
Windows Analysis Report IDeVaZ8ESy.exe

Overview

General Information

Sample Name: IDeVaZ8ESy.exe
Analysis ID: 452411
MD5: b0876b8da9dcb8a3b22d2cbf2b6a4711
SHA1: 80e619da78e64bf6845f284c50bfacf17c55a274
SHA256: d6215a4b16d74db6dafc28a78f15885de77570347acfbac416f18b223ba08e26
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • IDeVaZ8ESy.exe (PID: 5976 cmdline: 'C:\Users\user\Desktop\IDeVaZ8ESy.exe' MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
    • IDeVaZ8ESy.exe (PID: 1384 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
    • IDeVaZ8ESy.exe (PID: 5056 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
      • schtasks.exe (PID: 6064 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • IDeVaZ8ESy.exe (PID: 5972 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe 0 MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
    • IDeVaZ8ESy.exe (PID: 1276 cmdline: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe MD5: B0876B8DA9DCB8A3B22D2CBF2B6A4711)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "0bb207a5-6f92-4ff1-abb5-35e0dc25", "Group": "AUGUST", "Domain1": "asweee.jumpingcrab.com", "Domain2": "tryweaswweee.ydns.eu", "Port": 8234, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "asweee.jumpingcrab.com", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Columns: Source, Rule, Description, Author, Strings
Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
    • 0x57b01:$x1: NanoCore.ClientPluginHost
    • 0x57b3e:$x2: IClientNetworkHost
    • 0x5b671:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp; Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>
    • 0x57869:$a: NanoCore
    • 0x57879:$a: NanoCore
    • 0x57aad:$a: NanoCore
    • 0x57ac1:$a: NanoCore
    • 0x57b01:$a: NanoCore
    • 0x578c8:$b: ClientPlugin
    • 0x57aca:$b: ClientPlugin
    • 0x57b0a:$b: ClientPlugin
    • 0x579ef:$c: ProjectData
    • 0x583f6:$d: DESCrypto
    • 0x59fab:$i: get_Connected
    • 0x5872c:$j: #=q
    • 0x5875c:$j: #=q
    • 0x58778:$j: #=q
    • 0x587a8:$j: #=q
    • 0x587c4:$j: #=q
    • 0x587e0:$j: #=q
    • 0x58810:$j: #=q
    • 0x5882c:$j: #=q
    • 0x58870:$j: #=q
    • 0x5888c:$j: #=q

Unpacked PEs

Columns: Source, Rule, Description, Author, Strings
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
    • 0xd9ad:$x1: NanoCore.ClientPluginHost
    • 0xd9da:$x2: IClientNetworkHost
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
    • 0xd9ad:$x2: NanoCore.ClientPluginHost
    • 0xea88:$s4: PipeCreated
    • 0xd9c7:$s5: IClientLoggingHost
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack; Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack; Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth
      • 0xf7ad:$x1: NanoCore.ClientPluginHost
      • 0x287b9:$x1: NanoCore.ClientPluginHost
      • 0xf7da:$x2: IClientNetworkHost
      • 0x287e6:$x2: IClientNetworkHost
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack; Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth
      • 0xf7ad:$x2: NanoCore.ClientPluginHost
      • 0x287b9:$x2: NanoCore.ClientPluginHost
      • 0x10888:$s4: PipeCreated
      • 0x29894:$s4: PipeCreated
      • 0xf7c7:$s5: IClientLoggingHost
      • 0x287d3:$s5: IClientLoggingHost

Sigma Overview

The same Sigma hit is reported under the categories AV Detection, E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Jbx Signature Overview


      AV Detection:

