internal/CommunicationsUtilities.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent(System.Boolean)
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/BackEnd/NodeEndpointOutOfProcBase.csSecurity API names: System.Void System.IO.Pipes.PipeSecurity::AddAccessRule(System.IO.Pipes.PipeAccessRule)
        Source: dhcpmon.exe, 0000000A.00000002.704185808.00000000033C1000.00000004.00000001.sdmpBinary or memory string: l)C:\Program Files (x86)\DHCP Monitor\*.sln
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.drBinary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.drBinary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
        Source: dhcpmon.exe, dhcpmon.exe.1.drBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
        Source: dhcpmon.exe, 0000000A.00000002.704185808.00000000033C1000.00000004.00000001.sdmpBinary or memory string: *.slnP#
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.drBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
        Source: dhcpmon.exe, dhcpmon.exe.1.drBinary or memory string: *.sln
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.drBinary or memory string: MSBuild MyApp.csproj /t:Clean
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.drBinary or memory string: /ignoreprojectextensions:.sln
        Source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.drBinary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
        Source: classification engineClassification label: mal100.troj.evad.winEXE@15/14@0/1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Documents Original BL, Invoice & Pa.exe.logJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4804:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{692d457c-2b26-4af6-a5f8-088a183828b4}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1492:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4116:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile created: C:\Users\user\AppData\Local\Temp\tmpF57E.tmpJump to behavior
        Source: Shipping Documents Original BL, Invoice & Pa.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
        Source: unknownProcess created: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe 'C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe'
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF909.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp'Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF909.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: Shipping Documents Original BL, Invoice & Pa.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Shipping Documents Original BL, Invoice & Pa.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: dhcpmon.exe, dhcpmon.exe.1.dr
        Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: dhcpmon.exe, 00000008.00000002.688516545.00000000005C2000.00000002.00020000.sdmp, dhcpmon.exe, 0000000A.00000002.703132653.0000000000F82000.00000002.00020000.sdmp, dhcpmon.exe.1.dr
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeCode function: 0_2_0952E4F6 push ss; ret 0_2_0952E4F7
        Source: initial sampleStatic PE information: section name: .text entropy: 7.68387820085

        Persistence and Installation Behavior:

        barindex
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeFile created: \shipping documents original bl, invoice & pa.exe
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeFile created: \shipping documents original bl, invoice & pa.exeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

        Boot Survival:

        barindex
        Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp'

        Hooking and other Techniques for Hiding and Protection:

        barindex
        DLL reload attack detectedShow sources
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeModule Loaded: Original DLL: "C:\USERS\user\DESKTOP\SHIPPING DOCUMENTS ORIGINAL BL reload: INVOICE & PA.EXE"
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        barindex
        Yara detected AntiVM3Show sources
        Source: Yara matchFile source: 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 4457Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 4934Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: foregroundWindowGot 624Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: foregroundWindowGot 706Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe TID: 484Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe TID: 4048Thread sleep time: -102723s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe TID: 6016Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1368Thread sleep time: -11068046444225724s >= -30000sJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 960Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 864Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3476Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeThread delayed: delay time: 102723Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: vmware
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: VMWARE
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeMemory allocated: page read and write | page guardJump to behavior

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        .NET source code references suspicious native API functionsShow sources
        Source: dhcpmon.exe.1.dr, Microsoft.Build/Shared/NativeMethodsShared.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
        Source: 8.2.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
        Source: 8.0.dhcpmon.exe.5c0000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
        Source: 10.0.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
        Source: 10.2.dhcpmon.exe.f80000.0.unpack, Microsoft.Build/Shared/NativeMethodsShared.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('OpenProcess', 'OpenProcess@KERNEL32.DLL'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
        Injects a PE file into a foreign processesShow sources
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5AJump to behavior
        Writes to foreign memory regionsShow sources
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 420000Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 422000Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D0A008Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp'Jump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF909.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformationJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY
        Source: Yara matchFile source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        barindex
        Detected Nanocore RatShow sources
        Source: Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: MSBuild.exe, 00000001.00000003.686473988.000000000673C000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936, type: MEMORY
        Source: Yara matchFile source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.Shipping Documents Original BL, Invoice & Pa.exe.3ee8c80.3.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management Instrumentation1Scheduled Task/Job11Process Injection211Masquerading2OS Credential DumpingSecurity Software Discovery111Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/Job11DLL Side-Loading1Scheduled Task/Job11Disable or Modify Tools1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothRemote Access Software1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsNative API1Logon Script (Windows)DLL Side-Loading1Virtualization/Sandbox Evasion21Security Account ManagerVirtualization/Sandbox Evasion21SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol11Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection211NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptHidden Files and Directories1LSA SecretsSystem Information Discovery12SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information3Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing2DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobDLL Side-Loading1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 403691 Sample: Shipping Documents  Origina... Startdate: 04/05/2021 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 12 other signatures 2->53 8 Shipping Documents  Original BL, Invoice & Pa.exe 3 2->8         started        12 dhcpmon.exe 4 2->12         started        14 dhcpmon.exe 3 2->14         started        16 MSBuild.exe 2 2->16         started        process3 file4 43 Shipping Documents...nvoice & Pa.exe.log, ASCII 8->43 dropped 59 Writes to foreign memory regions 8->59 61 Injects a PE file into a foreign processes 8->61 18 MSBuild.exe 1 14 8->18         started        23 conhost.exe 12->23         started        25 conhost.exe 14->25         started        27 conhost.exe 16->27         started        signatures5 process6 dnsIp7 45 172.93.166.26, 4090, 49722, 49723 GLOBALCOMPASSUS United States 18->45 37 C:\Users\user\AppData\Roaming\...\run.dat, data 18->37 dropped 39 C:\Users\user\AppData\Local\...\tmpF57E.tmp, XML 18->39 dropped 41 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->41 dropped 55 Uses schtasks.exe or at.exe to add and modify task schedules 18->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->57 29 schtasks.exe 1 18->29         started        31 schtasks.exe 1 18->31         started        file8 signatures9 process10 process11 33 conhost.exe 29->33         started        35 conhost.exe 31->35         started       

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.

        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        Shipping Documents Original BL, Invoice & Pa.exe6%ReversingLabs
        Shipping Documents Original BL, Invoice & Pa.exe100%Joe Sandbox ML

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%MetadefenderBrowse
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe0%ReversingLabs

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        0%Avira URL Cloudsafe
        http://www.monot.0%Avira URL Cloudsafe
        http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
        http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
        http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
        http://www.goodfont.co.kr0I0%Avira URL Cloudsafe
        http://www.goodfont.co.krr0%Avira URL Cloudsafe
        http://www.ascendercorp.com/type0%Avira URL Cloudsafe
        http://www.sandoll.co.kr.0%Avira URL Cloudsafe
        http://www.churchsw.org/repository/Bibles/0%Avira URL Cloudsafe
        http://www.sandoll.co.kra-d0%Avira URL Cloudsafe
        172.93.166.260%Avira URL Cloudsafe
        http://www.goodfont.co.krK0%Avira URL Cloudsafe
        http://www.tiro.com0%URL Reputationsafe
        http://www.tiro.com0%URL Reputationsafe
        http://www.tiro.com0%URL Reputationsafe
        http://www.goodfont.co.kr0%URL Reputationsafe
        http://www.goodfont.co.kr0%URL Reputationsafe
        http://www.goodfont.co.kr0%URL Reputationsafe
        http://www.sandoll.co.kre0%Avira URL Cloudsafe
        http://www.carterandcone.coml0%URL Reputationsafe
        http://www.carterandcone.coml0%URL Reputationsafe
        http://www.carterandcone.coml0%URL Reputationsafe
        http://www.sajatypeworks.com0%URL Reputationsafe
        http://www.sajatypeworks.com0%URL Reputationsafe
        http://www.sajatypeworks.com0%URL Reputationsafe
        http://www.typography.netD0%URL Reputationsafe
        http://www.typography.netD0%URL Reputationsafe
        http://www.typography.netD0%URL Reputationsafe
        http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
        http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
        http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
        http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
        http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
        http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
        http://fontfabrik.com0%URL Reputationsafe
        http://fontfabrik.com0%URL Reputationsafe
        http://fontfabrik.com0%URL Reputationsafe
        http://www.founder.com.cn/cn0%URL Reputationsafe
        http://www.founder.com.cn/cn0%URL Reputationsafe
        http://www.founder.com.cn/cn0%URL Reputationsafe
        http://www.sandoll.co.krcom0%Avira URL Cloudsafe
        http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
        http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
        http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
        http://www.fontbureau.como0%URL Reputationsafe
        http://www.fontbureau.como0%URL Reputationsafe
        http://www.fontbureau.como0%URL Reputationsafe
        http://www.founder.com.cn/cnt0%URL Reputationsafe
        http://www.founder.com.cn/cnt0%URL Reputationsafe
        http://www.founder.com.cn/cnt0%URL Reputationsafe
        http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
        http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
        http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
        http://www.churchsw.org/church-projector-project0%Avira URL Cloudsafe
        http://www.sandoll.co.kr0%URL Reputationsafe
        http://www.sandoll.co.kr0%URL Reputationsafe
        http://www.sandoll.co.kr0%URL Reputationsafe
        http://www.urwpp.deDPlease0%URL Reputationsafe
        http://www.urwpp.deDPlease0%URL Reputationsafe
        http://www.urwpp.deDPlease0%URL Reputationsafe
        http://www.urwpp.de0%URL Reputationsafe
        http://www.urwpp.de0%URL Reputationsafe
        http://www.urwpp.de0%URL Reputationsafe
        http://www.zhongyicts.com.cn0%URL Reputationsafe
        http://www.zhongyicts.com.cn0%URL Reputationsafe
        http://www.zhongyicts.com.cn0%URL Reputationsafe
        http://www.sakkal.com0%URL Reputationsafe
        http://www.sakkal.com0%URL Reputationsafe
        http://www.sakkal.com0%URL Reputationsafe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        true
        • Avira URL Cloud: safe
        		low
        172.93.166.26true
        • Avira URL Cloud: safe
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://www.monot.Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.660037136.0000000006025000.00000004.00000001.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        http://www.apache.org/licenses/LICENSE-2.0Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
          		high
          http://www.fontbureau.comShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670478696.0000000001520000.00000004.00000040.sdmpfalse
            		high
            http://www.fontbureau.com/designersGShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
              		high
              http://www.fontbureau.com/designers/?Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                		high
                http://www.founder.com.cn/cn/bTheShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.goodfont.co.kr0IShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.goodfont.co.krrShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.fontbureau.com/designers?Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                  		high
                  http://www.ascendercorp.com/typeShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.654396019.0000000005FFC000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.sandoll.co.kr.Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.churchsw.org/repository/Bibles/Shipping Documents Original BL, Invoice & Pa.exefalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.sandoll.co.kra-dShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.goodfont.co.krKShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.tiro.comShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designersShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                    		high
                    http://www.goodfont.co.krShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.sandoll.co.kreShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmpfalse
                      		high
                      http://www.carterandcone.comlShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.sajatypeworks.comShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.typography.netDShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers/cabarga.htmlNShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                        		high
                        http://www.founder.com.cn/cn/cTheShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.galapagosdesign.com/staff/dennis.htmShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.659032488.0000000005FFB000.00000004.00000001.sdmp, Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.658535409.0000000005FFC000.00000004.00000001.sdmp, Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://fontfabrik.comShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.founder.com.cn/cnShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers/frere-user.htmlShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers/cabarga.htmlShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.656756517.0000000005FFC000.00000004.00000001.sdmpfalse
                            		high
                            http://www.sandoll.co.krcomShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.652728425.0000000005FFF000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comoShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670478696.0000000001520000.00000004.00000040.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cntShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.653276119.0000000006005000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.galapagosdesign.com/DPleaseShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers8Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                              		high
                              http://www.churchsw.org/church-projector-projectShipping Documents Original BL, Invoice & Pa.exefalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designers/frere-user.html8Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.656074649.0000000005FFC000.00000004.00000001.sdmpfalse
                                		high
                                http://www.fonts.comShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.651499309.000000000600B000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.sandoll.co.krShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.urwpp.deDPleaseShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.urwpp.deShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.657239356.0000000005FFC000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.zhongyicts.com.cnShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.670534502.0000000002DD1000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.sakkal.comShipping Documents Original BL, Invoice & Pa.exe, 00000000.00000002.676141960.0000000006160000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/Shipping Documents Original BL, Invoice & Pa.exe, 00000000.00000003.655221857.0000000005FFC000.00000004.00000001.sdmpfalse
                                      		high

                                      Contacted IPs

                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs

                                      Public

                                      IPDomainCountryFlagASNASN NameMalicious
                                      172.93.166.26
                                      		unknownUnited States
                                      		22653GLOBALCOMPASSUStrue

                                      General Information

                                      Joe Sandbox Version:32.0.0 Black Diamond
                                      Analysis ID:403691
                                      Start date:04.05.2021
                                      Start time:10:29:25
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 10m 31s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Sample file name:Shipping Documents Original BL, Invoice & Pa.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                      Number of analysed new started processes analysed:12
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@15/14@0/1
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 5.2% (good quality ratio 4.5%)
                                      • Quality average: 38.1%
                                      • Quality standard deviation: 20%
                                      HCA Information:
                                      • Successful, ratio: 96%
                                      • Number of executed functions: 173
                                      • Number of non-executed functions: 32
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      Show All
                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                      • Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.139.144, 52.147.198.201, 168.61.161.212
                                      • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                      Simulations

                                      Behavior and APIs

                                      TimeTypeDescription
                                      10:30:22API Interceptor1x Sleep call for process: Shipping Documents Original BL, Invoice & Pa.exe modified
                                      10:30:28Task SchedulerRun new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" s>$(Arg0)
                                      10:30:28API Interceptor970x Sleep call for process: MSBuild.exe modified
                                      10:30:30AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                      10:30:31Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      GLOBALCOMPASSUS5zc9vbGBo3.exeGet hashmaliciousBrowse
                                      • 69.61.16.162
                                      pieChart2.exeGet hashmaliciousBrowse
                                      • 142.202.205.89
                                      #Ud83d#Udd04nick.ulycz- domesticandgeneral.com OKeep.htmGet hashmaliciousBrowse
                                      • 69.61.20.27
                                      parcel_images.exeGet hashmaliciousBrowse
                                      • 69.61.59.215
                                      a4588f57322665c795bdf720abc23ffc.exeGet hashmaliciousBrowse
                                      • 69.61.52.111
                                      Mf1iDAE6bE.exeGet hashmaliciousBrowse
                                      • 69.61.52.111
                                      Buchung.docGet hashmaliciousBrowse
                                      • 69.61.42.251
                                      Buchung.docGet hashmaliciousBrowse
                                      • 69.61.42.251
                                      Buchung.docGet hashmaliciousBrowse
                                      • 69.61.42.251
                                      P64.exeGet hashmaliciousBrowse
                                      • 69.61.38.132
                                      http://v.ht/v6GDGet hashmaliciousBrowse
                                      • 69.61.26.121

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeZiraat Bankasi Swift Mesaji.exeGet hashmaliciousBrowse
                                        SN-346.exeGet hashmaliciousBrowse
                                          insurance certificate , BL.exeGet hashmaliciousBrowse
                                            E5ew8dBzdN.exeGet hashmaliciousBrowse
                                              kHisp6Vo3M.exeGet hashmaliciousBrowse
                                                aVzenPkPSm.exeGet hashmaliciousBrowse
                                                  GT42536.scr.exeGet hashmaliciousBrowse
                                                    NEWPO-243769001.exeGet hashmaliciousBrowse
                                                      Purchase Order-877.exeGet hashmaliciousBrowse
                                                        W29wJd8rZ5.exeGet hashmaliciousBrowse
                                                          INV#6534524.exeGet hashmaliciousBrowse
                                                            xWwkCdgUxd.exeGet hashmaliciousBrowse
                                                              t5R60D503x.exeGet hashmaliciousBrowse
                                                                GT_0397337_03987638BNG.exeGet hashmaliciousBrowse
                                                                  CCF20032021_0003.exeGet hashmaliciousBrowse
                                                                    1PH37n4Gva.exeGet hashmaliciousBrowse
                                                                      E0029876556_209876689.exeGet hashmaliciousBrowse
                                                                        BGD_03987365_0398736DSC.exeGet hashmaliciousBrowse
                                                                          1XCQ1u2Q59.exeGet hashmaliciousBrowse
                                                                            ROdimkVzMC9cn4X.exeGet hashmaliciousBrowse

                                                                              Created / dropped Files

                                                                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):261728
                                                                              Entropy (8bit):6.1750840449797675
                                                                              Encrypted:false
                                                                              SSDEEP:3072:Mao0QHGUQWWimj9q/NLpj/WWqvAw2XpFU4rwOe4ubZSif02RFi/x2uv9FeP:boZTTWxxqVpqWVRXfr802biprVu
                                                                              MD5:D621FD77BD585874F9686D3A76462EF1
                                                                              SHA1:ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
                                                                              SHA-256:2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
                                                                              SHA-512:2D85A81D708ECC8AF9A1273143C94DA84E632F1E595E22F54B867225105A1D0A44F918F0FAE6F1EB15ECF69D75B6F4616699776A16A2AA8B5282100FD15CA74C
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              Joe Sandbox View:
                                                                              • Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious, Browse
                                                                              • Filename: SN-346.exe, Detection: malicious, Browse
                                                                              • Filename: insurance certificate , BL.exe, Detection: malicious, Browse
                                                                              • Filename: E5ew8dBzdN.exe, Detection: malicious, Browse
                                                                              • Filename: kHisp6Vo3M.exe, Detection: malicious, Browse
                                                                              • Filename: aVzenPkPSm.exe, Detection: malicious, Browse
                                                                              • Filename: GT42536.scr.exe, Detection: malicious, Browse
                                                                              • Filename: NEWPO-243769001.exe, Detection: malicious, Browse
                                                                              • Filename: Purchase Order-877.exe, Detection: malicious, Browse
                                                                              • Filename: W29wJd8rZ5.exe, Detection: malicious, Browse
                                                                              • Filename: INV#6534524.exe, Detection: malicious, Browse
                                                                              • Filename: xWwkCdgUxd.exe, Detection: malicious, Browse
                                                                              • Filename: t5R60D503x.exe, Detection: malicious, Browse
                                                                              • Filename: GT_0397337_03987638BNG.exe, Detection: malicious, Browse
                                                                              • Filename: CCF20032021_0003.exe, Detection: malicious, Browse
                                                                              • Filename: 1PH37n4Gva.exe, Detection: malicious, Browse
                                                                              • Filename: E0029876556_209876689.exe, Detection: malicious, Browse
                                                                              • Filename: BGD_03987365_0398736DSC.exe, Detection: malicious, Browse
                                                                              • Filename: 1XCQ1u2Q59.exe, Detection: malicious, Browse
                                                                              • Filename: ROdimkVzMC9cn4X.exe, Detection: malicious, Browse
                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z.........."...0..|...B......n.... ........@.. ....................................`.....................................O........>..............`>.......................................................... ............... ..H............text....z... ...|.................. ..`.rsrc....>.......@...~..............@..@.reloc..............................@..B................P.......H.......8)...................|.........................................*.{.......*v.(=....r...p({...-..+..}....*....0..%........(....-..*....(z.....&..}.........*.*....................0..5........(....-..*.-.r+..ps>...z.....i(z.....&..}.........*.*............%......>....(?...(....*N..(@....oA...(....*:...(B...(....*:...(C...(....**....(....*....0..G........(....,..*..(....-...}.....*.r...p(x...&.(v.....}......&..}.........*.*..........7.......0..f........-.r7..ps>...z .....
                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:modified
                                                                              Size (bytes):841
                                                                              Entropy (8bit):5.356220854328477
                                                                              Encrypted:false
                                                                              SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoIvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHwvEHxDqHj
                                                                              MD5:486580834B084C92AE1F3866166C9C34
                                                                              SHA1:C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
                                                                              SHA-256:65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB
                                                                              SHA-512:2C54B638A52AA87F47CAB50859EFF98F07DA02993A596686B5617BA99E73ABFCD104F0F33209E24AFB32E66B4B8A225D4DB2CC79631540C21E7E8C4573DFD457
                                                                              Malicious:false
                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Documents Original BL, Invoice & Pa.exe.log
                                                                              Process:C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1314
                                                                              Entropy (8bit):5.350128552078965
                                                                              Encrypted:false
                                                                              SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                              MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                              SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                              SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                              SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                              Malicious:true
                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:modified
                                                                              Size (bytes):1037
                                                                              Entropy (8bit):5.371216502395632
                                                                              Encrypted:false
                                                                              SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7KvEE4xDqE4j:MxHKXwYHKhQnoPtHoxHhAHKzvKvEHxD0
                                                                              MD5:C7F28B87C2CAD111D929CB9A0FF822F8
                                                                              SHA1:C2CF9E7A3F6EFD9000FE76EBE54E4E9AE5754267
                                                                              SHA-256:D1B02C20EACF464229AB063FA947A525E2ED7772259A8F70C7205DC13599EAE6
                                                                              SHA-512:E0F35874E02AB672CFF0553A0DA0864DAB14C05733D06395E4D0C9CDFC6F445E940310F8D01E3E1B28895F636DFBC1F510E103D1C46818400BA4E7371D8F254D
                                                                              Malicious:false
                                                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Build, Version=4.0.0.0, Culture=neutral,
                                                                              C:\Users\user\AppData\Local\Temp\tmpF57E.tmp
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1320
                                                                              Entropy (8bit):5.137611098420233
                                                                              Encrypted:false
                                                                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0moxtn:cbk4oL600QydbQxIYODOLedq3Zoj
                                                                              MD5:3E2B26ED8B75AE83A269595180E84EF6
                                                                              SHA1:D30A0335FCCE406BCA8BA5764288235E6192F608
                                                                              SHA-256:108BE30AEB8EB31C185A39A6726F26DACBC4E4124951C61A29ADE4B7038C71EA
                                                                              SHA-512:B6981C68FCB886CC8379A068B96931B9D4F5CC5AA9BDC467E36C4168FE6C5273A2A84D8850B12C11703EC03AC6B1F1950D1E669EFCB59FC2402CE4BBA9DC03D3
                                                                              Malicious:true
                                                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                              C:\Users\user\AppData\Local\Temp\tmpF909.tmp
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):1310
                                                                              Entropy (8bit):5.109425792877704
                                                                              Encrypted:false
                                                                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                              Malicious:false
                                                                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):1856
                                                                              Entropy (8bit):7.109925499344649
                                                                              Encrypted:false
                                                                              SSDEEP:48:IkXEUg6ikXEUg6ikXEUg6ikXEUg6ikXEUg6ikXEUg6ikXEUg6ikXEUg6Z:06y6y6y6y6y6y6y6Z
                                                                              MD5:B75C7318FEA570C38EC018F2E906702F
                                                                              SHA1:05B91D7DFF32A62966BA7C58BD42C60E70C8C54B
                                                                              SHA-256:828C3ECDFC1F82F6D579A4FA1D140D1AFF98A986D5B10A5B94BD0EC19C8D3BB6
                                                                              SHA-512:75FF9ACA7EF41FE7ED8D9FAD0CB11A68F002AF79A3D7AB79314D473D6F5A30B557A7D9FD470B6F3FF75F690D70446FC5286CC5015DBF8AFCF73FBE725EEECB0C
                                                                              Malicious:false
                                                                              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....`*kZ..JR<..e.8....z...O......f..m.PQ>Y...}.....K.,Kl..G.....qA..#.w.&..7m..B.I.....in..<5J....z).H?....6..*2Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....`*kZ..JR<..e.8....z...O......f..m.PQ>Y...}.....K.,Kl..G.....qA..#.w.&..7m..B.I.....in..<5J....z).H?....6..*2Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....`*kZ..JR<..e.8....z...O......f..m.PQ>Y...}.....K.,Kl..G.....qA..#.w.&..7m..B.I.....in..<5J....z).H?....6..*2Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....`*kZ..JR<..e.8....z...O......f..m.PQ>Y...}.....K.,Kl..G.....qA..#.w.&..7m..B.I.....in..<5J....z).H?....6..*2Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):8
                                                                              Entropy (8bit):3.0
                                                                              Encrypted:false
                                                                              SSDEEP:3:Pcn:0n
                                                                              MD5:DE7A67A3040AC701DA32B2080CBB7529
                                                                              SHA1:8F9F4EC574D3C30BBD666DF38D513CA1E9B234FC
                                                                              SHA-256:0B977E561E1A854A31E242E5E68D143D677A9EB875A5D5FB49C30C547DF2D6FD
                                                                              SHA-512:B4ACF0DBD66C30C84B85C656B6A83AF8A088A74679CE26196698BF38271AF78F2BC9F002647171B1C298B12230EF69BA6199BD2C33256C44E67E121A5E4013EA
                                                                              Malicious:true
                                                                              Preview: .v^....H
                                                                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):40
                                                                              Entropy (8bit):5.221928094887364
                                                                              Encrypted:false
                                                                              SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
                                                                              MD5:AE0F5E6CE7122AF264EC533C6B15A27B
                                                                              SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
                                                                              SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
                                                                              SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
                                                                              Malicious:false
                                                                              Preview: 9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
                                                                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:data
                                                                              Category:dropped
                                                                              Size (bytes):315512
                                                                              Entropy (8bit):7.999402922203056
                                                                              Encrypted:true
                                                                              SSDEEP:6144:m8aeVE5MlgWfxwY/8uvJYRDMVpXUhXShjVd/WNXlMjwmZ/zVR5X7HZEKiMIqrjG:mfwiMdxwYEYyWVjVpW7mZBDCgrjG
                                                                              MD5:787AEB1604A638B138739ED060141E9D
                                                                              SHA1:A2D0680883E8C6FF3DDE0A177263B03E7644D4AA
                                                                              SHA-256:DCCB67209560E2E27A4F284CD7E412926303ABD4E77927F9A1BAF8B0B8994B45
                                                                              SHA-512:9E49E851465F07ABA6AB44AD6B7561004AD61C4794FE167C6C724994159714AF8D2AC8ECCCE128F84BC6A7607BA05CD891CFD2C9EDE9D9EFA860346F6004360E
                                                                              Malicious:false
                                                                              Preview: ..f# ....)1\*.....5....;.T..u.. .3.Xd... ....u(..._.V.{L..Y.8....~...S79.f0V...=.}...SJg|.lh.J..^Ge.........3h?n..:..r....,o."a.I....\..0Z.D..........^....[..f.I....@/_..".5+...I...J`./s..p-.....c..?...*.. .&.....>.Ye$=.pG.....9D...'7.w.a.[3.d.-..V..]..B.b.zA?..M..3...%A....K5@.. j.U.h.B....'...0."..u.V...d..c,r"..@9.9.>..cDgP~d9..St...{..24.s.'.....9.D..P4.....I...G..G5......u.-2...z1[.....C..n.6.!..'.%@&.l4..P..rc+vq..C5B.b*..j.W,..T..z......)BX4...>A.*~#..A....8..B....5....w....GC..........y......7...?.T.....!.....7A.........C.3......A.....hC..5'..42..zS.*2.m7....A.'/.R..X....}e...>........}...n.A...4..?.P.l..n.0.I`...".d1.(e|..f.....i.9.#...n..+..l....Xz.q...6".Hl...+...1^pgs...%.FR.T....(...=.rHX.d.9%...?..f?.Q.yi.D9/>....V..5......q...nP'...S.Y.....pu.!..-..\..|/....V.......NX....../.8..V.0.5`m$.{b..lw.K.3-..C3...-.2.Qb.....o...6z....`H...(..o.ag.-7../F..RoI..O#.u|.U.@....$;.....s.~.M...j?...q#.l..y..M.[../.....=T.......5HX.QJ...
                                                                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              File Type:ASCII text, with no line terminators
                                                                              Category:dropped
                                                                              Size (bytes):57
                                                                              Entropy (8bit):4.887726803973036
                                                                              Encrypted:false
                                                                              SSDEEP:3:oMty8WddSJ8:oMLW6C
                                                                              MD5:6ECAFC0490DAB08E4A288E0042B6B613
                                                                              SHA1:4A4529907588505FC65CC9933980CFE6E576B3D6
                                                                              SHA-256:DC5F76FBF44B3E6CDDC14EA9E5BB9B6BD3A955197FE13F33F7DDA7ECC08E79E0
                                                                              SHA-512:7DA2B02627A36C8199814C250A1FBD61A9C18E098F8D691C11D75044E7F51DBD52C31EC2E1EA8CDEE5077ADCCB8CD247266F191292DB661FE7EA1B613FC646F8
                                                                              Malicious:false
                                                                              Preview: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              \Device\ConDrv
                                                                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                              File Type:ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):298
                                                                              Entropy (8bit):4.943030742860529
                                                                              Encrypted:false
                                                                              SSDEEP:6:zx3M1tFAbQtU1R30qyMstwYVoRRZBXVN+J0fFdCsq2UTiMdH8stCal+n:zK13I30ZMt9BFN+QdCT2UftCM+
                                                                              MD5:6A9888952541A41F033EB114C24DC902
                                                                              SHA1:41903D7C8F31013C44572E09D97B9AAFBBCE77E6
                                                                              SHA-256:41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE
                                                                              SHA-512:E6AC898E67B4052375FDDFE9894B26D504A7827917BF3E02772CFF45C3FA7CC5E0EFFDC701D208E0DB89F05E42F195B1EC890F316BEE5CB8239AB45444DAA65E
                                                                              Malicious:false
                                                                              Preview: Microsoft (R) Build Engine version 4.7.3056.0..[Microsoft .NET Framework, version 4.0.30319.42000]..Copyright (C) Microsoft Corporation. All rights reserved.....MSBUILD : error MSB1003: Specify a project or solution file. The current working directory does not contain a project or solution file...