Found malware configuration
Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "0bb207a5-6f92-4ff1-abb5-35e0dc25", "Group": "AUGUST", "Domain1": "asweee.jumpingcrab.com", "Domain2": "tryweaswweee.ydns.eu", "Port": 8234, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "asweee.jumpingcrab.com", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; ReversingLabs: Detection: 32%
Multi AV Scanner detection for submitted file
Source: IDeVaZ8ESy.exe; Virustotal: Detection: 23%
Source: IDeVaZ8ESy.exe; Metadefender: Detection: 20%
Source: IDeVaZ8ESy.exe; ReversingLabs: Detection: 32%
Yara detected Nanocore RAT
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY
Source: Yara match; File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: IDeVaZ8ESy.exe; Joe Sandbox ML: detected
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: IDeVaZ8ESy.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: IDeVaZ8ESy.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49709 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49722 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49723 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49727 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49744 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49745 -> 37.0.8.214:8234
      Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 37.0.8.214:8234
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: tryweaswweee.ydns.eu
Source: Malware configuration extractor; URLs: asweee.jumpingcrab.com
Source: global traffic; TCP traffic: 192.168.2.3:49709 -> 37.0.8.214:8234
Source: unknown; DNS traffic detected: queries for: asweee.jumpingcrab.com
Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (same Yara match sources as listed under AV Detection above)

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.IDeVaZ8ESy.exe.2e09668.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Code function: 1_2_018CC224
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Code function: 1_2_018CE5E1
Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Code function: 1_2_018CE5F0
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 10_2_0091C224
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 10_2_0091E5F0
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 10_2_0091E5E2
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 10_2_06551600
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 10_2_06556FA8
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 10_2_0655410F
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 10_2_065515F0
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 10_2_07037FA0
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 12_2_0137E471
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 12_2_0137E480
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 12_2_0137BBD4
Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Code function: 12_2_01379EA8
      Source: IDeVaZ8ESy.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: IDeVaZ8ESy.exe.1.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: IDeVaZ8ESy.exe, 00000001.00000003.241816461.0000000007F51000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000001.00000002.259661598.0000000007A90000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNlljmbtp.dll" vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000001.00000003.238305194.000000000429A000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCdmugmphdzemkomhbdp.dllH vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000001.00000002.259352009.00000000078F0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000001.00000002.252510635.0000000003271000.00000004.00000001.sdmp, Binary or memory string: OriginalFilename vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000001.00000002.259331908.00000000078E0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenlsbres.dllj% vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000005.00000002.247120178.000000000032A000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000006.00000000.249621020.000000000092A000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 00000006.00000003.262207809.00000000010D7000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.301424388.0000000006A10000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000003.272026021.0000000003B2D000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameNlljmbtp.dll" vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000000.259450434.000000000017A000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.279145617.000000000093A000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.301092213.0000000006510000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282775886.0000000003591000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameCdmugmphdzemkomhbdp.dllH vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameclrjit.dllT vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilename vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000C.00000002.302461302.0000000005320000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000C.00000000.274586312.00000000009BA000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, Binary or memory string: OriginalFilenamenputty.exe0 vs IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
      YARA rule metadata for the matches listed below:
      Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 10.2.IDeVaZ8ESy.exe.2739974.1.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 12.2.IDeVaZ8ESy.exe.2e09668.2.raw.unpack, type: UNPACKEDPE, Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY, Matched rules: NanoCore
      Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY, Matched rules: NanoCore
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY, Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: IDeVaZ8ESy.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: IDeVaZ8ESy.exe.1.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs, Cryptographic APIs: 'CreateDecryptor'
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs, Cryptographic APIs: 'TransformFinalBlock'
      Source: classification engine, Classification label: mal100.troj.evad.winEXE@11/9@16/1
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IDeVaZ8ESy.exe.log
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{0bb207a5-6f92-4ff1-abb5-35e0dc25fe5d}
      Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:120:WilError_01
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe, File created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: IDeVaZ8ESy.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: IDeVaZ8ESy.exe, Virustotal: Detection: 23%
      Source: IDeVaZ8ESy.exe, Metadefender: Detection: 20%
      Source: IDeVaZ8ESy.exe, ReversingLabs: Detection: 32%
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe, File read: C:\Users\user\Desktop\IDeVaZ8ESy.exe
      Source: unknown, Process created: C:\Users\user\Desktop\IDeVaZ8ESy.exe 'C:\Users\user\Desktop\IDeVaZ8ESy.exe'
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe, Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe, Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown, Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe 0
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: Window Recorder, Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: IDeVaZ8ESy.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: IDeVaZ8ESy.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs, .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs, .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Code function: 10_2_06553A80 push es; ret 10_2_06553A90
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Code function: 10_2_065538BD push es; ret 10_2_065538C0
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Code function: 10_2_0703350E push edi; retf 10_2_07033511
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Code function: 10_2_070334C9 pushfd ; retf 10_2_070334CC
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs, High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs, High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe, File created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, File opened: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe, Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: IDeVaZ8ESy.exe, 00000001.00000002.252510635.0000000003271000.00000004.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Window / User API: threadDelayed 3532
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Window / User API: threadDelayed 5665
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Window / User API: foregroundWindowGot 633
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Window / User API: foregroundWindowGot 756
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe TID: 4736 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe TID: 5800 | Thread sleep time: -10145709240540247s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe TID: 2792 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe TID: 1236 | Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Thread delayed: delay time: 922337203685477
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
      Source: IDeVaZ8ESy.exe | Binary or memory string: O0PB48cIQE+Aahd/1wcPs5nkxCd3ttVD96nPUhBrCftt+ytj6cvcNmeDFcluzQy/p0Ha64AQYO16w0HKrg0qr\7g8bgP8Xu1h1nv9xcs8Fyehy6TwKJ6FeWfkcQLwPeXAxLK2tBpWVfX1z6gHOBOdSOCjr6Ct0VakG2jqVwRLvj9Ylh1kRgf3svkI0Fn\7QoePt/T3ZHgFso+OCTK5CkyBusGDQEIUIMHZ68DsDwYJT2NoBkByDrO8LQIfYCy8d2IAUp
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmp | Binary or memory string: vmware
      Source: IDeVaZ8ESy.exe | Binary or memory string: YYBYAAAEIANxuL4gAgAAAGMgfUTToVkgw9faTWGAWQAAB\7CC76T5QIPsF2iRhILtpL5phIC7sQpVhgFoAAAQgUiHGqmZlIFMhxqphgFsAAAQgenMfbyD3kvwFWCAEAAAAYiAQZ8BRYYBcAAAEID\7aIoItlIAQAAABjIHz3RQdhgF0AAAQgI+rDuCD+kzKnWSAlVpERYYBeAAAEIORvO5ZlIMAsawZhgF8AAAQgvS4RniDBMp55WSAyhFw\75WCAugM
      Source: IDeVaZ8ESy.exe | Binary or memory string: xGMLd4jB4kXoMR2iPOZ6vuQE10mq98lihjE0p\7cigdT8KCHhTKSSYuReIA7oXg85RsJdHIgHsBaZJ8Hr/E5eqWbiSTYim965lo0jpzjX//L6DJzwUv46CW7DHaWY7OKT592QSu/bTKq\7a9YYtjXr1X2MeuIt+oz3A6DuVu9zLPI9wnXuMcG0s4Y4KJFC0JW4bJOBc9giLBAXozcpc0a2fozV+qEMufcmI0+OnLfcentgntiUN\7FgHoLzYhFlswcSY
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282461490.000000000266F000.00000004.00000001.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
      Source: IDeVaZ8ESy.exe, 00000006.00000003.322069086.00000000010B8000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign process
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Memory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Memory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Memory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 400000
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Memory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 402000
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Memory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 420000
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Memory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: 422000
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Memory written: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe base: A3B008
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp'
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | Process created: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Users\user\Desktop\IDeVaZ8ESy.exe VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\IDeVaZ8ESy.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY
      Source: Yara match; File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: IDeVaZ8ESy.exe, 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: IDeVaZ8ESy.exe, 00000006.00000003.262207809.00000000010D7000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: IDeVaZ8ESy.exe, 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: IDeVaZ8ESy.exe, 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
      Source: IDeVaZ8ESy.exe, 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RAT
      Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df0614.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3df4c3d.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 12.2.IDeVaZ8ESy.exe.3deb7de.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 10.2.IDeVaZ8ESy.exe.3ad9e00.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match; File source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match; File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5972, type: MEMORY
      Source: Yara match; File source: Process Memory Space: IDeVaZ8ESy.exe PID: 5976, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection211 | Masquerading1 | Input Capture11 | Query Registry1 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery211 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection211 | NTDS | Virtualization/Sandbox Evasion21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol11 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing12 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