                                                                              Static File Info

                                                                              General

                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                              Entropy (8bit):7.673145545979894
                                                                              TrID:
                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                              File name:Shipping Documents Original BL, Invoice & Pa.exe
                                                                              File size:734208
                                                                              MD5:b89d3e7dd6ee20a09506365497f6cc3a
                                                                              SHA1:d5a40ae65560da802d5c5135d024d5fa8e840ff4
                                                                              SHA256:c2af0dcf4558a32fde15405648d8dd6410c51d319812755fcb8e4f742723bad7
                                                                              SHA512:9ffdf6633cc35a4cf2817ab9033d30d9377c83944e6b013aea5697a53c8d0772bf992305fcbbe18810bd4fa41aafcf7e31f517323f78eb0b637254a740281e09
                                                                              SSDEEP:12288:O2g1o0ezIROKMTSXHlIp8maopsxu05K6zAyLe6NPBmFBdWM/QXPZ:bg1o9mOKSA9bzhLnNgXv/QB
                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..*...........I... ...`....@.. ....................................@................................

                                                                              File Icon

                                                                              Icon Hash:00828e8e8686b000

                                                                              Static PE Info

                                                                              General

                                                                              Entrypoint:0x4b49a6
                                                                              Entrypoint Section:.text
                                                                              Digitally signed:false
                                                                              Imagebase:0x400000
                                                                              Subsystem:windows gui
                                                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                              Time Stamp:0x6090F8E4 [Tue May 4 07:33:56 2021 UTC]
                                                                              TLS Callbacks:
                                                                              CLR (.Net) Version:v4.0.30319
                                                                              OS Version Major:4
                                                                              OS Version Minor:0
                                                                              File Version Major:4
                                                                              File Version Minor:0
                                                                              Subsystem Version Major:4
                                                                              Subsystem Version Minor:0
                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                              Entrypoint Preview

                                                                              Instruction
                                                                              jmp dword ptr [00402000h]
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al
                                                                              add byte ptr [eax], al

                                                                              Data Directories

                                                                              NameVirtual AddressVirtual Size Is in Section
                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0xb49540x4f.text
                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xb60000x404.rsrc
                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xb80000xc.reloc
                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                              Sections

                                                                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                              .text0x20000xb29ac0xb2a00False0.817510606193data7.68387820085IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                              .rsrc0xb60000x4040x600False0.285807291667data2.3669114928IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                              .reloc0xb80000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                              Resources

                                                                              NameRVASizeTypeLanguageCountry
                                                                              RT_VERSION0xb60580x3a8data

                                                                              Imports

                                                                              DLLImport
                                                                              mscoree.dll_CorExeMain

                                                                              Version Infos

                                                                              DescriptionData
                                                                              Translation0x0000 0x04b0
                                                                              LegalCopyrightCopyright Felix Jeyareuben 2012
                                                                              Assembly Version2.0.0.0
                                                                              InternalNameManifestEnvelope.exe
                                                                              FileVersion2.0
                                                                              CompanyNamewww.churchsw.org
                                                                              LegalTrademarksChurch Software
                                                                              Comments
                                                                              ProductNameChurch Projector
                                                                              ProductVersion2.0
                                                                              FileDescriptionChurch Projector
                                                                              OriginalFilenameManifestEnvelope.exe

                                                                              Network Behavior

                                                                              Snort IDS Alerts

                                                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                              05/04/21-10:30:30.516363TCP2025019ET TROJAN Possible NanoCore C2 60B497224090192.168.2.4172.93.166.26
                                                                              05/04/21-10:30:38.726516TCP2025019ET TROJAN Possible NanoCore C2 60B497234090192.168.2.4172.93.166.26
                                                                              05/04/21-10:30:45.525830TCP2025019ET TROJAN Possible NanoCore C2 60B497244090192.168.2.4172.93.166.26
                                                                              05/04/21-10:30:51.542446TCP2025019ET TROJAN Possible NanoCore C2 60B497254090192.168.2.4172.93.166.26
                                                                              05/04/21-10:30:57.537521TCP2025019ET TROJAN Possible NanoCore C2 60B497264090192.168.2.4172.93.166.26
                                                                              05/04/21-10:31:02.522919TCP2025019ET TROJAN Possible NanoCore C2 60B497274090192.168.2.4172.93.166.26
                                                                              05/04/21-10:31:08.571572TCP2025019ET TROJAN Possible NanoCore C2 60B497284090192.168.2.4172.93.166.26
                                                                              05/04/21-10:31:15.430293TCP2025019ET TROJAN Possible NanoCore C2 60B497294090192.168.2.4172.93.166.26
                                                                              05/04/21-10:31:20.466887TCP2025019ET TROJAN Possible NanoCore C2 60B497304090192.168.2.4172.93.166.26
                                                                              05/04/21-10:31:26.477561TCP2025019ET TROJAN Possible NanoCore C2 60B497314090192.168.2.4172.93.166.26
                                                                              05/04/21-10:31:32.571814TCP2025019ET TROJAN Possible NanoCore C2 60B497324090192.168.2.4172.93.166.26
                                                                              05/04/21-10:31:37.631265TCP2025019ET TROJAN Possible NanoCore C2 60B497334090192.168.2.4172.93.166.26
                                                                              05/04/21-10:31:43.636714TCP2025019ET TROJAN Possible NanoCore C2 60B497344090192.168.2.4172.93.166.26
                                                                              05/04/21-10:31:49.661091TCP2025019ET TROJAN Possible NanoCore C2 60B497354090192.168.2.4172.93.166.26
                                                                              05/04/21-10:31:56.624315TCP2025019ET TROJAN Possible NanoCore C2 60B497364090192.168.2.4172.93.166.26
                                                                              05/04/21-10:32:03.661380TCP2025019ET TROJAN Possible NanoCore C2 60B497374090192.168.2.4172.93.166.26
                                                                              05/04/21-10:32:09.718870TCP2025019ET TROJAN Possible NanoCore C2 60B497384090192.168.2.4172.93.166.26
                                                                              05/04/21-10:32:15.719024TCP2025019ET TROJAN Possible NanoCore C2 60B497394090192.168.2.4172.93.166.26
                                                                              05/04/21-10:32:20.736724TCP2025019ET TROJAN Possible NanoCore C2 60B497404090192.168.2.4172.93.166.26

                                                                              Network Port Distribution

                                                                              TCP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              May 4, 2021 10:30:25.946350098 CEST4968580192.168.2.42.20.142.209
                                                                              May 4, 2021 10:30:30.304523945 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:30.452847958 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:30.452972889 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:30.516362906 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:30.676390886 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:30.684725046 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:30.833106995 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:30.887154102 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:30.900424957 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.093060017 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104357958 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104378939 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104394913 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104412079 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104429007 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104444981 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104463100 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104480028 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104491949 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.104513884 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104531050 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.104576111 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.104603052 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.254400015 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254445076 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254487038 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254544020 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254587889 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254587889 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.254622936 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.254627943 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254667044 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254688025 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.254705906 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254744053 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254762888 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.254791021 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254837036 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.254838943 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254889965 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254931927 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254967928 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.254968882 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.255007982 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.255016088 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.255089998 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.255127907 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.255141020 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.255175114 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.255217075 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.255227089 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.255265951 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.255323887 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405056000 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405106068 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405147076 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405184031 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405209064 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405220985 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405252934 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405260086 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405308008 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405308008 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405350924 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405400991 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405420065 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405457973 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405495882 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405509949 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405534029 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405570984 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405585051 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405610085 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405648947 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405662060 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405695915 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405739069 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405744076 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405777931 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405816078 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405827045 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405854940 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405891895 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405911922 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.405930996 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405977964 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.405983925 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.406014919 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406070948 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406109095 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406120062 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.406153917 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.406166077 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406210899 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406249046 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406286955 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406296015 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.406323910 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406342030 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.406361103 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406399012 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406414032 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.406435966 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406483889 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406486034 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.406527042 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406563044 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406579971 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.406600952 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406637907 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406675100 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.406676054 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.406873941 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.555000067 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555062056 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555119038 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555149078 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.555161953 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555190086 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555217028 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.555217981 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555246115 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555272102 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555274010 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.555311918 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.555718899 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555788040 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555819988 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555839062 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.555847883 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555876970 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555896044 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.555917978 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555952072 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.555963039 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.555995941 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556026936 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556041956 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556056023 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556101084 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556118011 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556133986 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556170940 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556190968 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556199074 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556226015 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556252003 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556252956 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556286097 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556303024 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556317091 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556345940 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556368113 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556372881 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556401014 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556411982 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556437016 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556463957 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556476116 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556493044 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556521893 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556531906 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556550026 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556576967 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556591034 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556611061 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556642056 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556652069 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556669950 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556698084 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556714058 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556725025 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556752920 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556766033 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556781054 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556807995 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556819916 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556842089 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556873083 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556885958 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556901932 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556930065 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556941032 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.556958914 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.556998968 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.599118948 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.631361008 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.702924967 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.702943087 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.702980042 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.702996969 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.703016043 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.703031063 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.703052044 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.703063965 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.703082085 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.703095913 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.703109980 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.703123093 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.703135967 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.703161955 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706096888 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706115961 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706131935 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706150055 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706151009 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706167936 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706177950 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706183910 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706193924 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706199884 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706212044 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706216097 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706232071 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706240892 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706252098 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706264019 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706269979 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706285954 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706288099 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706302881 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706304073 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706319094 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706330061 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706334114 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706351995 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706353903 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706371069 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706376076 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706386089 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706398010 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706402063 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706417084 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.706434011 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.706465006 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.747549057 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747567892 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747584105 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747600079 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747607946 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.747618914 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747637987 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747637987 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.747653008 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747665882 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747682095 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747700930 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747701883 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.747718096 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747733116 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747735023 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.747747898 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747764111 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747766972 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.747778893 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747795105 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747801065 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.747809887 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747828960 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747829914 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.747845888 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747860909 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.747874022 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.747919083 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.827652931 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.851454973 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.851500034 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.851547003 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.851574898 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.851589918 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.851628065 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.851643085 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.851666927 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.851705074 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.851722956 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.851742983 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.851790905 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.854207039 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854249954 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854286909 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854317904 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.854335070 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854377985 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854387045 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.854417086 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854454994 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854490042 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.854494095 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854531050 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854545116 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.854569912 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854608059 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854619026 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.854660034 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854702950 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854715109 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.854739904 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854777098 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854792118 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.854815960 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854854107 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854866028 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.854892015 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854931116 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.854945898 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.854991913 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.855051994 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.895935059 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.895968914 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.895991087 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896023989 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896064043 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896085024 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896106958 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896136045 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896162033 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896183968 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.896192074 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896200895 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.896214008 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.896222115 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896250010 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896255970 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.896280050 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896307945 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896325111 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.896337986 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896367073 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896369934 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.896398067 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896419048 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.896426916 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896452904 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896475077 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.896480083 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.896528959 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.999552011 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.999574900 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.999598026 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.999614954 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.999634027 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.999639034 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.999651909 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.999664068 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.999669075 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.999686956 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:31.999697924 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:31.999725103 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.003206015 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003232956 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003254890 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003277063 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003284931 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.003298044 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003315926 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.003319979 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003343105 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003361940 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003365993 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.003391027 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003400087 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.003412962 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003432989 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003448963 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.003460884 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003488064 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003500938 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.003510952 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003530979 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003549099 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.003550053 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003570080 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003585100 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003587961 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.003607035 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003626108 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.003626108 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.003722906 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.044336081 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044367075 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044387102 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044404984 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044423103 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044447899 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044475079 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044476986 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.044501066 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044504881 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.044527054 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044553995 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044554949 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.044574976 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044593096 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044595957 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.044611931 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044636011 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.044636965 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044656992 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044680119 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.044734001 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044754028 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044770956 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:32.044778109 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:32.044811964 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:33.376013994 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:33.576353073 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:33.968341112 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:34.163238049 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:34.248421907 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:34.324992895 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:34.442943096 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:34.473598957 CEST409049722172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:34.473743916 CEST497224090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:38.577336073 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:38.724638939 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:38.724922895 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:38.726516008 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:38.886789083 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:38.887197018 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:39.035007000 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:39.036472082 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:39.233889103 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:39.316463947 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:39.317768097 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:39.464983940 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:39.465079069 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:39.658615112 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:39.658730984 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:39.806049109 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:39.856702089 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:39.863756895 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:40.003369093 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:40.044173002 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:40.052006960 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:40.052084923 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:40.239783049 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:40.421859980 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:40.466047049 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:40.637718916 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:40.839270115 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:40.878513098 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:41.079965115 CEST409049723172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:41.357626915 CEST497234090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:45.374497890 CEST497244090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:45.524478912 CEST409049724172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:45.524600983 CEST497244090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:45.525830030 CEST497244090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:45.691822052 CEST409049724172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:45.692152977 CEST497244090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:45.841711044 CEST409049724172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:45.842899084 CEST497244090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:46.042056084 CEST409049724172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:46.124382019 CEST409049724172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:46.143079996 CEST497244090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:46.292232990 CEST409049724172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:46.293519974 CEST497244090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:46.442735910 CEST409049724172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:46.443008900 CEST497244090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:46.592803955 CEST409049724172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:46.638731003 CEST497244090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:47.359127998 CEST497244090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:51.389565945 CEST497254090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:51.541017056 CEST409049725172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:51.541184902 CEST497254090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:51.542445898 CEST497254090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:51.701612949 CEST409049725172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:51.702147007 CEST497254090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:51.849906921 CEST409049725172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:51.852691889 CEST497254090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:52.042478085 CEST409049725172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:52.141556978 CEST409049725172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:52.157203913 CEST497254090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:52.303715944 CEST409049725172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:52.352377892 CEST497254090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:52.501571894 CEST409049725172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:52.501673937 CEST497254090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:52.648128033 CEST409049725172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:52.701462030 CEST497254090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:53.358604908 CEST497254090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:57.382998943 CEST497264090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:57.536439896 CEST409049726172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:57.536570072 CEST497264090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:57.537520885 CEST497264090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:57.692429066 CEST409049726172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:57.733243942 CEST497264090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:57.886379957 CEST409049726172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:57.886920929 CEST497264090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:58.041739941 CEST409049726172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:58.043205023 CEST497264090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:58.241977930 CEST409049726172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:58.323748112 CEST409049726172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:58.326818943 CEST497264090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:58.359172106 CEST497264090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:30:58.478341103 CEST409049726172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:30:58.480035067 CEST497264090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:02.375967026 CEST497274090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:02.521645069 CEST409049727172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:02.521859884 CEST497274090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:02.522918940 CEST497274090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:02.679518938 CEST409049727172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:02.680061102 CEST497274090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:02.825643063 CEST409049727172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:02.827369928 CEST497274090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:03.013988972 CEST409049727172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:03.114691019 CEST409049727172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:03.123881102 CEST497274090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:03.268881083 CEST409049727172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:03.270265102 CEST497274090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:03.415539026 CEST409049727172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:03.415625095 CEST497274090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:03.560834885 CEST409049727172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:03.561127901 CEST497274090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:03.687283039 CEST4969780192.168.2.48.248.149.254
                                                                              May 4, 2021 10:31:03.731149912 CEST80496978.248.149.254192.168.2.4
                                                                              May 4, 2021 10:31:03.731225967 CEST4969780192.168.2.48.248.149.254
                                                                              May 4, 2021 10:31:03.747843027 CEST409049727172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:04.406333923 CEST497274090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:05.297071934 CEST804970093.184.220.29192.168.2.4
                                                                              May 4, 2021 10:31:05.297198057 CEST4970080192.168.2.493.184.220.29
                                                                              May 4, 2021 10:31:08.424514055 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:08.570945978 CEST409049728172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:08.571027994 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:08.571572065 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:08.728746891 CEST409049728172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:08.729051113 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:08.875494003 CEST409049728172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:08.877145052 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:09.075829983 CEST409049728172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:09.158078909 CEST409049728172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:09.159385920 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:09.306797028 CEST409049728172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:09.306952000 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:09.507217884 CEST409049728172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:09.507373095 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:09.656421900 CEST409049728172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:09.703041077 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:09.853499889 CEST409049728172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:09.906156063 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:10.268439054 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:10.465473890 CEST409049728172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:11.266613960 CEST497284090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:15.282874107 CEST497294090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:15.429320097 CEST409049729172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:15.429579973 CEST497294090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:15.430293083 CEST497294090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:15.580141068 CEST409049729172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:15.625474930 CEST497294090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:15.771696091 CEST409049729172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:15.775015116 CEST497294090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:15.922396898 CEST409049729172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:15.924020052 CEST497294090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:16.111323118 CEST409049729172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:16.209935904 CEST409049729172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:16.211642027 CEST497294090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:16.298254967 CEST497294090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:16.360383987 CEST409049729172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:16.360474110 CEST497294090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:20.318392992 CEST497304090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:20.465991974 CEST409049730172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:20.466167927 CEST497304090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:20.466886997 CEST497304090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:20.626770973 CEST409049730172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:20.627787113 CEST497304090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:20.774744987 CEST409049730172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:20.777182102 CEST497304090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:20.967406034 CEST409049730172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:21.081954002 CEST409049730172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:21.083997965 CEST497304090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:21.230871916 CEST409049730172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:21.231936932 CEST497304090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:21.378985882 CEST409049730172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:21.379208088 CEST497304090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:21.527663946 CEST409049730172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:21.581058025 CEST497304090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:22.314608097 CEST497304090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:26.330758095 CEST497314090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:26.476629019 CEST409049731172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:26.476819038 CEST497314090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:26.477560997 CEST497314090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:26.666013956 CEST409049731172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:26.666332960 CEST497314090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:26.813456059 CEST409049731172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:26.815262079 CEST497314090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:27.003890038 CEST409049731172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:27.102068901 CEST409049731172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:27.103403091 CEST497314090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:27.248760939 CEST409049731172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:27.250261068 CEST497314090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:27.396991014 CEST409049731172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:27.397186041 CEST497314090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:27.543698072 CEST409049731172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:27.595166922 CEST497314090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:28.330421925 CEST497314090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:30.580351114 CEST44349709184.30.25.218192.168.2.4
                                                                              May 4, 2021 10:31:30.580394030 CEST44349709184.30.25.218192.168.2.4
                                                                              May 4, 2021 10:31:30.580535889 CEST49709443192.168.2.4184.30.25.218
                                                                              May 4, 2021 10:31:30.580583096 CEST49709443192.168.2.4184.30.25.218
                                                                              May 4, 2021 10:31:32.424896002 CEST497324090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:32.570939064 CEST409049732172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:32.571075916 CEST497324090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:32.571814060 CEST497324090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:32.719899893 CEST409049732172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:32.767324924 CEST497324090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:32.913734913 CEST409049732172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:32.914024115 CEST497324090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:33.062191010 CEST409049732172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:33.064532042 CEST497324090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:33.259711027 CEST409049732172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:33.342276096 CEST409049732172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:33.343563080 CEST497324090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:33.424598932 CEST497324090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:33.489495993 CEST409049732172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:33.489702940 CEST497324090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:37.440989017 CEST497334090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:37.587558985 CEST409049733172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:37.587740898 CEST497334090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:37.631264925 CEST497334090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:37.794121981 CEST409049733172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:37.794784069 CEST497334090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:37.941131115 CEST409049733172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:37.943909883 CEST497334090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:38.136151075 CEST409049733172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:38.237102032 CEST409049733172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:38.248321056 CEST497334090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:38.394504070 CEST409049733172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:38.396787882 CEST497334090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:38.543276072 CEST409049733172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:38.543359995 CEST497334090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:38.689363956 CEST409049733172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:38.736634970 CEST497334090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:39.476342916 CEST497334090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:43.488668919 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:43.635685921 CEST409049734172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:43.635838985 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:43.636713982 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:43.798434973 CEST409049734172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:43.799437046 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:43.945616007 CEST409049734172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:43.960227966 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:44.145701885 CEST409049734172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:44.258930922 CEST409049734172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:44.261246920 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:44.406738997 CEST409049734172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:44.407723904 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:44.553096056 CEST409049734172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:44.553478956 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:44.698949099 CEST409049734172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:44.752706051 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:45.024703979 CEST409049734172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:45.080879927 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:45.457299948 CEST497344090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:49.513714075 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:49.660393953 CEST409049735172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:49.660501003 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:49.661091089 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:49.819246054 CEST409049735172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:49.820077896 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:49.967642069 CEST409049735172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:49.970613956 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:50.159158945 CEST409049735172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:50.243624926 CEST409049735172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:50.254894018 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:50.401673079 CEST409049735172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:50.404234886 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:50.553037882 CEST409049735172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:50.553304911 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:50.700809002 CEST409049735172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:50.753237009 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:51.457665920 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:51.648694992 CEST409049735172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:52.458748102 CEST497354090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:56.474613905 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:56.623600006 CEST409049736172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:56.623723030 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:56.624315023 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:56.789181948 CEST409049736172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:56.797938108 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:56.947124958 CEST409049736172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:56.949033976 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:57.152452946 CEST409049736172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:57.234920025 CEST409049736172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:57.235982895 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:57.386943102 CEST409049736172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:57.388300896 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:57.537406921 CEST409049736172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:57.537599087 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:57.687767982 CEST409049736172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:57.738226891 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:58.458127022 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:31:58.652658939 CEST409049736172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:31:59.458302021 CEST497364090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:03.513237953 CEST497374090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:03.659683943 CEST409049737172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:03.660058022 CEST497374090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:03.661380053 CEST497374090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:03.820178032 CEST409049737172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:03.821738005 CEST497374090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:03.969537020 CEST409049737172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:03.970937014 CEST497374090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:04.158521891 CEST409049737172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:04.245661020 CEST409049737172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:04.262826920 CEST497374090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:04.416132927 CEST409049737172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:04.417521954 CEST497374090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:04.567048073 CEST409049737172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:04.567218065 CEST497374090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:04.713618994 CEST409049737172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:04.713856936 CEST497374090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:04.901803970 CEST409049737172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:05.118531942 CEST44349694204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:05.552028894 CEST497374090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:06.732991934 CEST804970093.184.220.29192.168.2.4
                                                                              May 4, 2021 10:32:06.733169079 CEST4970080192.168.2.493.184.220.29
                                                                              May 4, 2021 10:32:06.768243074 CEST44349690204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:07.255409002 CEST44349688204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:07.698188066 CEST44349692204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:08.523700953 CEST44349693204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:09.570668936 CEST497384090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:09.717627048 CEST409049738172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:09.717776060 CEST497384090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:09.718869925 CEST497384090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:09.883462906 CEST409049738172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:09.888633966 CEST44349695204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:09.893712997 CEST497384090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:10.041614056 CEST409049738172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:10.043330908 CEST497384090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:10.243288994 CEST409049738172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:10.328805923 CEST409049738172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:10.329907894 CEST497384090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:10.475783110 CEST409049738172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:10.506793022 CEST497384090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:10.653757095 CEST409049738172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:10.654002905 CEST497384090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:10.800779104 CEST409049738172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:10.848666906 CEST497384090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:10.899842978 CEST44349689204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:10.904537916 CEST44349686204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:10.904567957 CEST44349698204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:11.553087950 CEST497384090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:11.689546108 CEST44349691204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:13.689754009 CEST44349699204.79.197.200192.168.2.4
                                                                              May 4, 2021 10:32:15.570005894 CEST497394090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:15.718059063 CEST409049739172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:15.718246937 CEST497394090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:15.719023943 CEST497394090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:15.869739056 CEST409049739172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:15.911736965 CEST497394090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:16.060189962 CEST409049739172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:16.096817017 CEST497394090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:16.245620012 CEST409049739172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:16.248133898 CEST497394090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:16.447127104 CEST409049739172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:16.537826061 CEST409049739172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:16.538979053 CEST497394090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:16.568782091 CEST497394090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:16.685839891 CEST409049739172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:16.685909986 CEST497394090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:18.876641989 CEST804970093.184.220.29192.168.2.4
                                                                              May 4, 2021 10:32:18.876780987 CEST4970080192.168.2.493.184.220.29
                                                                              May 4, 2021 10:32:20.585411072 CEST497404090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:20.734349966 CEST409049740172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:20.736424923 CEST497404090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:20.736723900 CEST497404090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:20.887481928 CEST409049740172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:20.927654982 CEST497404090192.168.2.4172.93.166.26
                                                                              May 4, 2021 10:32:21.076299906 CEST409049740172.93.166.26192.168.2.4
                                                                              May 4, 2021 10:32:21.079679966 CEST497404090192.168.2.4172.93.166.26

                                                                              UDP Packets

                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                              May 4, 2021 10:30:08.362804890 CEST6151653192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:08.414283037 CEST53615168.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:09.153835058 CEST4918253192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:09.203901052 CEST53491828.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:09.926547050 CEST5992053192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:09.975424051 CEST53599208.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:10.701407909 CEST5745853192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:10.751379967 CEST53574588.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:11.596306086 CEST5057953192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:11.649147987 CEST53505798.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:12.713280916 CEST5170353192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:12.764913082 CEST53517038.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:13.953927040 CEST6524853192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:14.002691984 CEST53652488.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:14.819376945 CEST5372353192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:14.868194103 CEST53537238.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:15.610141993 CEST6464653192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:15.658852100 CEST53646468.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:16.914283991 CEST6529853192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:16.963977098 CEST53652988.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:17.848736048 CEST5912353192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:17.900161028 CEST53591238.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:18.729810953 CEST5453153192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:18.779098988 CEST53545318.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:19.625092983 CEST4971453192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:19.674388885 CEST53497148.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:22.860003948 CEST5802853192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:22.909003019 CEST53580288.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:23.656889915 CEST5309753192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:23.706955910 CEST53530978.8.8.8192.168.2.4
                                                                              May 4, 2021 10:30:24.475920916 CEST4925753192.168.2.48.8.8.8
                                                                              May 4, 2021 10:30:24.541471004 CEST53492578.8.8.8192.168.2.4

                                                                              Code Manipulations

                                                                              Statistics

                                                                              CPU Usage

                                                                              Click to jump to process

                                                                              Memory Usage

                                                                              Click to jump to process

                                                                              High Level Behavior Distribution

                                                                              Click to dive into process behavior distribution

                                                                              Behavior

                                                                              Click to jump to process

                                                                              System Behavior

                                                                              Analysis Process: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936 Parent PID: 6028

                                                                              General

                                                                              Start time:10:30:14
                                                                              Start date:04/05/2021
                                                                              Path:C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Users\user\Desktop\Shipping Documents Original BL, Invoice & Pa.exe'
                                                                              Imagebase:0xac0000
                                                                              File size:734208 bytes
                                                                              MD5 hash:B89D3E7DD6EE20A09506365497F6CC3A
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Yara matches:
                                                                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, Author: Florian Roth
                                                                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, Author: Joe Security
                                                                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.673275544.0000000003DD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.670633702.0000000002E4C000.00000004.00000001.sdmp, Author: Joe Security
                                                                              Reputation:low

                                                                              Chronological Activities

                                                                              Analysis Process: MSBuild.exe PID: 5764 Parent PID: 5936

                                                                              General

                                                                              Start time:10:30:24
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              Imagebase:0xb10000
                                                                              File size:261728 bytes
                                                                              MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Reputation:moderate

                                                                              Chronological Activities

                                                                              Analysis Process: schtasks.exe PID: 5792 Parent PID: 5764

                                                                              General

                                                                              Start time:10:30:26
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF57E.tmp'
                                                                              Imagebase:0x1310000
                                                                              File size:185856 bytes
                                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Chronological Activities

                                                                              Analysis Process: conhost.exe PID: 5788 Parent PID: 5792

                                                                              General

                                                                              Start time:10:30:27
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Chronological Activities

                                                                              Analysis Process: schtasks.exe PID: 1680 Parent PID: 5764

                                                                              General

                                                                              Start time:10:30:27
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF909.tmp'
                                                                              Imagebase:0x1310000
                                                                              File size:185856 bytes
                                                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Chronological Activities

                                                                              Analysis Process: conhost.exe PID: 1492 Parent PID: 1680

                                                                              General

                                                                              Start time:10:30:28
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Chronological Activities

                                                                              Analysis Process: MSBuild.exe PID: 1556 Parent PID: 968

                                                                              General

                                                                              Start time:10:30:28
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 0
                                                                              Imagebase:0x1e0000
                                                                              File size:261728 bytes
                                                                              MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Reputation:moderate

                                                                              Chronological Activities

                                                                              Analysis Process: conhost.exe PID: 1364 Parent PID: 1556

                                                                              General

                                                                              Start time:10:30:28
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Chronological Activities

                                                                              Analysis Process: dhcpmon.exe PID: 980 Parent PID: 968

                                                                              General

                                                                              Start time:10:30:31
                                                                              Start date:04/05/2021
                                                                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                              Imagebase:0x5c0000
                                                                              File size:261728 bytes
                                                                              MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Antivirus matches:
                                                                              • Detection: 0%, Metadefender, Browse
                                                                              • Detection: 0%, ReversingLabs
                                                                              Reputation:moderate

                                                                              Chronological Activities

                                                                              Analysis Process: conhost.exe PID: 4116 Parent PID: 980

                                                                              General

                                                                              Start time:10:30:32
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high

                                                                              Chronological Activities

                                                                              Analysis Process: dhcpmon.exe PID: 5728 Parent PID: 3424

                                                                              General

                                                                              Start time:10:30:39
                                                                              Start date:04/05/2021
                                                                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                              Imagebase:0xf80000
                                                                              File size:261728 bytes
                                                                              MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:.Net C# or VB.NET
                                                                              Reputation:moderate

                                                                              Chronological Activities

                                                                              Analysis Process: conhost.exe PID: 4804 Parent PID: 5728

                                                                              General

                                                                              Start time:10:30:39
                                                                              Start date:04/05/2021
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff724c50000
                                                                              File size:625664 bytes
                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language

                                                                              Chronological Activities

                                                                              Disassembly

                                                                              Code Analysis

                                                                              Reset < >

                                                                                Analysis Process: Shipping Documents Original BL, Invoice & Pa.exe PID: 5936 Parent PID: 6028 Shipping Documents Original BL, Invoice & Pa.exeCOMMON