      Behavior Graph ID: 452411; Sample: IDeVaZ8ESy.exe; Startdate: 22/07/2021; Architecture: WINDOWS; Score: 100

      Start (node 2): asweee.jumpingcrab.com
        Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
        Started: IDeVaZ8ESy.exe (node 9); IDeVaZ8ESy.exe (node 13)
      IDeVaZ8ESy.exe (node 9)
        Dropped: C:\Users\user\AppData\...\IDeVaZ8ESy.exe (PE32); C:\Users\...\IDeVaZ8ESy.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\IDeVaZ8ESy.exe.log (ASCII)
        Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        Started: IDeVaZ8ESy.exe (node 15); IDeVaZ8ESy.exe (node 20)
      IDeVaZ8ESy.exe (node 13)
        Started: IDeVaZ8ESy.exe (node 22)
      IDeVaZ8ESy.exe (node 15)
        DNS/IP: asweee.jumpingcrab.com, 37.0.8.214, ports 49709, 49722, 49723, WKD-ASIE Netherlands
        Dropped: C:\Users\user\AppData\Roaming\...\run.dat (ISO-8859); C:\Users\user\AppData\Local\...\tmpBB0F.tmp (XML)
        Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
        Started: schtasks.exe (node 24)
      IDeVaZ8ESy.exe (node 20)
        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
      schtasks.exe (node 24)
        Started: conhost.exe (node 26)

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      IDeVaZ8ESy.exe | 24% | Virustotal |
      IDeVaZ8ESy.exe | 23% | Metadefender |
      IDeVaZ8ESy.exe | 32% | ReversingLabs | ByteCode-MSIL.Coinminer.BitCoinMiner
      IDeVaZ8ESy.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | 24% | Virustotal |
      C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | 23% | Metadefender |
      C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe | 32% | ReversingLabs | ByteCode-MSIL.Coinminer.BitCoinMiner

      Unpacked PE Files

      Source | Detection | Scanner | Label
      12.2.IDeVaZ8ESy.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      Source | Detection | Scanner | Label
      asweee.jumpingcrab.com | 4% | Virustotal |

      URLs

      Source | Detection | Scanner | Label
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
      http://www.tiro.com | 0% | URL Reputation | safe
      http://www.goodfont.co.kr | 0% | URL Reputation | safe
      asweee.jumpingcrab.com | 4% | Virustotal |
      asweee.jumpingcrab.com | 0% | Avira URL Cloud | safe
      http://www.carterandcone.coml | 0% | URL Reputation | safe
      http://www.sajatypeworks.com | 0% | URL Reputation | safe
      http://www.typography.netD | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
      http://fontfabrik.com | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
      tryweaswweee.ydns.eu | 2% | Virustotal |
      tryweaswweee.ydns.eu | 0% | Avira URL Cloud | safe
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
      http://www.sandoll.co.kr | 0% | URL Reputation | safe
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
      http://www.sakkal.com | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      asweee.jumpingcrab.com | 37.0.8.214 | true | true | | unknown