                                                                                Executed Functions

                                                                                Function 09520040, Relevance: 2.6, Instructions: 2589COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a1a905c310d9b2e2dae5bb3a0f5c1df4f2b4372da8cb336df3af5630143a6508
                                                                                • Instruction ID: 79e886289537cd43eb0ef3fe9cd097308107872097140facfdd271387249b622
                                                                                • Opcode Fuzzy Hash: a1a905c310d9b2e2dae5bb3a0f5c1df4f2b4372da8cb336df3af5630143a6508
                                                                                • Instruction Fuzzy Hash: AF430074A01229CFCB28DF29C984A9DB7B2BF89314F158195E419DB3A5DB31ED91CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952BBB0, Relevance: 1.4, Strings: 1, Instructions: 155COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: y{c{
                                                                                • API String ID: 0-3872401259
                                                                                • Opcode ID: adf98a904763e7b2daffd3c461469b6891d0dd97b16af958d794028c3e76fd1b
                                                                                • Instruction ID: 69e3dea8e72f66241fbf7577d747ddbc3f851c2e4cb6e6aabdf074342e79bc4b
                                                                                • Opcode Fuzzy Hash: adf98a904763e7b2daffd3c461469b6891d0dd97b16af958d794028c3e76fd1b
                                                                                • Instruction Fuzzy Hash: A951F970E1521A8FDB08CF96D5416AEFBF2FB8A340F14D429D419F7294D7349A418FA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A4C138, Relevance: .6, Instructions: 629COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 515de53f6734172287f5a8baf60274c93169bff519c29ca3d4f52ed19d2a8c19
                                                                                • Instruction ID: c932fd5be11477dae7c8be51b4dca978ca45ddac42a7228d5dd17331b1fa8473
                                                                                • Opcode Fuzzy Hash: 515de53f6734172287f5a8baf60274c93169bff519c29ca3d4f52ed19d2a8c19
                                                                                • Instruction Fuzzy Hash: 2232CEB17022059FDB18EB69C550BAEB7F6AFC9614F14806DE119DB3A0CB36ED01CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09528BAA, Relevance: .3, Instructions: 333COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c0506cefcee0374f9b8ad9d59913a41d73499a89398085e69bdb9e41b3b56a97
                                                                                • Instruction ID: 5b67a0af1396ed5731886d487da16ba6d77a651a27c84ce2c8e5d36277b6bd25
                                                                                • Opcode Fuzzy Hash: c0506cefcee0374f9b8ad9d59913a41d73499a89398085e69bdb9e41b3b56a97
                                                                                • Instruction Fuzzy Hash: E8D13D71A00129DFCB14DFAAC988AADBBF2BF8A350F158465F505EB3A1D734E845CB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952D55E, Relevance: .3, Instructions: 301COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cc1c1cd87ccca55d87e522e3c41353dd5328e8308ce7d8a40b3312803cfb127a
                                                                                • Instruction ID: a9579b07252abd7e0ee0353d9c77188db92f83c0e91286abccce5ccdc2878d86
                                                                                • Opcode Fuzzy Hash: cc1c1cd87ccca55d87e522e3c41353dd5328e8308ce7d8a40b3312803cfb127a
                                                                                • Instruction Fuzzy Hash: EDD12A70E1421ADFCB14DFA6C4818AEFBB2FF8A340B15C559D515EB294D738AA42CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952D590, Relevance: .3, Instructions: 290COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f282208dd4941c2dc67478084ea4afe8cb08e10b73089e235c9b6fbec7501051
                                                                                • Instruction ID: 1f9648b907605b99358315281eb42fdf7758cd0f3625a644096caa06651902c7
                                                                                • Opcode Fuzzy Hash: f282208dd4941c2dc67478084ea4afe8cb08e10b73089e235c9b6fbec7501051
                                                                                • Instruction Fuzzy Hash: 54D13970E1421ADFCB14DF96D4818AEFBB2FF8A340B25C565D415EB294D738AA42CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A4ACE8, Relevance: .3, Instructions: 274COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3f0ce095cb94241e3489ce5510a9c13a884ee79a934291caa30d48b6b5686310
                                                                                • Instruction ID: 6ca910cdebec08e8f967e8b3cfc574d8ea702b4ef5e25a2ec92731c2ef03577d
                                                                                • Opcode Fuzzy Hash: 3f0ce095cb94241e3489ce5510a9c13a884ee79a934291caa30d48b6b5686310
                                                                                • Instruction Fuzzy Hash: D8B18DB1A40215CFCB15CF69C884A9DBBF5BFC4314F16C069E925AB2A1DB32ED41CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952B3F8, Relevance: .2, Instructions: 207COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 453e8579df46009349df0c60662cd7cf474bdbb637302fc608463c0c78432fb8
                                                                                • Instruction ID: c99a90875f740b296026bbb531969b6d8c51d1b2bc96d86d60c3a4a6f499bdec
                                                                                • Opcode Fuzzy Hash: 453e8579df46009349df0c60662cd7cf474bdbb637302fc608463c0c78432fb8
                                                                                • Instruction Fuzzy Hash: EF91D074E052198FDB08CFEAC9846EEBBB2FF89310F24942AD415BB264D7349946CF50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A4B700, Relevance: .1, Instructions: 110COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2e4ef7f0a57aaf2a930df3f3eae16f3fe1fe8cf1138479f81e140fe574833ee5
                                                                                • Instruction ID: a291f503ac37ca3a2d32011d4fcd01a49759cd601b305e7709312a95ce6f1960
                                                                                • Opcode Fuzzy Hash: 2e4ef7f0a57aaf2a930df3f3eae16f3fe1fe8cf1138479f81e140fe574833ee5
                                                                                • Instruction Fuzzy Hash: DE313EF0D1A21A9BCB14CFA9D4546FDBAF4BBCA241F105425E426F3240EB76D9418F34
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952C620, Relevance: .1, Instructions: 68COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d8c80b2766d06fbcfe95ff6d172bb37f332683d748182f374f22b8d2dc6a1b8a
                                                                                • Instruction ID: ec08e410b0b3048f53d5ed5796859541521f725639c192a38b56f70ae5c2b8d0
                                                                                • Opcode Fuzzy Hash: d8c80b2766d06fbcfe95ff6d172bb37f332683d748182f374f22b8d2dc6a1b8a
                                                                                • Instruction Fuzzy Hash: 3421E671E106188BDB18CFABD8406DEFBB7AFC9310F24C07AD909A6254DB741A45CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952DBA1, Relevance: 2.6, Strings: 2, Instructions: 70COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: *w'%$*w'%
                                                                                • API String ID: 0-831113700
                                                                                • Opcode ID: ba04490eb21522385988ae07d0a294ba8c762da91b611a3535c88819f017c9b4
                                                                                • Instruction ID: ddbf012fb5b9e8d4c32cfc99c3677be801fa08fb118e871c3b0cce30cfa79ebe
                                                                                • Opcode Fuzzy Hash: ba04490eb21522385988ae07d0a294ba8c762da91b611a3535c88819f017c9b4
                                                                                • Instruction Fuzzy Hash: 5E214B70D09209DFDB44CFA5C59059EBFF2BF8A340F25C4AAD405EB294E7749A418B51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952DBB0, Relevance: 2.6, Strings: 2, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: *w'%$*w'%
                                                                                • API String ID: 0-831113700
                                                                                • Opcode ID: 3afb4ec0bf1fd21fcee3597e297296dc9848311dab0d83a48cbf7120fed35420
                                                                                • Instruction ID: 6f27cec724abd3807f7836af1cbbe8dd05f9fc59f74afa09f1eded621c942fee
                                                                                • Opcode Fuzzy Hash: 3afb4ec0bf1fd21fcee3597e297296dc9848311dab0d83a48cbf7120fed35420
                                                                                • Instruction Fuzzy Hash: 14214970D08219EFCB04CFAAC5905AEFBF5BF89340F21C4A9C419EB294E7709A418F51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A47FA0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07A481D6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CreateProcess
                                                                                • String ID:
                                                                                • API String ID: 963392458-0
                                                                                • Opcode ID: cb7aba9cc5f52eb4b6aa7b7b1d62d6002907a6c4a4dd58855258dae769ac95dd
                                                                                • Instruction ID: b72248df164230c12f5e144ff5570c8d53d0c68a54b13228cf7373f4b1d9eae0
                                                                                • Opcode Fuzzy Hash: cb7aba9cc5f52eb4b6aa7b7b1d62d6002907a6c4a4dd58855258dae769ac95dd
                                                                                • Instruction Fuzzy Hash: 69918BB1D00619CFDF20CFA9D845BEDBBB2BF88314F148569D828A7240DB799985CF91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FBBC8, Relevance: 1.7, APIs: 1, Instructions: 195COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 014FBE0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 28d265b2e11ad6b2d141d537223c2c4b15ca1f6ef3842b0533ee7fc9b47ffdc8
                                                                                • Instruction ID: 3db7e7b3e460f95e85f37587f3ebf5c12dd926ee8f27c5e246eabc116f84ce91
                                                                                • Opcode Fuzzy Hash: 28d265b2e11ad6b2d141d537223c2c4b15ca1f6ef3842b0533ee7fc9b47ffdc8
                                                                                • Instruction Fuzzy Hash: DB712370A00B058FE724DF2AC44075BBBF1FF89214F00892ED69AD7B60DB75E8068B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FB214, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014FDD8A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: 7d91a0a00cdadb3049597374b78cacbd87836799e08c4c888deaa903a374d101
                                                                                • Instruction ID: c840ba242ae38562ca2977bf9ce8d1ce455b9102088a4a073be6322b42ddf1f7
                                                                                • Opcode Fuzzy Hash: 7d91a0a00cdadb3049597374b78cacbd87836799e08c4c888deaa903a374d101
                                                                                • Instruction Fuzzy Hash: AA51B0B1D003099FDF14CF99D884ADEBBB5BF48314F24812AE919AB360D7759845CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FDC6D, Relevance: 1.6, APIs: 1, Instructions: 115COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014FDD8A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: CreateWindow
                                                                                • String ID:
                                                                                • API String ID: 716092398-0
                                                                                • Opcode ID: 2e50288d990c81d61e9a72adf085317e792b29e1dce4abcbd51ffd9879877ce6
                                                                                • Instruction ID: 429b5b1abee62e592abc398bfb5f86ccc5e7a47b45bd646edad69d109a7fa39b
                                                                                • Opcode Fuzzy Hash: 2e50288d990c81d61e9a72adf085317e792b29e1dce4abcbd51ffd9879877ce6
                                                                                • Instruction Fuzzy Hash: 4F51A0B1D003099FDF14CF9AD884ADEBBB5BF48314F24812AE919AB360D7759945CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014F6D49, Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014F6E47
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: 9d746a359057de11ae2c69c79cedd544e9171b7cd055aa45286f1af3492cdb14
                                                                                • Instruction ID: dbbc8cde45ea120bcf885dac74e9577fd4d0fa00c09a80bdd78bbc3aba227a99
                                                                                • Opcode Fuzzy Hash: 9d746a359057de11ae2c69c79cedd544e9171b7cd055aa45286f1af3492cdb14
                                                                                • Instruction Fuzzy Hash: BE415A76900208AFDF01CF99D844ADEBFF9FB48320F15801AEA14A7320D7359954DFA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FF980, Relevance: 1.6, APIs: 1, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1d4c93810b96460591e9e07dbf373784be022135e54f7952e3e0f1b3234a2787
                                                                                • Instruction ID: d381f4cce199a785389f24a29e3bf73a8e1b8e4a297abdb5b7610f714b37e12b
                                                                                • Opcode Fuzzy Hash: 1d4c93810b96460591e9e07dbf373784be022135e54f7952e3e0f1b3234a2787
                                                                                • Instruction Fuzzy Hash: C82125736047856FE7328B6ED844BA7BFE49B80224F18806FD385C7362D638944DC750
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FF888, Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DrawTextExW.USER32(?,?,?,?,?,?), ref: 014FF927
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DrawText
                                                                                • String ID:
                                                                                • API String ID: 2175133113-0
                                                                                • Opcode ID: ef484f1545b6483b75991faaafc3f9f10de4d684c2b6bf20fdc76ddd17364aea
                                                                                • Instruction ID: 13883eb6adcf8356b43cd7bffba7402f7a8bc2e724968f7dd0831603705ccd32
                                                                                • Opcode Fuzzy Hash: ef484f1545b6483b75991faaafc3f9f10de4d684c2b6bf20fdc76ddd17364aea
                                                                                • Instruction Fuzzy Hash: 7031C2B6900209AFDB10CF9AD884ADEBBF5FB58324F14842EE915A7350D774A945CFA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A47D18, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07A47DA8
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: MemoryProcessWrite
                                                                                • String ID:
                                                                                • API String ID: 3559483778-0
                                                                                • Opcode ID: 1c56b4dfa48374f1f48e83c49e029ad9403173a4679db2d8061065e75b751ee6
                                                                                • Instruction ID: 7ecb383e83fe40f739b6cbc06a00545a282b54a42f92a6fbd25e818e75ef113c
                                                                                • Opcode Fuzzy Hash: 1c56b4dfa48374f1f48e83c49e029ad9403173a4679db2d8061065e75b751ee6
                                                                                • Instruction Fuzzy Hash: 132115B19002599FDF10CFA9C884BEEBBF5FB88314F10842AE918A7250D7799944CFA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FF890, Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DrawTextExW.USER32(?,?,?,?,?,?), ref: 014FF927
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DrawText
                                                                                • String ID:
                                                                                • API String ID: 2175133113-0
                                                                                • Opcode ID: 7cf0080ffb3211ed1333fd9bb8547600c7f0598fd62cd65d10a08d256c168799
                                                                                • Instruction ID: 14b21019370645cf3c5beade4045703a87009ae348343da9670a3fd1b8071ed3
                                                                                • Opcode Fuzzy Hash: 7cf0080ffb3211ed1333fd9bb8547600c7f0598fd62cd65d10a08d256c168799
                                                                                • Instruction Fuzzy Hash: A621C0B69002099FDB10CF9AD884A9EBBF4FB48324F14842EE915A7320D774A944CFA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014F6DB8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014F6E47
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: a6f83c10c32c75d678c3182db1497e90666659bee8153ef2dcd7a950b505862a
                                                                                • Instruction ID: 727db069f66614a22f723491deac83a1f35602950665d740823ee53c463c4bb1
                                                                                • Opcode Fuzzy Hash: a6f83c10c32c75d678c3182db1497e90666659bee8153ef2dcd7a950b505862a
                                                                                • Instruction Fuzzy Hash: CE21E3B6900208AFDB10CFAAD984BDEBBF5FB48324F15841AE914B3310D374A954CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A47B80, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • SetThreadContext.KERNEL32(?,00000000), ref: 07A47BFE
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ContextThread
                                                                                • String ID:
                                                                                • API String ID: 1591575202-0
                                                                                • Opcode ID: da4f1ef4986d8463b8065cb19095223d313cbbe33a8c24774043cadbec7155aa
                                                                                • Instruction ID: aabcd2868ab91044dd9ccffe88a83cfcd00129c499ddafd67964f387e0a53528
                                                                                • Opcode Fuzzy Hash: da4f1ef4986d8463b8065cb19095223d313cbbe33a8c24774043cadbec7155aa
                                                                                • Instruction Fuzzy Hash: 832129B19003499FDB10CFAAC4857EEBBF5EF88324F14842AD519A7240CB79A945CFA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A47E08, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07A47E88
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: MemoryProcessRead
                                                                                • String ID:
                                                                                • API String ID: 1726664587-0
                                                                                • Opcode ID: 07c48c6334db3386db17c6f1457cbf6fec763983e9378ba9300d048734e923c8
                                                                                • Instruction ID: 6c0a03de701498a38e4764c1b913852d1749e6b2b59c96501d81fdbbcf90c708
                                                                                • Opcode Fuzzy Hash: 07c48c6334db3386db17c6f1457cbf6fec763983e9378ba9300d048734e923c8
                                                                                • Instruction Fuzzy Hash: 702116B18002599FCB10CFAAC8857DEBBF5FF48314F10842AE918A7250C7799945CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014F6DC0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014F6E47
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: DuplicateHandle
                                                                                • String ID:
                                                                                • API String ID: 3793708945-0
                                                                                • Opcode ID: baa182bc8237af74b904523670b7158666a0a926f5f0601807cbd230ab57c374
                                                                                • Instruction ID: 89ba2b680f93552bfdc262839b95044774e0d1e467371ebb9db068016f8ffb64
                                                                                • Opcode Fuzzy Hash: baa182bc8237af74b904523670b7158666a0a926f5f0601807cbd230ab57c374
                                                                                • Instruction Fuzzy Hash: 9721C4B59002089FDB10CFAAD984ADEBBF5FB48324F14841AE914B3310D374A954CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A432E9, Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 07A43363
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                • Opcode ID: 5fdd369de8e6bd47aee818bd98dd1cfa79da6764770f6375c115f744a6961208
                                                                                • Instruction ID: 09ce217339319339d37890f1d852c010cdf859bebfebb98ac21013af5e050e73
                                                                                • Opcode Fuzzy Hash: 5fdd369de8e6bd47aee818bd98dd1cfa79da6764770f6375c115f744a6961208
                                                                                • Instruction Fuzzy Hash: FD2108B59002099FDB10CF9AD484BDEFBF5FB48324F10842AE468B3650D775A544CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A432F0, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 07A43363
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ProtectVirtual
                                                                                • String ID:
                                                                                • API String ID: 544645111-0
                                                                                • Opcode ID: 8d74703bb0ec0c4fcd080bcb528c914371bf031f10e92152e65c499e2cad92b9
                                                                                • Instruction ID: 72d47d30c7e945d658130f32e61aa2886c6a4dcd1bef2d3e014265b29bccdd6a
                                                                                • Opcode Fuzzy Hash: 8d74703bb0ec0c4fcd080bcb528c914371bf031f10e92152e65c499e2cad92b9
                                                                                • Instruction Fuzzy Hash: CA21F9B59002099FDB10CF9AD484BDEFBF4FB48324F108429E968B7250D779A545CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FB0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,014FBE89,00000800,00000000,00000000), ref: 014FC09A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 9b980ef31fc80ee715c06885aa517bbbb833a2e442faa9440b1b712c2db38a9c
                                                                                • Instruction ID: 57629ddd8a3d4c14941ede240a73af39eeabb05bd289b9e885d076ae7bfbd711
                                                                                • Opcode Fuzzy Hash: 9b980ef31fc80ee715c06885aa517bbbb833a2e442faa9440b1b712c2db38a9c
                                                                                • Instruction Fuzzy Hash: A71103B69002089FDB14CF9AD484B9EFBF4EB49324F14842EDA15B7710C375A945CFA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A47C58, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07A47CC6
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID:
                                                                                • API String ID: 4275171209-0
                                                                                • Opcode ID: 4ced65e04cd9469c9b6d01d70c7167c0e5241d2f64a13eab26384fdf31b597b7
                                                                                • Instruction ID: d5003010750041752b875f79e16246c141467c70fb0e85c291be7ff258ecafa8
                                                                                • Opcode Fuzzy Hash: 4ced65e04cd9469c9b6d01d70c7167c0e5241d2f64a13eab26384fdf31b597b7
                                                                                • Instruction Fuzzy Hash: 481137719002499FDF10DFAAD8447DFBBF5EF88324F148819E525A7250C775A954CFA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FC028, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,014FBE89,00000800,00000000,00000000), ref: 014FC09A
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 1029625771-0
                                                                                • Opcode ID: 2cdf47b983d4c1d15d409037b50c8a4039103f0c9ea80542afa893a5f4b168b6
                                                                                • Instruction ID: 6e249ce39647f2ab7545c8e2dc7768f7a8076e2ed09aca37977b9185c792e42f
                                                                                • Opcode Fuzzy Hash: 2cdf47b983d4c1d15d409037b50c8a4039103f0c9ea80542afa893a5f4b168b6
                                                                                • Instruction Fuzzy Hash: D51130B68002088FDB14CFAAD484BDEFBF4AB49324F14842ED919B7710C375A54ACFA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A47AD0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: ResumeThread
                                                                                • String ID:
                                                                                • API String ID: 947044025-0
                                                                                • Opcode ID: a5cf07a10c188b576ec032fbb47cbeea3c406b82197a113709f953c3ce0681b6
                                                                                • Instruction ID: 201bffb6740aaae9d5c1fc6ebef316602699210cf2193244eca6d5f90749752c
                                                                                • Opcode Fuzzy Hash: a5cf07a10c188b576ec032fbb47cbeea3c406b82197a113709f953c3ce0681b6
                                                                                • Instruction Fuzzy Hash: B0113AB19002488BDB10DFAAD4447DEFBF5EB98224F148419D515B7240CB79A945CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A434E0, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A4B13D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID: MessagePost
                                                                                • String ID:
                                                                                • API String ID: 410705778-0
                                                                                • Opcode ID: 4b84615a768fb7c100198e49bf84a96f0d383f9735c2de7b19f1f5aeaa572255
                                                                                • Instruction ID: 3052f667aacc67082caa05d481cb80ac873dca759f5e1f7d5e840c7c6f658d78
                                                                                • Opcode Fuzzy Hash: 4b84615a768fb7c100198e49bf84a96f0d383f9735c2de7b19f1f5aeaa572255
                                                                                • Instruction Fuzzy Hash: 281106B58003499FDB10CF99D889BDEBBF8EB48324F108419E925B7700D375A944CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FBDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(00000000), ref: 014FBE0E
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: HandleModule
                                                                                • String ID:
                                                                                • API String ID: 4139908857-0
                                                                                • Opcode ID: 0f59e431f35b773fabfa28a1f8b3a6817a3005b2fe1fc13ebf50b4131e38ee4e
                                                                                • Instruction ID: 2443c0ef5dc4c7f1d6659899c85378c4a7f2e5ec0bec2d49c5c04331f21fe7dd
                                                                                • Opcode Fuzzy Hash: 0f59e431f35b773fabfa28a1f8b3a6817a3005b2fe1fc13ebf50b4131e38ee4e
                                                                                • Instruction Fuzzy Hash: 3111DFB6C002498FDB14CF9AD444BDEFBF5EB89224F14842AD929B7710C379A545CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FDEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • SetWindowLongW.USER32(?,?,?), ref: 014FDF1D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LongWindow
                                                                                • String ID:
                                                                                • API String ID: 1378638983-0
                                                                                • Opcode ID: 3b21828e017ded10ab2ca26e18591d79822505dac9e834a371be1a1ce2d7dff2
                                                                                • Instruction ID: 1311e7cf09b8053af5eca606ee3c940c6b9df94755d947656c6e5afba582e231
                                                                                • Opcode Fuzzy Hash: 3b21828e017ded10ab2ca26e18591d79822505dac9e834a371be1a1ce2d7dff2
                                                                                • Instruction Fuzzy Hash: A911E2B58002099FDB10DF9AD585BDEBBF8EB48324F10851AE919B7710C375A944CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FDEB9, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                                                                Download Yara Rule
                                                                                APIs
                                                                                • SetWindowLongW.USER32(?,?,?), ref: 014FDF1D
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID: LongWindow
                                                                                • String ID:
                                                                                • API String ID: 1378638983-0
                                                                                • Opcode ID: 96c5ea61ad8fe3220a85ba0cced8b5f981c27166809865843233c5860078f5ac
                                                                                • Instruction ID: 89a063825c6d73f4e0a01f873e53e33e4ec87fabffb0d6787b43e7e253c21aef
                                                                                • Opcode Fuzzy Hash: 96c5ea61ad8fe3220a85ba0cced8b5f981c27166809865843233c5860078f5ac
                                                                                • Instruction Fuzzy Hash: D411D3B59002098FDB10CF99D585BDEBBF4EB48324F24851AD959B7750C374A944CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 095249C0, Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID: 0-3916222277
                                                                                • Opcode ID: 0ad2e2494c86ad09e31e4b2008c24bf60ffb0a504ef29e987b25c16fe56c56ed
                                                                                • Instruction ID: 4ac47053f25fbbb5b13474486d616a8504a1c1a77b63134e695fe8ecd8d0223d
                                                                                • Opcode Fuzzy Hash: 0ad2e2494c86ad09e31e4b2008c24bf60ffb0a504ef29e987b25c16fe56c56ed
                                                                                • Instruction Fuzzy Hash: B931C675E142289BDF24CF6AD845B9DFBB2BF8A300F04C0A9E918A7355DB705A84CF51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 095278E8, Relevance: .4, Instructions: 446COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bbe162a65af89973176c56b619cf6cd37786f7a867beb33eed9d8e4996c88aac
                                                                                • Instruction ID: 7662db7a9c7a2b73d704bc607d3a9b3b854c3c751d829123cc7aa82511d1033e
                                                                                • Opcode Fuzzy Hash: bbe162a65af89973176c56b619cf6cd37786f7a867beb33eed9d8e4996c88aac
                                                                                • Instruction Fuzzy Hash: 46F1ED347002259FDB18EF69C899B7E7BA6BB8A354F148428E506DB3C4DF74EC018B91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09526F80, Relevance: .2, Instructions: 233COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cd51526510a909d3ddd7e37e408b86d384ff3732ba72014a70d37b831a385cd5
                                                                                • Instruction ID: ea522ccefef0f4c2ba9fd3d1cd045f2e88ea75fc8e71e38cbb60f3baa1780217
                                                                                • Opcode Fuzzy Hash: cd51526510a909d3ddd7e37e408b86d384ff3732ba72014a70d37b831a385cd5
                                                                                • Instruction Fuzzy Hash: 2381DE3150E3D65FCB13AB3898605CA3F72AF13214F0904D7D991CB6E3EA28985DD7A2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09527F29, Relevance: .2, Instructions: 227COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 669f31b4a21faa8edf6a528892f01da4cde80579946bec45adb3d77f009ee0cd
                                                                                • Instruction ID: dddc8692d8ddad34afc69d0ca81726355d51b8a8579fed241922d5dc074f7588
                                                                                • Opcode Fuzzy Hash: 669f31b4a21faa8edf6a528892f01da4cde80579946bec45adb3d77f009ee0cd
                                                                                • Instruction Fuzzy Hash: BF81A034A04626CFDB14DFAAC884A6AB7F2BF8A350F158169D605D73E1D731EC41CB51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09524AA9, Relevance: .2, Instructions: 175COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 389b605c658bba926391430d9184bec735d774c6ed26737258e66da719344d6a
                                                                                • Instruction ID: beab32d92f5e25652f4e1adae6274448442077634ecef710919c11f9ae5081c1
                                                                                • Opcode Fuzzy Hash: 389b605c658bba926391430d9184bec735d774c6ed26737258e66da719344d6a
                                                                                • Instruction Fuzzy Hash: 27712B74A042698FCB04DFA9C881BAEBBB2BF89314F15C4A4D918EB355D730D981CF61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09524F51, Relevance: .2, Instructions: 171COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f5754c044afd8ffbb9460fe2396e606fc0826beef39d85bbd74c189205e0d0dc
                                                                                • Instruction ID: d0b40973f191f1a75fc2a2a5e49a7e833339ddbbad0459067a83d3b4e76ac265
                                                                                • Opcode Fuzzy Hash: f5754c044afd8ffbb9460fe2396e606fc0826beef39d85bbd74c189205e0d0dc
                                                                                • Instruction Fuzzy Hash: 6E713A74A042658FCB04DFA9C880A9EFBF2BF4A354F15C595E958DB346E734D842CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09523C28, Relevance: .1, Instructions: 111COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 30a591e3b0f31e0d22af7570e7a0b7b84e9f98abb2f40b12ad0b007b4cc33f93
                                                                                • Instruction ID: 53966132adb2fb9d58a47759faab7067c198ae32885ec2e26e4bd8615eca8d3d
                                                                                • Opcode Fuzzy Hash: 30a591e3b0f31e0d22af7570e7a0b7b84e9f98abb2f40b12ad0b007b4cc33f93
                                                                                • Instruction Fuzzy Hash: FB413C74E05229DFCB10DFAAD5855ADBBF4BF0A780F11986AE816F3340E7389A418F54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09528A68, Relevance: .1, Instructions: 108COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c2682756500acea3820d1a7c48d9e964395170d19397b1cf1029ba3ee6eab9e0
                                                                                • Instruction ID: 4bf629ca7cb88c1c6a428809e4b7cfcaa2c1f7fdeaa55e55e0aa7aea3e3ae717
                                                                                • Opcode Fuzzy Hash: c2682756500acea3820d1a7c48d9e964395170d19397b1cf1029ba3ee6eab9e0
                                                                                • Instruction Fuzzy Hash: F141CF716002189FDB149F95C844BAEBBF6FB86314F048429FA15CB681DB75EC14CB60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09529E60, Relevance: .1, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f8e7afba7e9dee24b1b127294bbaae49b044b6b0fde7847670f89b3fdbb9e554
                                                                                • Instruction ID: ccf93bd25f122665138b767726e4838c6ae38dfcb732fe3cf18846e8a63116ba
                                                                                • Opcode Fuzzy Hash: f8e7afba7e9dee24b1b127294bbaae49b044b6b0fde7847670f89b3fdbb9e554
                                                                                • Instruction Fuzzy Hash: 5131D031B002149FDB19AB78D9557AE7BF6BF89324F144069E606EB390DF349C01CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09523557, Relevance: .1, Instructions: 92COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 81b94ac31ce56daf73bf06f076d289116d04defc511a3e4933eae679947b9ba2
                                                                                • Instruction ID: fad59c83eb8fd61b710a69f2b551f83d44cd5e977d5a62c8c2e82681aff47a89
                                                                                • Opcode Fuzzy Hash: 81b94ac31ce56daf73bf06f076d289116d04defc511a3e4933eae679947b9ba2
                                                                                • Instruction Fuzzy Hash: 4841D375E012189FDB08DFA9E894AEEBBF2FF89300F10802AE515A7354EB356901CF50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09523568, Relevance: .1, Instructions: 92COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 215e1b7ac17e6191a3c5e7a83103e666306136bf938ffb448ad536c89f93344a
                                                                                • Instruction ID: beb9746662c6acc328844151cb479d8bcaf6b3bfbb46d15bb5224917af3de366
                                                                                • Opcode Fuzzy Hash: 215e1b7ac17e6191a3c5e7a83103e666306136bf938ffb448ad536c89f93344a
                                                                                • Instruction Fuzzy Hash: CE41C275E012189FDB08DFAAE994AEEBBF2FF89310F10802AE515A7354DB346941CF50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09526BA0, Relevance: .1, Instructions: 86COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f9c92a271d85925fd8ce81c7465db0a05f7cd60642a59195df6f496fc3cf8acd
                                                                                • Instruction ID: aaa562c5da6a27083c768e9f686b3baff0c273d73dc82e3111e458e5703003d2
                                                                                • Opcode Fuzzy Hash: f9c92a271d85925fd8ce81c7465db0a05f7cd60642a59195df6f496fc3cf8acd
                                                                                • Instruction Fuzzy Hash: CB21F6343051146FE728662A4C5AF3F3A67EBC57A5F248425F606EF2C4CE799C024794
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09526B90, Relevance: .1, Instructions: 82COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 74db630328d70ecbd707c9e4562fd6f9ad75a363b8b9ec8380be45d774be86cf
                                                                                • Instruction ID: 62e800a8e91560ec3b65df392c56dc07ae87539588ae05888942a623e57bf915
                                                                                • Opcode Fuzzy Hash: 74db630328d70ecbd707c9e4562fd6f9ad75a363b8b9ec8380be45d774be86cf
                                                                                • Instruction Fuzzy Hash: 5D213A353051206FE3286A294C66B7F2AA7EBC6795F258065E607DF7C4DE7C8C024395
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 095243AD, Relevance: .1, Instructions: 78COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7e8d06a9a25cc7b2766d946ec12f2d89318bf353590fb04c71044db08a841d65
                                                                                • Instruction ID: e0a4cdaf5005b041a071a36748c3ebdd85f1ef71edb880ec1cf4363b1fae09bc
                                                                                • Opcode Fuzzy Hash: 7e8d06a9a25cc7b2766d946ec12f2d89318bf353590fb04c71044db08a841d65
                                                                                • Instruction Fuzzy Hash: 2F31B574E0025ACBCB14CFA5C485AAEBBF5BF5A304F208469D919EB3A4E734D841CF50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952F1B2, Relevance: .1, Instructions: 77COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f5328b4143a243e6dc4a20749255582d9c7e19ef7b12c794441752e785737715
                                                                                • Instruction ID: 4cdd4441adbb369bc1ef14ff18038bed82b0ee8d07061faee6b2d667cdd09689
                                                                                • Opcode Fuzzy Hash: f5328b4143a243e6dc4a20749255582d9c7e19ef7b12c794441752e785737715
                                                                                • Instruction Fuzzy Hash: 43317A749042999FCB01CFA9D8559AEFFF1BF4A200B1581AAE944E7292C3349944CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952BF18, Relevance: .1, Instructions: 76COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: aac772dffc92b8717528bc8a71f000a44d1f868c94894987645003fafdf8dd7d
                                                                                • Instruction ID: 646619de0abdbb4c9a1f333113e1aea8762fd38cef791cb7d54ae8462bdb7757
                                                                                • Opcode Fuzzy Hash: aac772dffc92b8717528bc8a71f000a44d1f868c94894987645003fafdf8dd7d
                                                                                • Instruction Fuzzy Hash: B931E670E04219DFCB48CFAAC58199EFBF2BB8A340F14C5AAD419E7254D7349A418F91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952BF20, Relevance: .1, Instructions: 76COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e5a38ba899bc6d78634d7d87c584abebd2252197660a487a3a70eb3f6c23f64d
                                                                                • Instruction ID: 9f0e7be7e9157b6e13b0661d7af8165163443d9479c4fdc5848699257b6cc7c6
                                                                                • Opcode Fuzzy Hash: e5a38ba899bc6d78634d7d87c584abebd2252197660a487a3a70eb3f6c23f64d
                                                                                • Instruction Fuzzy Hash: 5D31F670E04219DFCB48CFAAC5819AEFBF2BB8A340F11C5A9D419E7354E7349A418F91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952BE00, Relevance: .1, Instructions: 76COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d5c00fdbb29004d940a38e9a141862d7da462777c0a24d0f517e288fb3ce8120
                                                                                • Instruction ID: e704d2dbf388204b22cf36f6ac9cb0c674a2d7c989e5588e12f6de99d5b594cb
                                                                                • Opcode Fuzzy Hash: d5c00fdbb29004d940a38e9a141862d7da462777c0a24d0f517e288fb3ce8120
                                                                                • Instruction Fuzzy Hash: BE31B6B4E04219DFCB84CF9AC4816AEBBF2BF89300F10946AD919E7754D774A941CF54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0131D3EC, Relevance: .1, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670264459.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 97606018c42a8c8de0fb9a5eca23310259f398c4aa2d341d60a452248128959c
                                                                                • Instruction ID: 6d5e919331f18d1e77faf2b6f55a11f44fd1d084aebd88c621f5054c46e90adf
                                                                                • Opcode Fuzzy Hash: 97606018c42a8c8de0fb9a5eca23310259f398c4aa2d341d60a452248128959c
                                                                                • Instruction Fuzzy Hash: 98219AB1144204DFDB09DF44C8C4B66BF65FB89328F20C569E8091B60BCB36E446C7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0131D4D8, Relevance: .1, Instructions: 75COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670264459.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 85ec6a9f9c3c5dce306978b2946ef834733d99ecc5392bf2b98ae93429efbc8a
                                                                                • Instruction ID: 4aeebc78d4819b96f6bb686e3fe11825fb558e130236580d5da48d7e8252e7ff
                                                                                • Opcode Fuzzy Hash: 85ec6a9f9c3c5dce306978b2946ef834733d99ecc5392bf2b98ae93429efbc8a
                                                                                • Instruction Fuzzy Hash: 542137B1504204DFDB09CF94D9C8B27BF65FB8932CF248569E9050B61EC336D846CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0132D1D4, Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670282970.000000000132D000.00000040.00000001.sdmp, Offset: 0132D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5b8b426e6e5a74d0b9479c69d7f0812ea129278d20e630ac0261d4a1cb85f0bc
                                                                                • Instruction ID: e643ef04179f313e9a53d84ded382425460a8e6fbd79988b41ecf88af6d592f4
                                                                                • Opcode Fuzzy Hash: 5b8b426e6e5a74d0b9479c69d7f0812ea129278d20e630ac0261d4a1cb85f0bc
                                                                                • Instruction Fuzzy Hash: 47214971504304DFDB05EF94D9C0B26BB65FB85328F24C5ADE8094B746C736D846CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0132D01C, Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670282970.000000000132D000.00000040.00000001.sdmp, Offset: 0132D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e562081bde54834ad5ae1e5ba64052627124035a2402bb61eb9dd373e9d2e823
                                                                                • Instruction ID: 5450c51d8aa41453816d344b9ce16872928ee8af96b4b5454dd0ed8b4f9a834c
                                                                                • Opcode Fuzzy Hash: e562081bde54834ad5ae1e5ba64052627124035a2402bb61eb9dd373e9d2e823
                                                                                • Instruction Fuzzy Hash: B5213471604244DFCB15EF54D8C0B26BB65FB84358F24C9ADE80A4B766C73AD847CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952416B, Relevance: .1, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 578b7df58bdf2e7f7cd2d5f6f4c51abc5c56296409435a3d8d3edf83cbf916b3
                                                                                • Instruction ID: 5ec20e195850d7231d4f95080476037db816b11c80cb732c0b21191c03bf6f20
                                                                                • Opcode Fuzzy Hash: 578b7df58bdf2e7f7cd2d5f6f4c51abc5c56296409435a3d8d3edf83cbf916b3
                                                                                • Instruction Fuzzy Hash: C931B274E10228DFCB64DFA9D885A9CBBB1FF49315F1081AAE919E7361DB309941CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09523D7F, Relevance: .1, Instructions: 68COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 508569a25a10dae4b805e76f7a316319bbd4367214b3d9a69d34d704986e9d90
                                                                                • Instruction ID: 908acd8d2b075ef3a064f464bf89043a946c602800326f06a84aad4f0c2e90ab
                                                                                • Opcode Fuzzy Hash: 508569a25a10dae4b805e76f7a316319bbd4367214b3d9a69d34d704986e9d90
                                                                                • Instruction Fuzzy Hash: D321AF74E08219DFCB10CFAAD5855EDBBF1BF49790F14986AE816F7240E73899418F14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 095278D8, Relevance: .1, Instructions: 64COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: aa0529fd3b97eb210c1e76429db107c13ba5570912437d0289809aedb2879edc
                                                                                • Instruction ID: ad8cf02b6e8c1f84b8a8175b59c2b25eee20f713e1171f46069d2cb6746410ed
                                                                                • Opcode Fuzzy Hash: aa0529fd3b97eb210c1e76429db107c13ba5570912437d0289809aedb2879edc
                                                                                • Instruction Fuzzy Hash: 5C112231A04725DFC714DF2AD44875DBBA2FB8A720F05846AE80ACB390DB30E941CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0132D006, Relevance: .1, Instructions: 63COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670282970.000000000132D000.00000040.00000001.sdmp, Offset: 0132D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 206a8b8ffcb7d3223662346cfe752bd7d3327d2c8dbf04c62d83757e20409654
                                                                                • Instruction ID: f99cc2b52b378d720a9aceccafba1dd8988d1b4f06269bbcdc4a9162d89d60be
                                                                                • Opcode Fuzzy Hash: 206a8b8ffcb7d3223662346cfe752bd7d3327d2c8dbf04c62d83757e20409654
                                                                                • Instruction Fuzzy Hash: 2E2180754083809FCB03DF24D994B11BF71EB46214F28C5DAD8458F267C33A9856CB62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09524431, Relevance: .1, Instructions: 58COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a686e862f262724afe99e9cf711067c04cb82e6436f8be6e766fe0302bc46f7f
                                                                                • Instruction ID: 4f06cfc5fa626bf6a88e57c0502be6d9938cd1fa860d339b29ecf12cbbdb78ed
                                                                                • Opcode Fuzzy Hash: a686e862f262724afe99e9cf711067c04cb82e6436f8be6e766fe0302bc46f7f
                                                                                • Instruction Fuzzy Hash: 53111974E0421ACBCB10DFA5C4849AEBBF5BB4A344F11C865D829EB3A4E735E841CF50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0131D3E7, Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670264459.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7f2d7abb4ea573dc4272d1d1297febae5df7ea2cbaac5dfea36eff2362cb1c82
                                                                                • Instruction ID: aaadc3757e650bab451fda561a571aeeb8613f547c63d71e027bde56f0acb3c2
                                                                                • Opcode Fuzzy Hash: 7f2d7abb4ea573dc4272d1d1297febae5df7ea2cbaac5dfea36eff2362cb1c82
                                                                                • Instruction Fuzzy Hash: F8110676444240CFCB06CF44D5C4B56BF71FB85324F24C5A9D8090B61BC73AD456CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0131D4D3, Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670264459.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7f2d7abb4ea573dc4272d1d1297febae5df7ea2cbaac5dfea36eff2362cb1c82
                                                                                • Instruction ID: d9e2a756bb00c0343d9122455ea5571e0664bc75cd3c4abdeaf9a715b1ddd7e2
                                                                                • Opcode Fuzzy Hash: 7f2d7abb4ea573dc4272d1d1297febae5df7ea2cbaac5dfea36eff2362cb1c82
                                                                                • Instruction Fuzzy Hash: E411D376404280CFCB16CF54D5C4B16BF71FB85328F2886AAD8050B61BC33AD456CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 095238A0, Relevance: .1, Instructions: 55COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3d24308dd3bea92da26d8c4e0af8870491adb69a4b75c94a1ffb2518eb0d759c
                                                                                • Instruction ID: 4027d562065b6edf9bb9809eee0619e6ba51ce6b84f5ca9c9a5c6b7755e330dc
                                                                                • Opcode Fuzzy Hash: 3d24308dd3bea92da26d8c4e0af8870491adb69a4b75c94a1ffb2518eb0d759c
                                                                                • Instruction Fuzzy Hash: 69111374D0521ADBCB00DFA5E8849EEBBB1FB4A344F105865E512B7364DB342A59CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0132D1CF, Relevance: .1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670282970.000000000132D000.00000040.00000001.sdmp, Offset: 0132D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 91e860cb5a7871082774ffe63bb4ce02d758a3c26150911dda51d41a7e1a49a4
                                                                                • Instruction ID: 1ca23a55d2a97c5ae3045d4f9f251b1688b9d32701ccaac610e8a5c72934f47b
                                                                                • Opcode Fuzzy Hash: 91e860cb5a7871082774ffe63bb4ce02d758a3c26150911dda51d41a7e1a49a4
                                                                                • Instruction Fuzzy Hash: B311B875904280DFDB02DF54D5C4B15BBB1FB86228F28C6AAD8494B656C33AD84ACB62
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952F238, Relevance: .0, Instructions: 49COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: cfedd0ff6dbb6fecaee3b88e5261b727dd82e6732cab069db03123d032a48f8c
                                                                                • Instruction ID: 037710609f8095a2785d37225cc39c6a4987ba041c9c921ec6994151e24d970d
                                                                                • Opcode Fuzzy Hash: cfedd0ff6dbb6fecaee3b88e5261b727dd82e6732cab069db03123d032a48f8c
                                                                                • Instruction Fuzzy Hash: 17113A74D0425A8FCB01DFA9D5556EEBFF5BF49300F5480AAE944E7291D7389A40CBB0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0131D7E9, Relevance: .0, Instructions: 45COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670264459.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1b9837a65a9791c934fb5397db8ce316669da0c864478aab042f253a83e35089
                                                                                • Instruction ID: ad1c29fac251db374bfd11ba9bca5d49d76e607c3472e21ab5a82ef377e76d70
                                                                                • Opcode Fuzzy Hash: 1b9837a65a9791c934fb5397db8ce316669da0c864478aab042f253a83e35089
                                                                                • Instruction Fuzzy Hash: 8D01DB71408344AAE7195E56DC88766BF9CEF4763CF08C45AED0C1B68AC779D844C6B1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952F248, Relevance: .0, Instructions: 44COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1fd459448736145acde66b6f8f66811e7c01bb70964df982e392bc5e4aca589f
                                                                                • Instruction ID: 25de227551cc5096cef3cfe5e78c536242b60f8bbf86e62e0ea9b7f1eaf8a39e
                                                                                • Opcode Fuzzy Hash: 1fd459448736145acde66b6f8f66811e7c01bb70964df982e392bc5e4aca589f
                                                                                • Instruction Fuzzy Hash: 84113974D0015A8FCB00DFA9D841AEEBFF5BF49300F108166E954E7280D738AA40CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952DCB8, Relevance: .0, Instructions: 42COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f2792979f687d1d80a76fc6cd4e003828c3a1c84e5b7694daacd884f4fc461aa
                                                                                • Instruction ID: 505fe4be5b8aef92eef9c2391274e1f1de7f7acf286c465c8fc743eb9bb1eff4
                                                                                • Opcode Fuzzy Hash: f2792979f687d1d80a76fc6cd4e003828c3a1c84e5b7694daacd884f4fc461aa
                                                                                • Instruction Fuzzy Hash: 9E01D634E00208AFDB44EFA9D595A9DBFF1FF49210F06C1A9E908EB365DA759941CF10
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952A768, Relevance: .0, Instructions: 37COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c87724c524037c272b2ee4020e581ac012653312c72309002bdb489b3f0aed59
                                                                                • Instruction ID: 1894ada1b255f2b066b213138db0b850e21ba9b3f072247c5db285a374d33381
                                                                                • Opcode Fuzzy Hash: c87724c524037c272b2ee4020e581ac012653312c72309002bdb489b3f0aed59
                                                                                • Instruction Fuzzy Hash: 53F0C230E25208DFD708DFB5D68925DBFF6FB8A301F24C4A5D90AD3284EB349A40DA45
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0131D7E8, Relevance: .0, Instructions: 36COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670264459.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 195eb37caf28438342aecb411356c3361718b70aa12fee564cb0e246f365566a
                                                                                • Instruction ID: 142530f62abdd5af63de91b24722f078ebfe50e05bc97adbe82c823b2cbaac13
                                                                                • Opcode Fuzzy Hash: 195eb37caf28438342aecb411356c3361718b70aa12fee564cb0e246f365566a
                                                                                • Instruction Fuzzy Hash: A6F09C714043449EEB158E16DCC4762FF98EF82734F18C45AED0C5F286C3799844CAB1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952DCC8, Relevance: .0, Instructions: 34COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fdd5db5efd494a7d82ff85ef266649ecd42cfa6271c2c846b0eda208b497a73f
                                                                                • Instruction ID: 0d91c8f9786ccc725bdf3213bbf69ebf5108c2716bf594c3056a4737693fcaa4
                                                                                • Opcode Fuzzy Hash: fdd5db5efd494a7d82ff85ef266649ecd42cfa6271c2c846b0eda208b497a73f
                                                                                • Instruction Fuzzy Hash: 8401B274A00208AFDB04DFA9D589A9DBFF2FF48200F05C0A5E908AB365EA34A941CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952CD60, Relevance: .0, Instructions: 32COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 80a232c731ea3587a2ea03fb8208fb45ebbfc1bd49f074e65aeae8423ce894a7
                                                                                • Instruction ID: c4848134fb9372d27f8e111228c7ecaa537e62faa0745459cc2b019988b6fa69
                                                                                • Opcode Fuzzy Hash: 80a232c731ea3587a2ea03fb8208fb45ebbfc1bd49f074e65aeae8423ce894a7
                                                                                • Instruction Fuzzy Hash: 01112B78A01368DFCB65CF64C980B9DBBB2BB49300F1050E9E849A7360DB35AE80CF01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952410F, Relevance: .0, Instructions: 28COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f7a324e0415b4dff9146ecb57ef4156417c1ec86b66491d892d180470bca51bd
                                                                                • Instruction ID: c2b312eefef3ddec6a105e21e4c132e15c13fb3f27a0ad8d57b1dd86daa9eae6
                                                                                • Opcode Fuzzy Hash: f7a324e0415b4dff9146ecb57ef4156417c1ec86b66491d892d180470bca51bd
                                                                                • Instruction Fuzzy Hash: B6F03AB4A0D3959FCB468FB98845488BFB0FF07360B0505AAD492DB6A2E6385E46CB11
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952AABD, Relevance: .0, Instructions: 22COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5601b8234618095cbf6459251063d62afcdfcb7830c9ef0a75f8616888fc2b0d
                                                                                • Instruction ID: e69b3b4f27cbaaac04d8e1dc65441e1b3881017e210a473efbb61e7d84a4fc36
                                                                                • Opcode Fuzzy Hash: 5601b8234618095cbf6459251063d62afcdfcb7830c9ef0a75f8616888fc2b0d
                                                                                • Instruction Fuzzy Hash: 53F0F870D0926CCFDB64DBA9C84078DBBB2BB95210F1086D6C428E7394E7305A85CF51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09524048, Relevance: .0, Instructions: 21COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ef199de29d57851f9bb447ca8b6fcb4674817e02e3ccf1c32962da8387fcf73e
                                                                                • Instruction ID: 4d65cbd62df0b5b8f89ddb3133264111b410a33ba0d8f32dc570518e2779470f
                                                                                • Opcode Fuzzy Hash: ef199de29d57851f9bb447ca8b6fcb4674817e02e3ccf1c32962da8387fcf73e
                                                                                • Instruction Fuzzy Hash: 35E04F30901208AFC714EF68E4459ADBF75FB46311F108169EC4427290DB305A54DA44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952AA86, Relevance: .0, Instructions: 21COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5c6e58aa74a626f973961d97166408bf6aacd85d022aaa18327026b9bb3b6770
                                                                                • Instruction ID: 1daffa408b07887ca333c9e406b3eb8ba2ca506ba02d74fff3031a12a72db0c4
                                                                                • Opcode Fuzzy Hash: 5c6e58aa74a626f973961d97166408bf6aacd85d022aaa18327026b9bb3b6770
                                                                                • Instruction Fuzzy Hash: FCF08230D097298BCB54CBAAC880A88FBF1FB89200F14999AC40AE7291E3314580CF14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952B29D, Relevance: .0, Instructions: 19COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0b4ebfa8028519535ba97356d826727b5eef05e78d1a3cc4374f319982b4354a
                                                                                • Instruction ID: ce2f77be9a9f2654d6f7bc8dde95979a5fca6fa4403b62d2475f53bf66949f17
                                                                                • Opcode Fuzzy Hash: 0b4ebfa8028519535ba97356d826727b5eef05e78d1a3cc4374f319982b4354a
                                                                                • Instruction Fuzzy Hash: 3AE06D30E06129CFEB04DBA9D840F8DBBB2FF85300F1085AAD109E7254D7344D418F21