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      asweee.jumpingcrab.com | true | 4%, Virustotal; Avira URL Cloud: safe | unknown
      tryweaswweee.ydns.eu | true | 2%, Virustotal; Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.apache.org/licenses/LICENSE-2.0 | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
      http://www.fontbureau.com | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
      http://www.fontbureau.com/designersG | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
      http://www.fontbureau.com/designers/? | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
      http://www.founder.com.cn/cn/bThe | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers? | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
      http://www.tiro.com | IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers | IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
      http://www.goodfont.co.kr | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.carterandcone.coml | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.sajatypeworks.com | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.typography.netD | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.fontbureau.com/designers/cabarga.htmlN | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | | high
      http://www.founder.com.cn/cn/cThe | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://www.galapagosdesign.com/staff/dennis.htm | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
      http://fontfabrik.com | IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmp | false | URL Reputation: safe |
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://www.founder.com.cn/cnIDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.com/designers/frere-jones.htmlIDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmpfalse
                      high
                      http://www.jiyu-kobo.co.jp/IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.galapagosdesign.com/DPleaseIDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.com/designers8IDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmpfalse
                        high
                        http://www.fonts.comIDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmpfalse
                          high
                          http://www.sandoll.co.krIDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.urwpp.deDPleaseIDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.zhongyicts.com.cnIDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.sakkal.comIDeVaZ8ESy.exe, 00000001.00000002.256701758.00000000062C0000.00000002.00000001.sdmp, IDeVaZ8ESy.exe, 0000000A.00000002.298101613.0000000005510000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown

                          Contacted IPs

                          Public

IP:37.0.8.214
Domain:asweee.jumpingcrab.com
Country:Netherlands
ASN:198301
ASN Name:WKD-ASIE
Malicious:true

                          General Information

                          Joe Sandbox Version:33.0.0 White Diamond
                          Analysis ID:452411
                          Start date:22.07.2021
                          Start time:10:11:18
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 12m 57s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Sample file name:IDeVaZ8ESy.exe
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@11/9@16/1
                          EGA Information:Failed
                          HDC Information:Failed
                          HCA Information:
                          • Successful, ratio: 95%
                          • Number of executed functions: 97
                          • Number of non-executed functions: 2
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .exe
                          Warnings:
                          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.147.198.201, 13.88.21.125, 23.211.4.86, 40.88.32.150, 20.50.102.62, 173.222.108.226, 173.222.108.210, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.209.183
                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.

                          Simulations

                          Behavior and APIs

Time:10:12:13
Type:API Interceptor
Description:903x Sleep call for process: IDeVaZ8ESy.exe modified

Time:10:12:32
Type:Task Scheduler
Description:Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe" s>$(Arg0)