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 095281D8, Relevance: .0, Instructions: 18COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 171495f4fa34601d967ff241fb17933b0d0fd51c1cc87ee0e7c5c7474816fef0
                                                                                • Instruction ID: adccc212f9814b5dad10ff0ec00cac35e4d625c1876edf1c7f2fa2ad5692196c
                                                                                • Opcode Fuzzy Hash: 171495f4fa34601d967ff241fb17933b0d0fd51c1cc87ee0e7c5c7474816fef0
                                                                                • Instruction Fuzzy Hash: F3D02B7107534D0FD3C5B728B80041E3B7ADBC25147404831D4188B32BEF240D2947D6
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09529F1D, Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 817731ca063ba45252d6ac5f46a9ee2ad4fa2b3b9ae485f887b804206f63dd2e
                                                                                • Instruction ID: 29304106ea914a373d9283d5fe020085408688d233278d0259b8036d4dceb503
                                                                                • Opcode Fuzzy Hash: 817731ca063ba45252d6ac5f46a9ee2ad4fa2b3b9ae485f887b804206f63dd2e
                                                                                • Instruction Fuzzy Hash: D7D0673AB100089FCB149F98EC408DDB776FB98225B458116EA15A7265C631A961DB60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09524156, Relevance: .0, Instructions: 15COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8ed5af915183945ee83f45ca35918719f64853ffd8077d0e500bf8304ffda835
                                                                                • Instruction ID: 87d9a277b017a06a70c573ead36bf1156d7586bfb17500adcb8f5f0ce0d32173
                                                                                • Opcode Fuzzy Hash: 8ed5af915183945ee83f45ca35918719f64853ffd8077d0e500bf8304ffda835
                                                                                • Instruction Fuzzy Hash: 2DE017789083A8CFCB45CFA1D48189D7FF1FB16340F110455D84AAB390DA346C42CF00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952A955, Relevance: .0, Instructions: 15COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9891b1b91490f4865a89f7ca8e892c6cfb945e17fce043f802d203f41e058eb1
                                                                                • Instruction ID: 4779e9ad9cd3d93652b8b63c99097c4ad3722df1b4c4b15951f36a250a707e40
                                                                                • Opcode Fuzzy Hash: 9891b1b91490f4865a89f7ca8e892c6cfb945e17fce043f802d203f41e058eb1
                                                                                • Instruction Fuzzy Hash: 93E0E5309121189FEB94DF64CC91A8CB7B2BF48204F4086D5C109A32A4DB301A898F14
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 095281E8, Relevance: .0, Instructions: 12COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 47cd948972fe1c254f098c8101b559e7bd6fb21923859ddcb3a172716c38e4c6
                                                                                • Instruction ID: 60ca7568d34bbe68902be5e459e70857cd9e444163e0daccf3d676567c032d49
                                                                                • Opcode Fuzzy Hash: 47cd948972fe1c254f098c8101b559e7bd6fb21923859ddcb3a172716c38e4c6
                                                                                • Instruction Fuzzy Hash: 24C012751716094AC288BB69E441459377BEBC0509340883090150B62CDF7859294BDA
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952C9B3, Relevance: .0, Instructions: 11COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9628ec88f2e661747f5fa13df6beda22df5ac26dd3c1bb1a7a47886c86c85bfd
                                                                                • Instruction ID: 29e1412560b6fd7bc9c700bcdebe19287ca63329bf79e61cd2227600978a4f09
                                                                                • Opcode Fuzzy Hash: 9628ec88f2e661747f5fa13df6beda22df5ac26dd3c1bb1a7a47886c86c85bfd
                                                                                • Instruction Fuzzy Hash: 8DD04278900258CFCB15CF94C9849ADBBB2BB49306F2045D5E905A7350C731AE81CE01
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952D19C, Relevance: .0, Instructions: 10COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 210ad732fb8fd4ed3bde6b4a14b921c8d69ae8edd16d8f3717816bca2cfd54a2
                                                                                • Instruction ID: 02525376d5513c45563c8661f92cce6f2a778d5221532654a62c0524c8af9933
                                                                                • Opcode Fuzzy Hash: 210ad732fb8fd4ed3bde6b4a14b921c8d69ae8edd16d8f3717816bca2cfd54a2
                                                                                • Instruction Fuzzy Hash: 55D0C970601395CFC749CFA5E680488BFB2FB89311B6054A9D80A9B2A5D734EA40CE00
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 095242D6, Relevance: .0, Instructions: 4COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 50bd9c7cae13fce5679a3e9c4f0a0c3863d3e5201dec03d2a6e94eab91b6190b
                                                                                • Instruction ID: 782694ecef14abbfd2fa5a109958e0af77d143e2c4130b9b2162745467d144c7
                                                                                • Opcode Fuzzy Hash: 50bd9c7cae13fce5679a3e9c4f0a0c3863d3e5201dec03d2a6e94eab91b6190b
                                                                                • Instruction Fuzzy Hash: 32A0026295E02596CE089E61C8614FC7A39BB5A688F011854E006611B2CA1D1800C510
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Function 07A45078, Relevance: 2.7, Strings: 2, Instructions: 246COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: '=1}$JHa
                                                                                • API String ID: 0-2303021935
                                                                                • Opcode ID: 04e37b13aeca8d4387d3325c5aadfa4e4cec0ed86c4a320f27e71c6511111d43
                                                                                • Instruction ID: c98f97f4370db5117e09f428c69a78ff9d50ca1f52a1c07b061f58c8ca874b44
                                                                                • Opcode Fuzzy Hash: 04e37b13aeca8d4387d3325c5aadfa4e4cec0ed86c4a320f27e71c6511111d43
                                                                                • Instruction Fuzzy Hash: 7CA105B4E052198FCB48DFAAC58459EFBF2BF89310F24C12AD415AB358E7359942CF64
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A45068, Relevance: 2.7, Strings: 2, Instructions: 245COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: '=1}$JHa
                                                                                • API String ID: 0-2303021935
                                                                                • Opcode ID: f0bf56691c7c0df4ea9093fb6da6c67eddcc3a0a71d06187f0337f904f613098
                                                                                • Instruction ID: 3d65ea5aa34cba8798c4909b5d32cbf13ac0f086b3aa3339213f1bad1d226bf2
                                                                                • Opcode Fuzzy Hash: f0bf56691c7c0df4ea9093fb6da6c67eddcc3a0a71d06187f0337f904f613098
                                                                                • Instruction Fuzzy Hash: B6A125B4E052198FCB08CFA9C58459EFBF2BF89310F24C12AD415AB359E7359942CFA4
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A45510, Relevance: 2.7, Strings: 2, Instructions: 168COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Hy{W$Hy{W
                                                                                • API String ID: 0-3351072055
                                                                                • Opcode ID: 57fa994b1d2da5bed64af0192fb010ae6388da42e60b44ba1249144f9ade1f63
                                                                                • Instruction ID: 6676146d0aeea5e3196bf412acfb8879feebbaf139cb20e7fdc61259836ff943
                                                                                • Opcode Fuzzy Hash: 57fa994b1d2da5bed64af0192fb010ae6388da42e60b44ba1249144f9ade1f63
                                                                                • Instruction Fuzzy Hash: 1F6159B0E1524A9FCB04CFA9C4416AEFBF2BF89310F14D426E564AB354D7349A51CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A45520, Relevance: 2.7, Strings: 2, Instructions: 166COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: Hy{W$Hy{W
                                                                                • API String ID: 0-3351072055
                                                                                • Opcode ID: 6c08ead2fa48092959926c04c9316950584b198bde6452d57e892b684ea6f7c4
                                                                                • Instruction ID: 3293703140d34ac3478da0c4647a8d7a9063099b09e92cb71dec714c432f9d6f
                                                                                • Opcode Fuzzy Hash: 6c08ead2fa48092959926c04c9316950584b198bde6452d57e892b684ea6f7c4
                                                                                • Instruction Fuzzy Hash: 606139B0E1520A9FCB04CFA9C4416AEFBF2BF89310F15D42AE524AB354D7359A51CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952C0A0, Relevance: 1.4, Strings: 1, Instructions: 171COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: H
                                                                                • API String ID: 0-752142702
                                                                                • Opcode ID: f9dabcc05f4eb6b091c5f5bc9ec8aaf723aba8a23f8d0bb3a04d787ef118ec2c
                                                                                • Instruction ID: 61f07946f469cecaabf79c696b2237bf1a40114661c13ca1b2b34f3487de12ea
                                                                                • Opcode Fuzzy Hash: f9dabcc05f4eb6b091c5f5bc9ec8aaf723aba8a23f8d0bb3a04d787ef118ec2c
                                                                                • Instruction Fuzzy Hash: 90712474E0121ADFCB04CF9AD4819AEFBB2FB8A350F11C569E445EB255D734AA81CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952C098, Relevance: 1.4, Strings: 1, Instructions: 164COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: H
                                                                                • API String ID: 0-752142702
                                                                                • Opcode ID: 5c98e5f5ed4515f9ff5cec52578e19825d26cb0c5a6af17af8a4954589d4c069
                                                                                • Instruction ID: 597db957331bee0cd79f2d290fb83c9a0d3075a5a5910092b0e7de40bf4f13e5
                                                                                • Opcode Fuzzy Hash: 5c98e5f5ed4515f9ff5cec52578e19825d26cb0c5a6af17af8a4954589d4c069
                                                                                • Instruction Fuzzy Hash: 91611574E0121ADFCB04CFAAD4819AEFBB2FB8A350F11C56AE445E7255D7349A81CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952F868, Relevance: 1.4, Strings: 1, Instructions: 161COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: "Dcx
                                                                                • API String ID: 0-1289903327
                                                                                • Opcode ID: 962740cc3dfbdfe53a49042a3f86b2e4517ca1e35f316e063708d5602c17030e
                                                                                • Instruction ID: 4228ef5603075cef5d621252721c41ee64f48a70e105d6cc6f7ad3b44b1aae6a
                                                                                • Opcode Fuzzy Hash: 962740cc3dfbdfe53a49042a3f86b2e4517ca1e35f316e063708d5602c17030e
                                                                                • Instruction Fuzzy Hash: 2161F274E05219CFCB08CFAAD6845EEFBF2BF89300F24942AD815F7294D7349A418B65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952F858, Relevance: 1.4, Strings: 1, Instructions: 160COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: "Dcx
                                                                                • API String ID: 0-1289903327
                                                                                • Opcode ID: b611bf29002c9801209da0287b94de423dcba3377bd5ab741145b287aedbc955
                                                                                • Instruction ID: 59f2446ba22cd4676c074597e5519fd4281c9ad3bb336b3fb47bb689a4b40302
                                                                                • Opcode Fuzzy Hash: b611bf29002c9801209da0287b94de423dcba3377bd5ab741145b287aedbc955
                                                                                • Instruction Fuzzy Hash: 4561E274E05219CFCB08CFAAD6815EEFBF2BF89310F24942AD805F7294D7349A418B65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952FAC0, Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ?yQ
                                                                                • API String ID: 0-2221724807
                                                                                • Opcode ID: 133a480983486328e8b62deb0e9d52b65d7f51403287901626503c9b77240815
                                                                                • Instruction ID: 8e2736deedc0fd02add18434249e4c47390a0ee742f3f6e943b1d0391ff3a5b9
                                                                                • Opcode Fuzzy Hash: 133a480983486328e8b62deb0e9d52b65d7f51403287901626503c9b77240815
                                                                                • Instruction Fuzzy Hash: 8341D3B0E0521A9BCB08CFAAD5815AEFBF2BF89300F24C56AC915F7244D7345A41CF95
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952FAB1, Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: ?yQ
                                                                                • API String ID: 0-2221724807
                                                                                • Opcode ID: 0895e0679f4722ab4ab38b346cec78539ee1df72ad5d07d1a28fae830158c898
                                                                                • Instruction ID: d16119b51663e717d1c3fc53b9da02641a3748798018737dda359c11c8c61c4a
                                                                                • Opcode Fuzzy Hash: 0895e0679f4722ab4ab38b346cec78539ee1df72ad5d07d1a28fae830158c898
                                                                                • Instruction Fuzzy Hash: 06410470E0520A8BCB04CFAAD5815EEFBF2FF89310F24C56AC915B7254D7345A42CB95
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A457D8, Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 5<G
                                                                                • API String ID: 0-2020183743
                                                                                • Opcode ID: 669dd5ff34029c51f2b7ebe53288e30f4c3d4149796ebbae24eb1dd57fe2e421
                                                                                • Instruction ID: 32002393f95f4d9ad0a481fe8a68e7f2c914f82ec105a1dc97e1352eade3c804
                                                                                • Opcode Fuzzy Hash: 669dd5ff34029c51f2b7ebe53288e30f4c3d4149796ebbae24eb1dd57fe2e421
                                                                                • Instruction Fuzzy Hash: 84316DB1E112198BDF18CFAAD88169EFBF2FFC8200F14C16AE518A7254DB315A418F61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A457C8, Relevance: 1.3, Strings: 1, Instructions: 79COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: 5<G
                                                                                • API String ID: 0-2020183743
                                                                                • Opcode ID: f6f70edca6c87f04041ad97db66d5f9278c190bcef26e47603c8e7ea0ae53417
                                                                                • Instruction ID: b971cab54e3d809ca348cb7ba49c82f6ae3792476199394a3a0da014c2081834
                                                                                • Opcode Fuzzy Hash: f6f70edca6c87f04041ad97db66d5f9278c190bcef26e47603c8e7ea0ae53417
                                                                                • Instruction Fuzzy Hash: F1312DB1E112198BDB18CFAAD98169EFBF3BFC9200F14C16AD418A7354DB345A458F61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 095291A0, Relevance: .9, Instructions: 909COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5c842e4a0be66127d3442eb7ff467cff3d97b7df1aacf8ddae664ccb2384ec05
                                                                                • Instruction ID: 89b053a6f6b5154cb42a8ef4d14985da36d4805c181c2b9641f2559502a21ca4
                                                                                • Opcode Fuzzy Hash: 5c842e4a0be66127d3442eb7ff467cff3d97b7df1aacf8ddae664ccb2384ec05
                                                                                • Instruction Fuzzy Hash: FF823C31A042159FCB14DF69C6A4AAEBBF2FF8A314F158569E405EB3A1D730ED41CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014FC2B0, Relevance: .5, Instructions: 520COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 321e0d079d26c64418e24ed28fb934a864e73479d292ec1d78808cc7885511e7
                                                                                • Instruction ID: 04414c9f91b4576e54b4f4288f45453abd4a4f2efeecbffde89f3b839ac2cf1c
                                                                                • Opcode Fuzzy Hash: 321e0d079d26c64418e24ed28fb934a864e73479d292ec1d78808cc7885511e7
                                                                                • Instruction Fuzzy Hash: B3527CB25607068FD322CF14E4C85993BB1FB82319F924219D2725F6E9E3B8654EEF44
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 014F9990, Relevance: .3, Instructions: 265COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.670432742.00000000014F0000.00000040.00000001.sdmp, Offset: 014F0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9ac4967aa212ced8b31b6686dfaa73b496e19ea5bf7eef20e01a57eeb54edc94
                                                                                • Instruction ID: 090ff2842d47918447e48b211fd994f572e78b9b5b828ad394fcf7498c6a9e0e
                                                                                • Opcode Fuzzy Hash: 9ac4967aa212ced8b31b6686dfaa73b496e19ea5bf7eef20e01a57eeb54edc94
                                                                                • Instruction Fuzzy Hash: 63A16136E0061A8FCF15DFA5C8445DEBBB2FF85304B15856EEA05BB361EB31A945CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 09523250, Relevance: .2, Instructions: 196COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0051b28d628d50cf9356bcec78c26101a0f321f8e0f6d1b3164b611798e66219
                                                                                • Instruction ID: bf87d5d672ef965bd31c4612f28b8cbdace75b06d793f71001249013299183c7
                                                                                • Opcode Fuzzy Hash: 0051b28d628d50cf9356bcec78c26101a0f321f8e0f6d1b3164b611798e66219
                                                                                • Instruction Fuzzy Hash: 9B710931A006628FCF19CF26C48466ABB72BF82B04F66C1A8D955DB295DB35FC42C7D1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A40B2B, Relevance: .2, Instructions: 192COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8e61b67afb570d6c523a638eae9cfe53ef82d1aa1105f8dbf535ceefbb1fa243
                                                                                • Instruction ID: 9b63142f47b0f9acb927d05e0530e836f8cb15198849808b358f3c9b41983a44
                                                                                • Opcode Fuzzy Hash: 8e61b67afb570d6c523a638eae9cfe53ef82d1aa1105f8dbf535ceefbb1fa243
                                                                                • Instruction Fuzzy Hash: 23611E72D056188FEB19DF669C842DAFFF3BFD9310F14C1AAC94896225DB301A468F41
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A440F8, Relevance: .2, Instructions: 165COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ab5da67a9ebc4738f5c1f2dd46aa7809d5730bbfdf0386f7e4b9aa6705248cc4
                                                                                • Instruction ID: 71daa05747559f90555b8004f3ec4283fef09a496061b46a4ab78771e1ccbbff
                                                                                • Opcode Fuzzy Hash: ab5da67a9ebc4738f5c1f2dd46aa7809d5730bbfdf0386f7e4b9aa6705248cc4
                                                                                • Instruction Fuzzy Hash: 62511EB1E052598FEB15CF69CC807DEFBB2BFC9210F1481A6D458AB216DB305942CF91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952E231, Relevance: .1, Instructions: 115COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9b9e4ac055d2e2c1af9558fb18c01caef50437ee7f744aaf366cc9c6b3ea9d77
                                                                                • Instruction ID: b1c8021227552351bf43c54c3ac49635f2b6faf4636adbe3e7040da654cba9bf
                                                                                • Opcode Fuzzy Hash: 9b9e4ac055d2e2c1af9558fb18c01caef50437ee7f744aaf366cc9c6b3ea9d77
                                                                                • Instruction Fuzzy Hash: E6414A70D0411ADBCB04CFEAC58259EFBB2BF86340F25D9A9C402EB298D7349A45CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A40BD8, Relevance: .1, Instructions: 114COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a042c72ee21568ff3f2b60be7a4ec80c9537d4ee769c3eedfb1d7a9c92a594fc
                                                                                • Instruction ID: 7b7ebc295088d4d5f3a12f4693088095086bc5450b00a8a4f58120fec9b8b63e
                                                                                • Opcode Fuzzy Hash: a042c72ee21568ff3f2b60be7a4ec80c9537d4ee769c3eedfb1d7a9c92a594fc
                                                                                • Instruction Fuzzy Hash: A7514CB1E156188BEB58CF6BCD4579AFBF3BFC9300F14C1BA990CA6254DB3419858E11
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952E240, Relevance: .1, Instructions: 113COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 826d019bcf03b75e521713959402f98f3af04431429baf749b7b07a1dd0c4567
                                                                                • Instruction ID: 7904153f27eec87fbfc5ba70c038726839163dfebb61567377135c2967127187
                                                                                • Opcode Fuzzy Hash: 826d019bcf03b75e521713959402f98f3af04431429baf749b7b07a1dd0c4567
                                                                                • Instruction Fuzzy Hash: 49415C70D0411ADFCB04CFEAC5825AEFBB2BF86340F24D969C406EB298D734AA458F54
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952F630, Relevance: .1, Instructions: 113COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a49cdf6c42310138da942c9876dac87d000e11b1d9c6d87809e146221bdd3e6f
                                                                                • Instruction ID: cdb340d2dc42ab0ee9da189b6071c0c40e29b078abccb562a0919a0ae84dc049
                                                                                • Opcode Fuzzy Hash: a49cdf6c42310138da942c9876dac87d000e11b1d9c6d87809e146221bdd3e6f
                                                                                • Instruction Fuzzy Hash: 8841E870D0421A9FDB08CFAAD5815AEFBF2FF89340F24D42AC915E7264E33496528F94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952F621, Relevance: .1, Instructions: 112COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1b66f39bf07e7349e0ebe5550b63ec62487082de371a481fc2f2bfdde18a6fc0
                                                                                • Instruction ID: 60b196ceb334848f1244184f3e9f49d4e398484b8c10db897321981da09df3a3
                                                                                • Opcode Fuzzy Hash: 1b66f39bf07e7349e0ebe5550b63ec62487082de371a481fc2f2bfdde18a6fc0
                                                                                • Instruction Fuzzy Hash: 6D411B70D0421A9FCB04CFA6E5805AEFBF2FF99350F24D46AC915E7265E33496428F94
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A4DCA0, Relevance: .1, Instructions: 90COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 05e94b7044b22eb929c8e5e802f2ec6f9a72b4db0ab7139cbbcde5fafca1919b
                                                                                • Instruction ID: d049c59e1585f998a808851aa9a78df88a8bf8a3e0e56a02264a8e5098d0132b
                                                                                • Opcode Fuzzy Hash: 05e94b7044b22eb929c8e5e802f2ec6f9a72b4db0ab7139cbbcde5fafca1919b
                                                                                • Instruction Fuzzy Hash: E43101B1A06208CFCB15CF65D504BEDBBF1BF8A310F14C06AD515B7261C7358988CB65
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A40007, Relevance: .1, Instructions: 88COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7f4425e28bd5749ab0c7d32d72687c2f48ceb1471e6d0243c9e910d1bc46fe28
                                                                                • Instruction ID: c49b68c17b5b3888a808583962a9d5a65326e5ec799af8542a441ded1387fa5f
                                                                                • Opcode Fuzzy Hash: 7f4425e28bd5749ab0c7d32d72687c2f48ceb1471e6d0243c9e910d1bc46fe28
                                                                                • Instruction Fuzzy Hash: 40311EB1D057588FE74ACF6AC85069EBBF3AFC9200F05C1EAD548AB255D7340A458F51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A40040, Relevance: .1, Instructions: 72COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 830c8bfa0f8df52f03ba94206db4ddab0ffb0740a95a5afcd33313bd6c24a52e
                                                                                • Instruction ID: 68e37678cd8bef336563ecb43095e93c7f6bf1a8c46c8f6c177ca316013dedad
                                                                                • Opcode Fuzzy Hash: 830c8bfa0f8df52f03ba94206db4ddab0ffb0740a95a5afcd33313bd6c24a52e
                                                                                • Instruction Fuzzy Hash: B721D1B1E056189BEB18CFABD84079EFBF7AFC8200F14C1BAD508A7254DB3409458F51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952A800, Relevance: .1, Instructions: 59COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a0a238a2143ac9633516a517ef971489dfe4d82d58cf3151367123a71ca93054
                                                                                • Instruction ID: 7d3f2157b6babd2d385aada332f733e16f18ac048a3e4fd004d7c6d0b11273f0
                                                                                • Opcode Fuzzy Hash: a0a238a2143ac9633516a517ef971489dfe4d82d58cf3151367123a71ca93054
                                                                                • Instruction Fuzzy Hash: F411DA71E006189BEB18CFABD84069EFBF7BFC9200F14C17AC918A6258EB3415458E51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A47068, Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 338b58d4f13a896e4170bd6fc74c8afe840c0e535ff09a7c766a6444c8d69b99
                                                                                • Instruction ID: 6dd80b12aaafa5fc609f031f30871adabb086ae1c709c62a812527e2278dede2
                                                                                • Opcode Fuzzy Hash: 338b58d4f13a896e4170bd6fc74c8afe840c0e535ff09a7c766a6444c8d69b99
                                                                                • Instruction Fuzzy Hash: 99115BB1E112599BDB19CF6BD9406EEFBF3AFC9200F24C07AD408A6254DB340A458B51
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A4CFA0, Relevance: .1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a12d500f53a3c6699b0cb513eb3442cfdda53dc79c2de684024f7dad37752210
                                                                                • Instruction ID: ef28d2658e677a232c29690f50d9b6ccca2061b89d236ce66011e5f700b36fac
                                                                                • Opcode Fuzzy Hash: a12d500f53a3c6699b0cb513eb3442cfdda53dc79c2de684024f7dad37752210
                                                                                • Instruction Fuzzy Hash: 83117CB1E052198BDB14CFA9C418BEEBAF0BB8E310F14906AD525B3290D77A4944CB78
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A4DB60, Relevance: .1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5ce5cc2ac838a355533fe6973e3810d3b7ac65a136968e97f095227505da9c59
                                                                                • Instruction ID: c16ff2dbe098254ac4b1c6b9a732b2cbbb647b33e7c455359b08fc8c82b7ee1c
                                                                                • Opcode Fuzzy Hash: 5ce5cc2ac838a355533fe6973e3810d3b7ac65a136968e97f095227505da9c59
                                                                                • Instruction Fuzzy Hash: F5117CB0E042189BDB15CFA5C404BEDBAF0BB8E311F149069D551B3290C7794944CF68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 07A4DAA0, Relevance: .1, Instructions: 53COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.686284326.0000000007A40000.00000040.00000001.sdmp, Offset: 07A40000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 54f9c2245fbf3c9d4801c07e3dd830f4559d639c9569f690582760a22c4aff41
                                                                                • Instruction ID: c7b7a24dcf8abf5d9b7c22486f77c9e573920755141b1e0cbff9aec57c17dd69
                                                                                • Opcode Fuzzy Hash: 54f9c2245fbf3c9d4801c07e3dd830f4559d639c9569f690582760a22c4aff41
                                                                                • Instruction Fuzzy Hash: 6B117CB1E052198BDB14CFA9C408BEDFAF0BB8E310F149069D521B3290C7794944CF68
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0952B6F0, Relevance: 8.9, Strings: 7, Instructions: 196COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.687270506.0000000009520000.00000040.00000001.sdmp, Offset: 09520000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: pH$pH$pH$pH$pH$pH$pH
                                                                                • API String ID: 0-1218111654
                                                                                • Opcode ID: 353a6e4b300d0e78e8d3fb68eab1df051dbbb61740ac41864c20bfdc14b2c7e8
                                                                                • Instruction ID: 5825d4d8b7807db0bf89b3738abd44966abc0e8a88c4305b19a140df3564f5a6
                                                                                • Opcode Fuzzy Hash: 353a6e4b300d0e78e8d3fb68eab1df051dbbb61740ac41864c20bfdc14b2c7e8
                                                                                • Instruction Fuzzy Hash: EA91D674E1020A8BDB44EFA8C5809DDBBF2FF89314F208669D515AB354DB31AD46CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Analysis Process: MSBuild.exe PID: 1556 Parent PID: 968 MSBuild.exeCOMMON