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASN

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IDeVaZ8ESy.exe.log
                          Process:C:\Users\user\Desktop\IDeVaZ8ESy.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):1119
                          Entropy (8bit):5.356708753875314
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                          MD5:3197B1D4714B56F2A6AC9E83761739AE
                          SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                          SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                          SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                          Malicious:true
                          Reputation:unknown
                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                          C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Process:C:\Users\user\Desktop\IDeVaZ8ESy.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):565248
                          Entropy (8bit):6.2839101385440355
                          Encrypted:false
                          SSDEEP:12288:3FBH6YCzj8MFiAInR2MDDT/lgCc+zElDiUQm:1/Czjli14m8ym
                          MD5:B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          SHA1:80E619DA78E64BF6845F284C50BFACF17C55A274
                          SHA-256:D6215A4B16D74DB6DAFC28A78F15885DE77570347ACFBAC416F18B223BA08E26
                          SHA-512:3B52E3ABA69434D0B13E26B359F28493C303593BFDB254D86D3F91F7BFDE8F318BB11FFB3A9EE26547EE389EF181EB61E863E2060F2A950F6EBF0AF94D26A146
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 24%
• Antivirus: Metadefender, Detection: 23%
                          • Antivirus: ReversingLabs, Detection: 32%
                          Reputation:unknown
                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t .`.................l...2......2.... ........@.. ....................................@....................................W.......</........................................................................... ............... ..H............text...8j... ...l.................. ..`.rsrc...</.......0...n..............@..@.reloc..............................@..B........................H........n..0....... ....1...=...........................................0.............-.&(....+.&+.*....0..........s....(....t.....-.&+......+.*....~....*..0..%........(.......-.&&...-.&&+.}....+.}....+.*....0..\........(.... .U...-.&.s.....,.&&(....~....%-/+.(....+.}....+.&~..........s....%.-.&+......+.o....*.0..).........s.....-.&..(....-.+..+..{.....o.....*.*....0..$.........(.....-.&.,.+..+..{.....o....&.*.*.0.............-.&{.......-.&o....+.&+.&+.*..0.............-.&{.
                          C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe:Zone.Identifier
                          Process:C:\Users\user\Desktop\IDeVaZ8ESy.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Reputation:unknown
                          Preview: [ZoneTransfer]....ZoneId=0
                          C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1311
                          Entropy (8bit):5.12366956692759
                          Encrypted:false
                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0aLxtn:cbk4oL600QydbQxIYODOLedq3BLj
                          MD5:48241E0061B6E8208F2B28FF3896C16B
                          SHA1:7A3C99770473C1F92E22D5CF3666E84F23815F10
                          SHA-256:2C2AF82671F7D1F7835E843CFFD29F4FA334B997649BA0E823A4C532B62DD6CC
                          SHA-512:CB9640388D552237FE1BAA52CEC19ABAD2E18FDFB229B43B0B42F5E42E86CA519F496F074F86BE3CD28428EDC8ACC6067099030FC7E3A64430B5500302AD0551
                          Malicious:true
                          Reputation:unknown
                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1856
                          Entropy (8bit):7.024371743172393
                          Encrypted:false
                          SSDEEP:48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCr
                          MD5:838CD9DBC78EA45A5406EAE23962086D
                          SHA1:C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
                          SHA-256:6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867
                          SHA-512:F7D25EF1FA6F50667DD6785CC774E0AA6BC52A2231FE96E7C59D14EFDFDDA076F6399288CF6EAC8EFA8A75727893432AA155DA0E392F8CD1F26C5C5871EAC6B5
                          Malicious:false
                          Reputation:unknown
                          Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:ISO-8859 text, with no line terminators
                          Category:dropped
                          Size (bytes):8
                          Entropy (8bit):3.0
                          Encrypted:false
                          SSDEEP:3:Zt:T
                          MD5:B298CDF095904A184461B5CF41DDBFD8
                          SHA1:7CD28EFCCF3896A7B1F29BD5FA141BCA4D987155
                          SHA-256:EB5E8C19784EECC2DCC1C974116E21E3E45A89331D8BE9F929CEB4F0120A7249
                          SHA-512:54C3E4B2E17403899C500FB01D2A2F97273B36A658145314FBE70BED2B8794F8398A39FD90D0C30AAAD4EB46251781A396551BADCE244DFE49D36171A010BE44
                          Malicious:true
                          Reputation:unknown
                          Preview: ..l.3M.H
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):40
                          Entropy (8bit):5.153055907333276
                          Encrypted:false
                          SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                          MD5:4E5E92E2369688041CC82EF9650EDED2
                          SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                          SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                          SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                          Malicious:false
                          Reputation:unknown
                          Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):327432
                          Entropy (8bit):7.99938831605763
                          Encrypted:true
                          SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                          MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                          SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                          SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                          SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                          Malicious:false
                          Reputation:unknown
                          Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                          Process:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):48
                          Entropy (8bit):4.55404701206774
                          Encrypted:false
                          SSDEEP:3:oNWXp5cViE2J5xAIs6AC:oNWXp+N23fz
                          MD5:6A1470C263611221341BBA42E51B85CE
                          SHA1:9F136F89C8F6C8D9238AD5BC4BE00662B7C8BDDC
                          SHA-256:771EAEEC47531B823EADBCD3E95EA80AA1D634848CA506B23FE3884C0279C7EE
                          SHA-512:3BA49F78789234C6BC16E5FD7FF9D693B342AF30B3829A46438A30818DEAC00F71F4FA98538EDA74ABA21CF868ED947E1E3C2A833567D6E71D0BBBE17126BFB4
                          Malicious:false
                          Reputation:unknown
                          Preview: C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):6.2839101385440355
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:IDeVaZ8ESy.exe
                          File size:565248
                          MD5:b0876b8da9dcb8a3b22d2cbf2b6a4711
                          SHA1:80e619da78e64bf6845f284c50bfacf17c55a274
                          SHA256:d6215a4b16d74db6dafc28a78f15885de77570347acfbac416f18b223ba08e26
                          SHA512:3b52e3aba69434d0b13e26b359f28493c303593bfdb254d86d3f91f7bfde8f318bb11ffb3a9ee26547ee389ef181eb61e863e2060f2a950f6ebf0af94d26a146
                          SSDEEP:12288:3FBH6YCzj8MFiAInR2MDDT/lgCc+zElDiUQm:1/Czjli14m8ym
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t .`.................l...2......2.... ........@.. ....................................@................................

                          File Icon

                          Icon Hash:499669d8d82916a8

                          Static PE Info

                          General

                          Entrypoint:0x488a32
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Time Stamp:0x60F82074 [Wed Jul 21 13:26:12 2021 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:v4.0.30319
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x889d8 | 0x57 | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x2f3c | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8e000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                          Sections

                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0x86a38 | 0x86c00 | False | 0.746072008349 | data | 6.20385416645 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x8a000 | 0x2f3c | 0x3000 | False | 0.69677734375 | data | 6.71663956615 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x8e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          Name | RVA | Size | Type | Language | Country
                          RT_ICON | 0x8a1f0 | 0x1b8e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                          RT_ICON | 0x8bd80 | 0x668 | dBase III DBT, version number 0, next free block index 40 | |
                          RT_ICON | 0x8c3e8 | 0x2e8 | data | |
                          RT_ICON | 0x8c6d0 | 0x1e8 | data | |
                          RT_ICON | 0x8c8b8 | 0x128 | GLS_BINARY_LSB_FIRST | |
                          RT_GROUP_ICON | 0x8c9e0 | 0x4c | data | |
                          RT_VERSION | 0x8ca2c | 0x35c | data | |
                          RT_MANIFEST | 0x8cd88 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

                          Imports

                          DLL | Import
                          mscoree.dll | _CorExeMain

                          Version Infos

                          Description | Data
                          Translation | 0x0000 0x04b0
                          LegalCopyright | (C) 2021 AnyDesk Software GmbH
                          Assembly Version | 6.3.2.0
                          InternalName | nputty.exe
                          FileVersion | 6.3.2.0
                          CompanyName | AnyDesk Software GmbH
                          LegalTrademarks |
                          Comments | AnyDesk
                          ProductName | AnyDesk
                          ProductVersion | 6.3.2.0
                          FileDescription | AnyDesk
                          OriginalFilename | nputty.exe

                          Network Behavior

                          Snort IDS Alerts

                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          07/22/21-10:12:33.217914 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49709 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:12:40.509972 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49722 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:12:48.555142 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49723 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:12:55.373984 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49727 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:13:02.137554 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49730 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:13:09.462872 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49731 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:13:16.164647 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49733 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:13:23.046489 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49736 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:13:31.366337 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49737 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:13:38.273686 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49738 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:13:44.446402 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49739 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:13:51.623633 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49741 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:13:57.692526 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49743 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:14:05.154406 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49744 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:14:12.712032 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49745 | 8234 | 192.168.2.3 | 37.0.8.214
                          07/22/21-10:14:18.043589 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49746 | 8234 | 192.168.2.3 | 37.0.8.214