                                                                                Executed Functions

                                                                                Function 00BE2148, Relevance: 1.6, Instructions: 1619COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 095f692aeb53e3f23ae83a385f9bf1c4f01164022096f7a8cb296568a15d5d6f
                                                                                • Instruction ID: 590d46c8393c2fdc2680d6c5d8bd34b638cfffafc515ac96d31e1a858ccf4dfc
                                                                                • Opcode Fuzzy Hash: 095f692aeb53e3f23ae83a385f9bf1c4f01164022096f7a8cb296568a15d5d6f
                                                                                • Instruction Fuzzy Hash: 0CE2AD31A10659ABE721EF20CC54BE9B376FF99304F528594E5083B395CFB06E85CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE2133, Relevance: 1.6, Instructions: 1598COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 476802911f1393b161d42ee1840a7a501c8b24a673d43b9b07599c58bd1c884e
                                                                                • Instruction ID: 9d5dbb8ba89bff0b2fc35d8a88f0c8311320901a6aaa90ca66e0b41f6c7ccea5
                                                                                • Opcode Fuzzy Hash: 476802911f1393b161d42ee1840a7a501c8b24a673d43b9b07599c58bd1c884e
                                                                                • Instruction Fuzzy Hash: 1EE2AC31A10659ABE721EF60CC44BE9B376FFA9304F528594E5083B395CFB06E85CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE4A20, Relevance: .6, Instructions: 605COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e681da17b3cffd5af1c79d70198053ab2a19f69245be9023397605d8c398c039
                                                                                • Instruction ID: 6f79ae16c876d3ca095e375dc79ce4ddcda36078b3abee118327c6c4e6f0b711
                                                                                • Opcode Fuzzy Hash: e681da17b3cffd5af1c79d70198053ab2a19f69245be9023397605d8c398c039
                                                                                • Instruction Fuzzy Hash: 58429D34600644DFCB14DF29C884AADBBF2FF89310F4684A9E41A9B661DB34ED45CF91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE5CF9, Relevance: .4, Instructions: 379COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: da1caa944049c1133acd3bc0d08f8f02c973f01ee948e32b064bd65a1e12a2b9
                                                                                • Instruction ID: 12e1ba0a6b5d9bb188a8be307e5e006ff6b06d51777c6a9022729daddfaa0465
                                                                                • Opcode Fuzzy Hash: da1caa944049c1133acd3bc0d08f8f02c973f01ee948e32b064bd65a1e12a2b9
                                                                                • Instruction Fuzzy Hash: DCE1CE307006518FDB34DF36C894B6AB7E2EF95348F1584ADD50A9B2A6DB39EC41CB80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE532C, Relevance: .4, Instructions: 439COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c237bd608ab980b22b019d3777524d25421a6cfe3a674e991f3439ef6ef45c78
                                                                                • Instruction ID: 5d6ba8abe1d1a20d755d7361801f0375a77f1618fd11337926b003525a00e3e3
                                                                                • Opcode Fuzzy Hash: c237bd608ab980b22b019d3777524d25421a6cfe3a674e991f3439ef6ef45c78
                                                                                • Instruction Fuzzy Hash: F521D470E086988FDB15EBB6C4516ED7BF2EB8A308F444468C001EB694DF349D05CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE0C68, Relevance: .2, Instructions: 218COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0a8e41c7bf5fdb1aea5a2ee9d18a1c22013690c5a9c4d5a7003b1a50f4e4a373
                                                                                • Instruction ID: e4c8413ed927481e4a47506dc4f2c462d3158c0d476ebcc5d2a3fda4505cf3e5
                                                                                • Opcode Fuzzy Hash: 0a8e41c7bf5fdb1aea5a2ee9d18a1c22013690c5a9c4d5a7003b1a50f4e4a373
                                                                                • Instruction Fuzzy Hash: E9916971E006489FCB15EBE5D8549EEBBFAFF88300F14852AE501A7268DB749D46CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE4358, Relevance: .2, Instructions: 203COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 911476951fe77acca5cf7f4a38450733f25bcf46278a3a17c8713d4f87304301
                                                                                • Instruction ID: c5ab8a31ac64cc6ffbe5fee2d45192e6c2145e673a643a8309dc63ce14808c3b
                                                                                • Opcode Fuzzy Hash: 911476951fe77acca5cf7f4a38450733f25bcf46278a3a17c8713d4f87304301
                                                                                • Instruction Fuzzy Hash: 1F81AB30A012499FDB14DF6AE884B9EBBF6FF94304F1185A9E0059B365DB74EC46CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE1EB0, Relevance: .2, Instructions: 202COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6e74aad754e9ebb46e9869a5be184fea8b72773e998beb76d1ab9f7a5b48a446
                                                                                • Instruction ID: 3e60c020902ce4aca6b72bf472d03d08f2073ccc2b9397311d2c0cd671d0a0f9
                                                                                • Opcode Fuzzy Hash: 6e74aad754e9ebb46e9869a5be184fea8b72773e998beb76d1ab9f7a5b48a446
                                                                                • Instruction Fuzzy Hash: 3271AD31B002489FDB14DB75C850BAEB7FAEF88300F258569E502E7295DB74DD42CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE13C8, Relevance: .2, Instructions: 159COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5042e86854b7a3e9005e172c83f63ab9d906c0e9c0bbf0f0591b702481e47dd6
                                                                                • Instruction ID: 6cceeddfa33de549a2cc74b9a01383bf892fb5c047883e8bb13918690515aed3
                                                                                • Opcode Fuzzy Hash: 5042e86854b7a3e9005e172c83f63ab9d906c0e9c0bbf0f0591b702481e47dd6
                                                                                • Instruction Fuzzy Hash: 2E51BE31E042989FDB04EB799815AEEBBF2EF85310F1484BAD519D7251EB344E06CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE3CF8, Relevance: .2, Instructions: 152COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 0ccb5a1a1b1ee1b50b4dcfad9ffd006b42d6bdf39f314305c8940a4b7d9212be
                                                                                • Instruction ID: 95f763c1a7684e339ca93372e0f2382da012ae87545765cd81913f4da4622f3c
                                                                                • Opcode Fuzzy Hash: 0ccb5a1a1b1ee1b50b4dcfad9ffd006b42d6bdf39f314305c8940a4b7d9212be
                                                                                • Instruction Fuzzy Hash: F5518E31A00299DFCB11CFAAC844AEDFBF1FF49710F1581A6E855AB251D734AE45CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE1593, Relevance: .1, Instructions: 138COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 99990b5276abe2b5bbc29c0cfb726ecfc0402cb7dfacfef3864fb9593a52419d
                                                                                • Instruction ID: ced98cf28c93c672aac260f25f774e9f310109156850ca6b0b8ec7151675d603
                                                                                • Opcode Fuzzy Hash: 99990b5276abe2b5bbc29c0cfb726ecfc0402cb7dfacfef3864fb9593a52419d
                                                                                • Instruction Fuzzy Hash: F1415572A00244CFDB249BB9C0597EE77F1EF84315F3808AAD0059B2A1CB398D46CB92
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE18C0, Relevance: .1, Instructions: 124COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5560511c1705fcca0a1ce24c3631f07634cf0b530942da2e826ecc65c1bbb80c
                                                                                • Instruction ID: e52a417e8b601f9cf8e035ddfca71bb85780c511533f8128f63274a734882022
                                                                                • Opcode Fuzzy Hash: 5560511c1705fcca0a1ce24c3631f07634cf0b530942da2e826ecc65c1bbb80c
                                                                                • Instruction Fuzzy Hash: 4D41E134A002448FDB18EF79D8549AD77F2FF8A31072181A6D419CB366DB30AC06CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE0448, Relevance: .1, Instructions: 114COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fe32a624938103fdf8a684b27f513afdea237c171aba13008d5aaf270cf6a4db
                                                                                • Instruction ID: aab3cc94d7e3063c5749dc78f33df2f44d0a8f7ad1b620098712c012cf9df156
                                                                                • Opcode Fuzzy Hash: fe32a624938103fdf8a684b27f513afdea237c171aba13008d5aaf270cf6a4db
                                                                                • Instruction Fuzzy Hash: A541A130E102499FCB14EBB8D455AADBBF2FF85308F118469E009AF365DB789D46CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE18B0, Relevance: .1, Instructions: 113COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 325bb9b5c8f21e1f1ad9ed27ed91f73ded5c352b885d2420a95ddb20dc172c8a
                                                                                • Instruction ID: 8000c4d506515e5aa5a7576b4d8f73e065a11ab7ce5fae7df74bbab86e3d52da
                                                                                • Opcode Fuzzy Hash: 325bb9b5c8f21e1f1ad9ed27ed91f73ded5c352b885d2420a95ddb20dc172c8a
                                                                                • Instruction Fuzzy Hash: E641AE34A00644DFC718DF39D8549AD7BF2FF8A350B2585AAE415CB369DB309D0ACB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE3E99, Relevance: .1, Instructions: 106COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9bb289b0eeda99e2bb35d3dbd6eadbc20a0fa0f09ca9fa3471dfdc35aca508e7
                                                                                • Instruction ID: 1cf64ffc9173adeb46ba4107ac4d8162c39d44dd7501a433ceee1695b1f4095d
                                                                                • Opcode Fuzzy Hash: 9bb289b0eeda99e2bb35d3dbd6eadbc20a0fa0f09ca9fa3471dfdc35aca508e7
                                                                                • Instruction Fuzzy Hash: 31312531B083C48FC7258B7940A52FDFBE29B99710F1881EDC4029B341DA644E49C7E2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE45CE, Relevance: .1, Instructions: 93COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bfbd24309528660d6a6859e829980a7a1411cbc4995dd1f9fc0d3ca40c0323e7
                                                                                • Instruction ID: 9d76afa6b7bf9f8461d30913e129965cc82fbb5a625f4a0e89579fff1b2151a9
                                                                                • Opcode Fuzzy Hash: bfbd24309528660d6a6859e829980a7a1411cbc4995dd1f9fc0d3ca40c0323e7
                                                                                • Instruction Fuzzy Hash: A6317C71B00104CFCB08EB79D495A6E73F2EF89314B2442A9E016DB3A5DB74DC06CB80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE6190, Relevance: .1, Instructions: 84COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 07b3cc9e71b50e519adce333808d26d8df5a8aa719bf53783c6893c72ec7cb13
                                                                                • Instruction ID: 65f6031ab6f5537b07bef9914b20ef8131f0c5acf3aadcd9e20f637029bed4f4
                                                                                • Opcode Fuzzy Hash: 07b3cc9e71b50e519adce333808d26d8df5a8aa719bf53783c6893c72ec7cb13
                                                                                • Instruction Fuzzy Hash: 2721C131B002089FCB24EBB9D805ABFBBB6EFC5314F104479D219E7245EB305906CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE4A10, Relevance: .1, Instructions: 83COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 80fc5497af2de3bfe28b41e4c1666086f9eb8874695a5c1c7176e07653ce7048
                                                                                • Instruction ID: 4394582ed62a12c2f199feda015fed11d55564047ed1579f26e3c51cc70f15f1
                                                                                • Opcode Fuzzy Hash: 80fc5497af2de3bfe28b41e4c1666086f9eb8874695a5c1c7176e07653ce7048
                                                                                • Instruction Fuzzy Hash: 16318D31A04294CFD7149F2AD984B697BE6FF45711F0588EAE509CB2A2C734DC45CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE1768, Relevance: .1, Instructions: 83COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 286d8e640b2d962765172ef87a192efc7376b2bdb1ecc5617319598bad154ebb
                                                                                • Instruction ID: c3aa4d019ec4e8e851a6bc5068b8d046065b0b56b7d834a01cddd381c0611bcb
                                                                                • Opcode Fuzzy Hash: 286d8e640b2d962765172ef87a192efc7376b2bdb1ecc5617319598bad154ebb
                                                                                • Instruction Fuzzy Hash: C7315A75B002118FCB48EB78D498A6E77F2EF49708B2188A9E406DB3B1DB35DD41CB80
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE0439, Relevance: .1, Instructions: 76COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4bc53ac01e208064bc1e838e2d1a3513d8d81f66dc590e325ff9e11bb2124afa
                                                                                • Instruction ID: 4f7a64e0ca653cd91895e8aa2198846b2fd5d55ad1331288abcdaf7b2432cac8
                                                                                • Opcode Fuzzy Hash: 4bc53ac01e208064bc1e838e2d1a3513d8d81f66dc590e325ff9e11bb2124afa
                                                                                • Instruction Fuzzy Hash: C8318F30A10249DFCB00EBB8E494A9DBBF2FF91308F159469E0146F765DB789C4ACB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE1778, Relevance: .1, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ea9660535634660208b202c08f29d76a3da488b2594c57620781f7a65f67986c
                                                                                • Instruction ID: 9dc5fecd8d5bbf95b7c971af17a16648575b655dd96a1c64d831abbc0a094b30
                                                                                • Opcode Fuzzy Hash: ea9660535634660208b202c08f29d76a3da488b2594c57620781f7a65f67986c
                                                                                • Instruction Fuzzy Hash: 28212575A002158FCB48EB79C45996E73F2AF48708B2148A9E406DB3B1DB35DD41CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE6180, Relevance: .1, Instructions: 63COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 746b1669cf6240ad9221e6bf1d8b040077baf435864a781df942c91f78f22f3c
                                                                                • Instruction ID: 4fd2e17948bb45dc189853bc927bf020e1295702d6f022cd23085c1c97fdc7ed
                                                                                • Opcode Fuzzy Hash: 746b1669cf6240ad9221e6bf1d8b040077baf435864a781df942c91f78f22f3c
                                                                                • Instruction Fuzzy Hash: CF110831A08248AFC715DB799C05AAF7FB5EFC6214F0544FAD118DB252DB305C0ACBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE0699, Relevance: .0, Instructions: 41COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9f63ee31b3f32bdb4ac8c0521a36dbd91f7f81bf8663304f8597564689564045
                                                                                • Instruction ID: a2c514a757e8d5bffc39142ac3cd606c86789e3ff2864a7fcf0892d5bd54c8c6
                                                                                • Opcode Fuzzy Hash: 9f63ee31b3f32bdb4ac8c0521a36dbd91f7f81bf8663304f8597564689564045
                                                                                • Instruction Fuzzy Hash: 8101D6307083805FCB147775A825B2A3BE5AB42354B0414AAD541C72AAEBA88D41C7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE06A8, Relevance: .0, Instructions: 35COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 24ad29634e048cdbad1d0421aa3ff199df6064098a40b3b4fd082767e7ffdd1b
                                                                                • Instruction ID: 9b134586c8fce3c063c913db6fcd88b2a3130035e3bb0398f31adaa0c5240572
                                                                                • Opcode Fuzzy Hash: 24ad29634e048cdbad1d0421aa3ff199df6064098a40b3b4fd082767e7ffdd1b
                                                                                • Instruction Fuzzy Hash: C5F09030B102444BCB647B76A825B3B37D9AB81394B40146DA902C3299EFE8CD81C7D0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE5830, Relevance: .0, Instructions: 27COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 48f1d1cdd72e56374c90a43b7abbda1df603d47f85c9e858c7a0518cfc3162a9
                                                                                • Instruction ID: 79db87183d82e678c29470a39862f42704def3bc0ee7c1a0c45878cf89320144
                                                                                • Opcode Fuzzy Hash: 48f1d1cdd72e56374c90a43b7abbda1df603d47f85c9e858c7a0518cfc3162a9
                                                                                • Instruction Fuzzy Hash: 22E06D757002009BC318AB39E894CAAF7AAFBC9360750C13AA90EC7325DE719C06C7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE59D0, Relevance: .0, Instructions: 27COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bcba38fd84e8f433499eb1486dd584dfe88068db87f10fd3b32150f7d0cecd8b
                                                                                • Instruction ID: 6f63cfe4ef25215393948d1f0d54b8ecb98ba36e252259765862323357f606a2
                                                                                • Opcode Fuzzy Hash: bcba38fd84e8f433499eb1486dd584dfe88068db87f10fd3b32150f7d0cecd8b
                                                                                • Instruction Fuzzy Hash: 80E0DF3260225197E734327E8400B7A62DECFC8B18F19413EA00ED3284DE229C0282E5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE0FB0, Relevance: .0, Instructions: 27COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: db049a38e286d0b2a7b091469a28bc1877bf5f0ba6fd66a3eef9b1778e4ef70d
                                                                                • Instruction ID: 35c92d53e6b80a7dbaad662995a69a9b358d777ff0a8a528898bc35581cf6444
                                                                                • Opcode Fuzzy Hash: db049a38e286d0b2a7b091469a28bc1877bf5f0ba6fd66a3eef9b1778e4ef70d
                                                                                • Instruction Fuzzy Hash: F8F01778640201CFCB14EFB4D059AA8B7B1FF49308F2144A9D40A9B3B5CB399805CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE59E0, Relevance: .0, Instructions: 23COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 951c867e6e8151cd07f79931f31d3930783da6e5e75798c687b406a522510eca
                                                                                • Instruction ID: 6146f8223f9c77e731abdedac8592c8470abcd8088632772d9fd61540243c0f6
                                                                                • Opcode Fuzzy Hash: 951c867e6e8151cd07f79931f31d3930783da6e5e75798c687b406a522510eca
                                                                                • Instruction Fuzzy Hash: 07D0123271166057C735217E5404B6A62CECBC9B19B15457EA50AC7244DF659C4282F5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE0B70, Relevance: .0, Instructions: 21COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 90df4246e1270d60aa92493d159016dc6b60ff67d910fcff8583947155281a4b
                                                                                • Instruction ID: 844a951dac1af9bc52340c2d2a448630386545c1621695e84706bc6b8963b05d
                                                                                • Opcode Fuzzy Hash: 90df4246e1270d60aa92493d159016dc6b60ff67d910fcff8583947155281a4b
                                                                                • Instruction Fuzzy Hash: 2CE02B7152D3804FD3416776AD409513BE8EB06714B0204F7E858C7222E3949D8083D1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00BE0B38, Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000006.00000002.683100271.0000000000BE0000.00000040.00000001.sdmp, Offset: 00BE0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e0ba0e0075e73afce0f380e22ae5b07ba3447d548d87391211451aff3a2bb730
                                                                                • Instruction ID: 77b707dfda134abab61a90848dba47e176acda30b5daeffcc6178c2057fb8f3d
                                                                                • Opcode Fuzzy Hash: e0ba0e0075e73afce0f380e22ae5b07ba3447d548d87391211451aff3a2bb730
                                                                                • Instruction Fuzzy Hash: 3DD05E30A0010CEF8B40EFB8E9019ADB7B9FF45204B2088A9D908E3320EB716F049B81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Analysis Process: dhcpmon.exe PID: 980 Parent PID: 968 dhcpmon.exeCOMMON

                                                                                Executed Functions

                                                                                Function 00EC2148, Relevance: 1.6, Instructions: 1621COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8d2566e40d1de1838931cdf70abf0841c568e951b44a24d2d5f3e9f7e899ecb3
                                                                                • Instruction ID: 97fc04dbe0f8b672b5c83816237c25d65f6e37b7d1f4970fe618d8753edabfac
                                                                                • Opcode Fuzzy Hash: 8d2566e40d1de1838931cdf70abf0841c568e951b44a24d2d5f3e9f7e899ecb3
                                                                                • Instruction Fuzzy Hash: 19E29C31A102199BE721EF20CC44BD9B3B2EF99704F5585A5E5083B7A1DFB16E86CF81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC2133, Relevance: 1.6, Instructions: 1597COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c5f87c5ab835443aea16f364c1d1d87967458ffa4ae3c20378c67abeecf28748
                                                                                • Instruction ID: 5164b6e1b369f015ef315fc4fc167794395434f7bd758867be5366e570ad0bb5
                                                                                • Opcode Fuzzy Hash: c5f87c5ab835443aea16f364c1d1d87967458ffa4ae3c20378c67abeecf28748
                                                                                • Instruction Fuzzy Hash: 9DE29D31A102199BE721EF20CC44BD9B3B2EF99704F5585A5E5083B7A1DFB16E86CF81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC4580, Relevance: .6, Instructions: 608COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8e6dd153f51dbd8b3deffe2841760d686f3859046a8b9e98747478504396d5be
                                                                                • Instruction ID: 33b8ae830afb6acc618b3110bca3b78586878ccf289d89afcde611780eac8432
                                                                                • Opcode Fuzzy Hash: 8e6dd153f51dbd8b3deffe2841760d686f3859046a8b9e98747478504396d5be
                                                                                • Instruction Fuzzy Hash: 8F426A30601204CFDB14DF68C9A4FAEB7F2EF89304F468469E4169B6A1EB35ED56CB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC5868, Relevance: .4, Instructions: 371COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e8ee79d213fc8739399d265771efc1e2a43c706ed298d702cb8f792883f5c22f
                                                                                • Instruction ID: d419146c698a9ae99c11f868a311c860982bae94e330feb26fa77aa8285c7f4e
                                                                                • Opcode Fuzzy Hash: e8ee79d213fc8739399d265771efc1e2a43c706ed298d702cb8f792883f5c22f
                                                                                • Instruction Fuzzy Hash: BBD191327007018FD724DF35CA94F6AB7A2AF84308F14956DD516AB296DB36EC86CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC4E8C, Relevance: 1.7, Strings: 1, Instructions: 439COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: \R
                                                                                • API String ID: 0-787937317
                                                                                • Opcode ID: a95626067c97fd5198f533b1d5924d4dfc9e9ae7406d1224fd3ba3a62cdb5d53
                                                                                • Instruction ID: 0f8b9fd2ab2a6842506670f0c10b568599e9b70bf0e8a0492bc80c0a05ae45b9
                                                                                • Opcode Fuzzy Hash: a95626067c97fd5198f533b1d5924d4dfc9e9ae7406d1224fd3ba3a62cdb5d53
                                                                                • Instruction Fuzzy Hash: E1210132A042448BDB05EBA4D455BEDBBF2AF8A304F58446DC001F73A0EB35AD46CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC5190, Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: \R
                                                                                • API String ID: 0-787937317
                                                                                • Opcode ID: 33f03a16b9cfd1b965fffd2e5c7a2ff1a8ec4d70d1ba513a58be91fa8f8b3212
                                                                                • Instruction ID: 595da3328afdd8fa678103b3f36c74c54f5d8afba02068aeed66123e0d88f884
                                                                                • Opcode Fuzzy Hash: 33f03a16b9cfd1b965fffd2e5c7a2ff1a8ec4d70d1ba513a58be91fa8f8b3212
                                                                                • Instruction Fuzzy Hash: A111D331A006188BDB04EBB4C555BED77F2AB89308F54452CC401F73A0FF39A946CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC0C70, Relevance: .2, Instructions: 214COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fd8d7caa0cea3ed8fd56873a112a042b217ab2461dbb0df4f97e22fb736f33f0
                                                                                • Instruction ID: 7c8d29bab9151858b152e5bd5ff106d8b399c9230a01c5a11a71440ddc56f7aa
                                                                                • Opcode Fuzzy Hash: fd8d7caa0cea3ed8fd56873a112a042b217ab2461dbb0df4f97e22fb736f33f0
                                                                                • Instruction Fuzzy Hash: ED914271A00208DFCB05DFE5D954AEEBBFAEF48304F14852AE501A7265EB359906CF60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC0C62, Relevance: .2, Instructions: 201COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 026cee48e10ee4ab58dfd53e75f32ddd7fcf472edc916de86679b862ddc98718
                                                                                • Instruction ID: 147a949feff5182591a4d0865a3c860ba1562884f2bab7cfae72b24c60cdef44
                                                                                • Opcode Fuzzy Hash: 026cee48e10ee4ab58dfd53e75f32ddd7fcf472edc916de86679b862ddc98718
                                                                                • Instruction Fuzzy Hash: E0815371A00208DFCB15DFA5D954AEEB7FAEF88304F14852AE501E7265EB359906CF60
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC1EC0, Relevance: .2, Instructions: 198COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5ad95700af421bed3c1b20aa860859af55f1b6e5fa56ecd219d569b81e9b00ad
                                                                                • Instruction ID: 80bc5845fdcaf2162a69ba413e018299dc1786c378f762eeb55c67066242d826
                                                                                • Opcode Fuzzy Hash: 5ad95700af421bed3c1b20aa860859af55f1b6e5fa56ecd219d569b81e9b00ad
                                                                                • Instruction Fuzzy Hash: 7E7160317002499FDB14DB64C951FAEB7BAAF85304F24452EE502EB2A1EB75DD43CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC13C8, Relevance: .2, Instructions: 153COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c521a31f30692bd1d7677941a8b123a07a7328e9386d3bac00abce9d880aaa5c
                                                                                • Instruction ID: 67aa1ea09325402194b66d813cc82697d10fcc21058b182a456fb8607065807f
                                                                                • Opcode Fuzzy Hash: c521a31f30692bd1d7677941a8b123a07a7328e9386d3bac00abce9d880aaa5c
                                                                                • Instruction Fuzzy Hash: 38519F71E042589FDB05EB649910AEEBBF2EFC6300F0480BAD519E7252EB754A16CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC3CF8, Relevance: .2, Instructions: 150COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9954d7ec7d8e59cf2a35e5c4445d5c2392cf2cca0cff5ab749e0681c89606e57
                                                                                • Instruction ID: e7f96c0bcebd5f687f295fb237175a791876a6f1c5246d4c0040ec6183a980e2
                                                                                • Opcode Fuzzy Hash: 9954d7ec7d8e59cf2a35e5c4445d5c2392cf2cca0cff5ab749e0681c89606e57
                                                                                • Instruction Fuzzy Hash: 30517C31A00259DFCB01CFA9C940AEDFBB1FF49311F1581AAD855B7251D735AE46CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC18C0, Relevance: .1, Instructions: 121COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6dd5aa68b50b6281f80aca6d2f8c49e916e82b7f31861e1cd9289df912e32dd8
                                                                                • Instruction ID: 64228775be4db0600c939c3e091c0a0d0a7dbb8dddb32ebe8c48c14588b7dda1
                                                                                • Opcode Fuzzy Hash: 6dd5aa68b50b6281f80aca6d2f8c49e916e82b7f31861e1cd9289df912e32dd8
                                                                                • Instruction Fuzzy Hash: D2417035A00204CFDB05DF74D964AAAB7F2EF86340B1585AAD4159B376EF30AD06CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC0448, Relevance: .1, Instructions: 115COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 12a77696be339be805f8b04e93c75861b965d8d23d3941b8234c436fdee31805
                                                                                • Instruction ID: 992ae4f33206f8a4eedf887669506cffa2332d569299d5b42e235143a50dcb54
                                                                                • Opcode Fuzzy Hash: 12a77696be339be805f8b04e93c75861b965d8d23d3941b8234c436fdee31805
                                                                                • Instruction Fuzzy Hash: C1418F30A40208DFCB40EFB8D555BADB7F2EF84308F00842AD005AB361EB759D46CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC1768, Relevance: .1, Instructions: 104COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d0246fcf43f4590fc91d4ecd7172df2c0a6ab3ad93a9de441aef4709b893a376
                                                                                • Instruction ID: 144abd593261264180fab9ae9b06d2736a25aa865bcfbb3692d538f43d07f60e
                                                                                • Opcode Fuzzy Hash: d0246fcf43f4590fc91d4ecd7172df2c0a6ab3ad93a9de441aef4709b893a376
                                                                                • Instruction Fuzzy Hash: 08418A72A00210CFC718EBB4C559B6D77B1AF4A319B1544E9D4069B2B2DB36DD43CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC3EA8, Relevance: .1, Instructions: 101COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: fb91ebe76b0ed2f708b59a51ecc0eba4f1a571920901b9a843df9ebd13525123
                                                                                • Instruction ID: d214a042ad8eb4852271eacf7dce80ea4b69ebcb462740c20ee46815723f3559
                                                                                • Opcode Fuzzy Hash: fb91ebe76b0ed2f708b59a51ecc0eba4f1a571920901b9a843df9ebd13525123
                                                                                • Instruction Fuzzy Hash: 8A314832B083858BC7159A7880517FEFBF69B99310F18D96DC002AB341DA665E4AC7E1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC18B2, Relevance: .1, Instructions: 98COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e790215760d3ebf95a74957298652265abf3740feee70ccfc0f28b119f46e360
                                                                                • Instruction ID: af4a0924492e49ccf4e895b773ec99820ed01b2aa6f4aac90d65b0177ea60f68
                                                                                • Opcode Fuzzy Hash: e790215760d3ebf95a74957298652265abf3740feee70ccfc0f28b119f46e360
                                                                                • Instruction Fuzzy Hash: 09415B35A00104CFCB14DF74D864EAEB7F6EF8935471581AAE4159B3B6EB30AD06CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC5CF0, Relevance: .1, Instructions: 81COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ebe41344cd3b13b970d7b13c154a6db709ca7f5bec2e81884b863bb74dc5958d
                                                                                • Instruction ID: 3e0ca7b0379947d5b28893f1b0cb6a54be3e7c1f34dc25021d04e4341527d5ef
                                                                                • Opcode Fuzzy Hash: ebe41344cd3b13b970d7b13c154a6db709ca7f5bec2e81884b863bb74dc5958d
                                                                                • Instruction Fuzzy Hash: BE21BD31A002099FCB14EBB8D850AAFBBB6EFC5214F54857ED119E7355EB345A06CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC4572, Relevance: .1, Instructions: 78COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 17a3d154450af14abf533d8b76a3499857df8b7dca89eb4bcaee85510702f342
                                                                                • Instruction ID: 3a21be9f3d306484708048beeef6590c2f0a195a45102169bfb2d4291d9470a3
                                                                                • Opcode Fuzzy Hash: 17a3d154450af14abf533d8b76a3499857df8b7dca89eb4bcaee85510702f342
                                                                                • Instruction Fuzzy Hash: C621DD71A01200CFD714DF28DA68FAABBF2AF45305F4690AEE405EB2A1E735DD42CB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC1778, Relevance: .1, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 87d10543a8ed4ebf0132f1194704175253a3b7d0f518c67967577ce4c4aa2b1e
                                                                                • Instruction ID: c3a5b98617b226c8acce897b82d9145fc2a40d3c3d75864cbbac4cd0968b589e
                                                                                • Opcode Fuzzy Hash: 87d10543a8ed4ebf0132f1194704175253a3b7d0f518c67967577ce4c4aa2b1e
                                                                                • Instruction Fuzzy Hash: 41213776B002158FCB48EF78D555A6E73F2AF49708B2144A9E406DB3B2EB35DD42CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC3E9A, Relevance: .1, Instructions: 60COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c1c44a7ed4775c253268f4402f406c1d2031487f543bea5bae8bb27fe5cadb51
                                                                                • Instruction ID: da1136af3d152ffcf1a5dfed9eee0bf922e643b49e4cc5f93efbae1b646359a2
                                                                                • Opcode Fuzzy Hash: c1c44a7ed4775c253268f4402f406c1d2031487f543bea5bae8bb27fe5cadb51
                                                                                • Instruction Fuzzy Hash: 91115532F041944BCB299A7880A0AFEBBB6EFC9314F18856ED406EB345DA364D0787D1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC5CE0, Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6a7486fa78980ba37c9b02bac47c7d8f85e396402acaa288c132672e21c59753
                                                                                • Instruction ID: c804864aa7c0febcf1c639e394fdfbd9ac38bfac19ee2863ae22a513bcb48d51
                                                                                • Opcode Fuzzy Hash: 6a7486fa78980ba37c9b02bac47c7d8f85e396402acaa288c132672e21c59753
                                                                                • Instruction Fuzzy Hash: C4112535A083449FC711DB789860A9E7FB1DFC5204B0545AED114EB352EB305D09CB61
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC0698, Relevance: .0, Instructions: 37COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dbf7cc1381093ecd0890eba1e8911c5e0e039dfc3cc27a344979f100319e0807
                                                                                • Instruction ID: 94bf359e7c2d5606418b6eb53c53e377715c1f5d61c7d6b1d254a67b73a15a49
                                                                                • Opcode Fuzzy Hash: dbf7cc1381093ecd0890eba1e8911c5e0e039dfc3cc27a344979f100319e0807
                                                                                • Instruction Fuzzy Hash: 82F062307053448BDB146B70AA257AB33569B81359B44182FE942E76A6FF69CC43C7A0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC0610, Relevance: .0, Instructions: 36COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9fed7a6616acde486ce907a8aa38203d12814d388d96d27032ad935f661442b1
                                                                                • Instruction ID: c3beeeff957eb61043b5847ef73a14f6c69dac0fc89872f85d1f67293dc1dc8e
                                                                                • Opcode Fuzzy Hash: 9fed7a6616acde486ce907a8aa38203d12814d388d96d27032ad935f661442b1
                                                                                • Instruction Fuzzy Hash: 63F03672F001189FCB44EBBC941676E76E6EF48A14F104169D509DB351EF399D1187D1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC06A8, Relevance: .0, Instructions: 35COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 82b50a4449bb99896a76a5480d469ddbdeb3854744bf0095ae1d5a4cf0e147f8
                                                                                • Instruction ID: fef52bcbf82e97a18855b77eb01af84678ebe5a5059d2f2f0a77205259fb265a
                                                                                • Opcode Fuzzy Hash: 82b50a4449bb99896a76a5480d469ddbdeb3854744bf0095ae1d5a4cf0e147f8
                                                                                • Instruction Fuzzy Hash: BBF0963070530487DB146B74E52576B73999B80359B00042EE902D32A6FFA5CC4287E0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC4D7C, Relevance: .0, Instructions: 34COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 349dd58ad526330b31d2a60876d21f25000bc4b367d84d90a4ad11571f41b2ab
                                                                                • Instruction ID: e7b6fe13979b7f8028f383da655da683988d53144337b252cb3bf744143ed50f
                                                                                • Opcode Fuzzy Hash: 349dd58ad526330b31d2a60876d21f25000bc4b367d84d90a4ad11571f41b2ab
                                                                                • Instruction Fuzzy Hash: DDF0F0B2D09244AFCB01DBB59C659E9BF74EF81304B5481DAC062976B5E7794206CB40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC5380, Relevance: .0, Instructions: 32COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 34582f63200741ed35d00245d19b07388383647d5b627f7eb72569604f1900f3
                                                                                • Instruction ID: ea6b736fde63d22196c2193869b3a1fe977dfe50396a6e47c2e092876eb4387d
                                                                                • Opcode Fuzzy Hash: 34582f63200741ed35d00245d19b07388383647d5b627f7eb72569604f1900f3
                                                                                • Instruction Fuzzy Hash: B9F082353051408FC305DF64E8A488AFBA6EFC9351760816BE909C7366EE709C05C761
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC0B10, Relevance: .0, Instructions: 31COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: ecdcb68624b2dd14b6a49d8ad5b8975c9b9405cb740cf4f2f3f40932263948c3
                                                                                • Instruction ID: 6d4fa2a8af491098d68562573c390a2c1503aa912e45de03f3a5b5a31c33e04a
                                                                                • Opcode Fuzzy Hash: ecdcb68624b2dd14b6a49d8ad5b8975c9b9405cb740cf4f2f3f40932263948c3
                                                                                • Instruction Fuzzy Hash: B0F01D3150E3C88FC702EF74A9205997FB19F07204B0945E7D484CB2A3E6305E08DB52
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC0FB0, Relevance: .0, Instructions: 27COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 763e9b943a3e5c19711869ee476b788ad1d11c00b3656742f0e377feed32e782
                                                                                • Instruction ID: 2530ab82dd2169e3df9c5a069a6d5d0ccad0c7d2ea19fd6801d09ce8a265f5ad
                                                                                • Opcode Fuzzy Hash: 763e9b943a3e5c19711869ee476b788ad1d11c00b3656742f0e377feed32e782
                                                                                • Instruction Fuzzy Hash: CBF0F474640201CFCB04EFB4D269AA8B7B1FF49308F2045ADD4069B3B2DB799806CF41
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC5390, Relevance: .0, Instructions: 27COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 1743e1ec2bfdbf1529fef423846d5d50a4b538151b4da9f1a7522732be41340d
                                                                                • Instruction ID: dc2d72ef37cd5b46c07a1d7fe14ba40a26b368ba42c06f2eecf45b0227e3c933
                                                                                • Opcode Fuzzy Hash: 1743e1ec2bfdbf1529fef423846d5d50a4b538151b4da9f1a7522732be41340d
                                                                                • Instruction Fuzzy Hash: 94E09B313011005BC714DF65E86488BFB9DEBC8351760813BA90EC3325DF709C06C7A1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 00EC0B38, Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.689679123.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 09e097b925c79c9b5329992292dccfd7f4a2bb98409ab1281e9949be0390a422
                                                                                • Instruction ID: da204420898ffd221b1826646841d84e34f9e44faa439f0eb6ba9caef248c7fb
                                                                                • Opcode Fuzzy Hash: 09e097b925c79c9b5329992292dccfd7f4a2bb98409ab1281e9949be0390a422
                                                                                • Instruction Fuzzy Hash: A5D01731A0110CEF8B40EFA8E91199DB7F9EB44204B1085EAE809D3321EA316F009F82
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions

                                                                                Analysis Process: dhcpmon.exe PID: 5728 Parent PID: 3424 dhcpmon.exeCOMMON

                                                                                Executed Functions

                                                                                Function 01732370, Relevance: 2.0, Instructions: 2018COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7e8ff3998dbb376c592ec2f9b0853cb51ad5ac7d34e0c1707a2888622d28600d
                                                                                • Instruction ID: 07536c4103c1ef3fc9711eb4482316a892bbc2a62bf55663dda6a18c2392b937
                                                                                • Opcode Fuzzy Hash: 7e8ff3998dbb376c592ec2f9b0853cb51ad5ac7d34e0c1707a2888622d28600d
                                                                                • Instruction Fuzzy Hash: 9D039E31A102199FE721DF64CC84BE9B377FF99300F5581A5E5096B2A1DB70AE86CF81
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01735208, Relevance: .5, Instructions: 503COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: edf23d32c09f2ae7f349f2c39c17f81e1319639f463a080ec5af5bcb36e49f34
                                                                                • Instruction ID: 6f1816e5794332e0614f983401dc6b4e5ac0d71dd41e31ad72add22b0af807a8
                                                                                • Opcode Fuzzy Hash: edf23d32c09f2ae7f349f2c39c17f81e1319639f463a080ec5af5bcb36e49f34
                                                                                • Instruction Fuzzy Hash: D1128D30B00205DFDB24DF79D894BAAB7B6AF88304F158469E906DB296DB75EC41CF90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01734460, Relevance: .2, Instructions: 218COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: e58fdbe19be19443dbdaeb2af589c811b9b2ac70b4e26a63d0d9ebd2f4a84bac
                                                                                • Instruction ID: f95c414b6e01b7e4ed0e8ee621299b10596726c9ce390f61ad11c44038c7962c
                                                                                • Opcode Fuzzy Hash: e58fdbe19be19443dbdaeb2af589c811b9b2ac70b4e26a63d0d9ebd2f4a84bac
                                                                                • Instruction Fuzzy Hash: 34912830600605CFC719DF18C884A69BBF6EF85351B4AC5A9D4568BA63D730FD89CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01730C70, Relevance: .2, Instructions: 214COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9c6b2c72d9a37a5efd8c079119770decc7d5b2f44af58593b160cc3329e388ac
                                                                                • Instruction ID: 0f33fa9d25c1a51e072b86e8a4d837fdcbbcec44e8eaf5ac59817439d5aabb12
                                                                                • Opcode Fuzzy Hash: 9c6b2c72d9a37a5efd8c079119770decc7d5b2f44af58593b160cc3329e388ac
                                                                                • Instruction Fuzzy Hash: E4913D71E002089FCB15DFE5D8549EEBBBAEF8C304F14816AE505A7265DB38AD05CFA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01730C62, Relevance: .2, Instructions: 202COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 43711c40b54cadd94dc82c7c00f3c9b3afb642d110037f30085f147f19a9a088
                                                                                • Instruction ID: 7d279465edfde3017e529d2c4cfddca828d7b3baf107ef7b5bea66b78b224fdd
                                                                                • Opcode Fuzzy Hash: 43711c40b54cadd94dc82c7c00f3c9b3afb642d110037f30085f147f19a9a088
                                                                                • Instruction Fuzzy Hash: 12813171E002089FCB15DFE5D8549EEBBFAEF88304F14816AE505AB265DB34AD05CF91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 017313C8, Relevance: .2, Instructions: 160COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9ebc24ce03039fc41fef9861a25dc5a64ab1be1e4a6546702deea6a6aafbd703
                                                                                • Instruction ID: f7c3067c1fb1be537c3f49bcd1f618582c6fb5b4612d64e652804fb19f068bd1
                                                                                • Opcode Fuzzy Hash: 9ebc24ce03039fc41fef9861a25dc5a64ab1be1e4a6546702deea6a6aafbd703
                                                                                • Instruction Fuzzy Hash: 8D51F171E002099FDB05DF69D8106FEBBF6EFC5210F1480BAD509EB251EB354A15CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 017318C0, Relevance: .1, Instructions: 122COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7b0d3c59dd0ada330479b90c4d4492ac7774d410d6b80096189cc6573634f0a5
                                                                                • Instruction ID: 8b977afdf6ea5bc6522ded9d1e986a6a9ecde840094f866bba58b9d645544e45
                                                                                • Opcode Fuzzy Hash: 7b0d3c59dd0ada330479b90c4d4492ac7774d410d6b80096189cc6573634f0a5
                                                                                • Instruction Fuzzy Hash: 02418B30A102098FDB58DF39D8549AEB7B6EF89350B11C1AAD4158B376EF34AD06CF91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01730448, Relevance: .1, Instructions: 119COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 11e400c55175e0bd31418625bffbc3d298ce1a8aa9897b26bb17142dace25369
                                                                                • Instruction ID: 026649ecf9b66c24216f73cfcfb2f83c08fc678017f6b9a3cffd2fb24ebb7f24
                                                                                • Opcode Fuzzy Hash: 11e400c55175e0bd31418625bffbc3d298ce1a8aa9897b26bb17142dace25369
                                                                                • Instruction Fuzzy Hash: 7A416D30A502099FCB44EFB8D455AADBBF2FF84304F14842AE1059B365DB79AC46CBD1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 017318B0, Relevance: .1, Instructions: 107COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 179db84f788d0a9f533ef6ab24370acdbb6acbf9919b26e820129c92dac21c01
                                                                                • Instruction ID: 647a425e1b5db0fc46cfc8fcef10d32c43eca92fbc74923da546cd3246dddd16
                                                                                • Opcode Fuzzy Hash: 179db84f788d0a9f533ef6ab24370acdbb6acbf9919b26e820129c92dac21c01
                                                                                • Instruction Fuzzy Hash: B8418A35A00209CFCB54DF69D8449AEB7B6EF89350B11C1AAE4158B375EB34AD06CF91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01731768, Relevance: .1, Instructions: 94COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 2f85c194501c77f21dbd3784c7245dfc471289ecfd3a605223c1ab7e73d0d4d0
                                                                                • Instruction ID: 364e554d97663afc9afcbfcbeb2299de2769b660e70dadeb7aa1262cdc89d97c
                                                                                • Opcode Fuzzy Hash: 2f85c194501c77f21dbd3784c7245dfc471289ecfd3a605223c1ab7e73d0d4d0
                                                                                • Instruction Fuzzy Hash: BA318D71A00211CFCB58EF78C459A6EB7F2AF88318B6144A9D106CB372DB35DD42CB91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01735828, Relevance: .1, Instructions: 90COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: d886c80173efd2d9a900d0038f9529c117f5bc3557738c6aa469a581245141ab
                                                                                • Instruction ID: e7b32674e8934e9d1f755d47c2042ac17e761db5ed1f9dd3b7dacadfaed26f00
                                                                                • Opcode Fuzzy Hash: d886c80173efd2d9a900d0038f9529c117f5bc3557738c6aa469a581245141ab
                                                                                • Instruction Fuzzy Hash: 13210031E002095FCB24EBB9E8506FEBBBAEFC4314F14847AD509E7241EB341906CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 0173043C, Relevance: .1, Instructions: 81COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f3068c36cb1462dcd627f63c3e421e290c391d2331a894720bcddf692c4b923d
                                                                                • Instruction ID: c90c81ba26d8f70c672b4cb9bce1a5cde6d5fef09d4d7261faf57216afdd7844
                                                                                • Opcode Fuzzy Hash: f3068c36cb1462dcd627f63c3e421e290c391d2331a894720bcddf692c4b923d
                                                                                • Instruction Fuzzy Hash: C9316D309502099FCB44DFA8E554AEDB7F2EF85304F04942AE0146B661DB75AC4ACBA2
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01732360, Relevance: .1, Instructions: 78COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 82492df45224b9db0928695db04a6bf436b861b6e82f904dd010698d4ab48880
                                                                                • Instruction ID: 84279f69ab3a7eba3a01037d18fafb938a99a69682f859010993fc046e55b629
                                                                                • Opcode Fuzzy Hash: 82492df45224b9db0928695db04a6bf436b861b6e82f904dd010698d4ab48880
                                                                                • Instruction Fuzzy Hash: DD21AE31A01204DFD724DF29D888BAABBE6FF84241F5584AAE905DB2A7C734E845CB50
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01731778, Relevance: .1, Instructions: 69COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a1ec67dc5e1d8fd4ea8200eeb9d3c05ef8a9fe5b0370ce250bb087793c700782
                                                                                • Instruction ID: 55b147e5ca0828fd91e183df21fb19cb43482ac97a92ad52dbf1d9f0a8e2b524
                                                                                • Opcode Fuzzy Hash: a1ec67dc5e1d8fd4ea8200eeb9d3c05ef8a9fe5b0370ce250bb087793c700782
                                                                                • Instruction Fuzzy Hash: D2214975B002158FCB48EF78C4549AEB7F2AF88718B6144A9E506DB3B1DB35ED41CB90
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01735819, Relevance: .1, Instructions: 64COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 91f5b5b2993ff265104e785ffd9819a133534911f60949feea5ffe7eec670b7e
                                                                                • Instruction ID: cb892c601d146f8e69cd6631767c0f3884c5a8f211280dc96f6c2fc08677e2ea
                                                                                • Opcode Fuzzy Hash: 91f5b5b2993ff265104e785ffd9819a133534911f60949feea5ffe7eec670b7e
                                                                                • Instruction Fuzzy Hash: EB113230D043019FC7A28B38E8056EE7FF5EFC2220F0441AAC4189B212E7341C06CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01734B30, Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: f49170a95aba29f8ede4afb6d72c61c7c5ae3afef2c6f20534701e79e85a244f
                                                                                • Instruction ID: e237507c790347812513d9ebd39c36f9ef51cf3d36339fa5dc869ea42c877e49
                                                                                • Opcode Fuzzy Hash: f49170a95aba29f8ede4afb6d72c61c7c5ae3afef2c6f20534701e79e85a244f
                                                                                • Instruction Fuzzy Hash: 2111B271A042299BDB1CDBB5C4917EEB6F6EBC8304F504428C402E7790EF38AD04CBA5
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01734B2A, Relevance: .1, Instructions: 56COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 36cdc7064007f364e65b6f58cc26e5c3ab768929bb6fcc3ff873a45621d4f3c8
                                                                                • Instruction ID: 4df041fb4e2f7f26f41a42762130f5684fc8e2b1cd0b372aa01d61e5075abd93
                                                                                • Opcode Fuzzy Hash: 36cdc7064007f364e65b6f58cc26e5c3ab768929bb6fcc3ff873a45621d4f3c8
                                                                                • Instruction Fuzzy Hash: 4B11B231A042159BDB18DBA5C4917EDBAF6EBCC304F144429C406E77A0EB38AD05CBA1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01730698, Relevance: .0, Instructions: 39COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c08fbc20b957d872b1f69208b79f16dea18f6ccf16745dfeb362c167de6f6c38
                                                                                • Instruction ID: 2a609fef68eb0563c9dd72951d793b06c0ac458e1ae7d9ef02cd26d5719f02ff
                                                                                • Opcode Fuzzy Hash: c08fbc20b957d872b1f69208b79f16dea18f6ccf16745dfeb362c167de6f6c38
                                                                                • Instruction Fuzzy Hash: F0F0A430B003444FEB585774E51927F7769ABC0304F140069A942C72AADFACDC01C7D1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01735778, Relevance: .0, Instructions: 37COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 50a104731f5bf7a3795fdc0e960f4cfaaf14b591a01e3c032072c4c0e08b5cf6
                                                                                • Instruction ID: 633178bcbd1a587d065a1e1a86df8ba1ecfcefcdf35098001533c3e67fd8198b
                                                                                • Opcode Fuzzy Hash: 50a104731f5bf7a3795fdc0e960f4cfaaf14b591a01e3c032072c4c0e08b5cf6
                                                                                • Instruction Fuzzy Hash: 25F0B431700210AFC311AB39D8A8A7A7B99AFC86A5B144069E909CB351CE34DC01C7A0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01734D21, Relevance: .0, Instructions: 36COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 94bdde34529dea089f4780d93e8664aae0391f57826a014bc0d871d09e903d4a
                                                                                • Instruction ID: 0a04b174be31db8f8cced294874d71ff122f5300d99c826e740b14912650f283
                                                                                • Opcode Fuzzy Hash: 94bdde34529dea089f4780d93e8664aae0391f57826a014bc0d871d09e903d4a
                                                                                • Instruction Fuzzy Hash: B3F0B4352402048FC364CB35E85849EBFB9EFC9361720817AE405CB266DA748C06CBA0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01730610, Relevance: .0, Instructions: 36COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: c76c15cc997604524b4eb988a589fe5b61ffe15d340cc90527c21ac0297d727d
                                                                                • Instruction ID: 0fc1fae44c0eaffa0408275b6d74bb2e4310a313504c0582ac707917683471de
                                                                                • Opcode Fuzzy Hash: c76c15cc997604524b4eb988a589fe5b61ffe15d340cc90527c21ac0297d727d
                                                                                • Instruction Fuzzy Hash: 90F09072F001289FCB84EBBC881276E76E2EF88A14F104069D509DB395EF389D1187D1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 017306A8, Relevance: .0, Instructions: 35COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 50c40d826a432c1a63f9676f334d2dc63a1cbd1cacf52df5ff860ba6f2860a68
                                                                                • Instruction ID: 4dbc0bf0a5035afdeae19184ec812ec88a22d51145eadc0751a8bee9144fd721
                                                                                • Opcode Fuzzy Hash: 50c40d826a432c1a63f9676f334d2dc63a1cbd1cacf52df5ff860ba6f2860a68
                                                                                • Instruction Fuzzy Hash: D4F09030B042048FEB586778E52522F7799ABC4344F140069BA42C72AADFACEC41C7E1
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01734D30, Relevance: .0, Instructions: 27COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 86c2e74170386d4cafc8645ff5ffc96133e959b1b0a0aa330f7861339e821f4a
                                                                                • Instruction ID: 652228830da7e4f3d3044e838d74b21700cae5de9dbb0c529513a0613afafcff
                                                                                • Opcode Fuzzy Hash: 86c2e74170386d4cafc8645ff5ffc96133e959b1b0a0aa330f7861339e821f4a
                                                                                • Instruction Fuzzy Hash: DDE09B353001049FC354DF65E45899AF79DEFCC361B208039E509C3315DE709C058BE0
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01730FB0, Relevance: .0, Instructions: 27COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3cd881cb1a8830670e6ef708be30dd418a2a916fabe5a45ceea5059267f7ea86
                                                                                • Instruction ID: 5e2568f3f804670c8db48de63cf1934c04981d5eebfa2db0c9dd049959c6dc5b
                                                                                • Opcode Fuzzy Hash: 3cd881cb1a8830670e6ef708be30dd418a2a916fabe5a45ceea5059267f7ea86
                                                                                • Instruction Fuzzy Hash: F5F0F4B0640205CFCB04DFB0D059A68B7B5EF89308F2044A9D4069B3A1CB39AC05CF40
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01730B28, Relevance: .0, Instructions: 25COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 9e2d251368ade7b464a9877c294955938db02a5420e63a5ee31644c07fa04604
                                                                                • Instruction ID: e77699b2dc514f0328cf412a39002ad7d93c4c9187a4f6c36ad35d2c96018e18
                                                                                • Opcode Fuzzy Hash: 9e2d251368ade7b464a9877c294955938db02a5420e63a5ee31644c07fa04604
                                                                                • Instruction Fuzzy Hash: 2DE06530955248AFCB81DFB4E9010EDBBF9EF5A200B2085AAD808D7231E7351E098F91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Function 01730B38, Relevance: .0, Instructions: 16COMMON
                                                                                Download Yara Rule
                                                                                Memory Dump Source
                                                                                • Source File: 0000000A.00000002.703803232.0000000001730000.00000040.00000001.sdmp, Offset: 01730000, based on PE: false
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6df16c710b5e518094a1cf742214ac2b2a59a36490efd9ebbd172219e1d6232e
                                                                                • Instruction ID: 9b12f012d352f3ac1041ccf1265fb911675935f146d5f59d25ca768e26aa541f
                                                                                • Opcode Fuzzy Hash: 6df16c710b5e518094a1cf742214ac2b2a59a36490efd9ebbd172219e1d6232e
                                                                                • Instruction Fuzzy Hash: 4AD01770A0110CEF8B80EFA9E9404ADB7B9EB48204B2085AAD808D3220EB316E009F91
                                                                                Uniqueness

                                                                                Uniqueness Score: -1.00%

                                                                                Non-executed Functions