                          Network Port Distribution

                          TCP Packets

                          Jul 22, 2021 10:12:33.908257961 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.908282995 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.910691977 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910737991 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910744905 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910748959 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910752058 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910754919 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910758018 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910761118 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910763979 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910768032 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910772085 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910774946 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910778046 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910780907 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910784006 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910789013 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910792112 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910794973 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910798073 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910800934 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910804033 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910808086 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910810947 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.910814047 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.965478897 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.967989922 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968049049 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968075037 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968099117 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968122005 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968141079 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.968148947 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968170881 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.968172073 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968223095 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.968518019 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968552113 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968573093 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968594074 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968615055 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968636990 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.968647957 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968657970 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.968676090 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968702078 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968710899 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.968729019 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968758106 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968784094 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968792915 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.968810081 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968826056 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.968836069 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968863010 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968867064 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.968888044 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968910933 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968919992 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.968934059 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968955994 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968978882 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.968983889 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969005108 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969031096 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969033003 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969057083 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969074011 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969082117 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969106913 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969106913 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969126940 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969151974 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969155073 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969178915 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969203949 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969203949 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969227076 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969250917 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969264984 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969273090 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969296932 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969309092 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969320059 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969342947 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969355106 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969369888 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969396114 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969402075 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969419003 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969441891 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969455957 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969466925 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969491005 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:33.969499111 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:33.969567060 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:34.021368027 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021418095 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021446943 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021472931 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021497011 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021522999 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021543026 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:34.021547079 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021570921 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021581888 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:34.021595955 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021617889 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021646976 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:34.021662951 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021667004 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021678925 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021697044 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021708012 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:34.021723032 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021745920 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:34.021848917 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:34.133470058 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:34.209153891 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:35.136490107 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:35.224807024 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:35.866909027 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:35.947299004 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:36.153959990 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:36.216563940 CEST82344970937.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:36.216677904 CEST497098234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:40.456368923 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:40.509280920 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:40.509391069 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:40.509972095 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:40.584168911 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:40.588489056 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:40.588800907 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:40.642069101 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:40.650918961 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:40.757668018 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:40.904834032 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:40.948123932 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:41.002037048 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:41.058469057 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:41.381287098 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:41.474980116 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:41.532376051 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:41.615401983 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:41.615502119 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:41.680283070 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:41.729260921 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:41.781976938 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:41.834382057 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:41.933330059 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:42.021897078 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:42.023580074 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:42.116370916 CEST82344972237.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:42.564363003 CEST497228234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:48.501607895 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:48.554249048 CEST82344972337.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:48.554379940 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:48.555141926 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:48.630079031 CEST82344972337.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:48.635567904 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:48.695219994 CEST82344972337.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:48.737798929 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:48.855087996 CEST82344972337.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:48.986593962 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:49.216451883 CEST82344972337.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:49.221452951 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:49.309293985 CEST82344972337.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:49.388415098 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:49.443574905 CEST82344972337.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:49.445324898 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:49.502182007 CEST82344972337.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:49.503587961 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:49.740422964 CEST82344972337.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:50.084976912 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:50.245592117 CEST82344972337.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:51.043617010 CEST497238234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:55.319725037 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:55.373138905 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:55.373260975 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:55.373984098 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:55.443593025 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:55.448894978 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:55.449376106 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:55.506647110 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:55.507741928 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:55.584475040 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:55.746862888 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:55.748970985 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:55.819593906 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:55.834590912 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:55.886761904 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:55.887676954 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:55.940078020 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:55.997670889 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:55.997873068 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:56.056538105 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:56.108736992 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:56.115104914 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:56.209438086 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:56.209928036 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:56.305356026 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:56.432360888 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:56.480674028 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:56.535932064 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:56.589935064 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:56.935534954 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:12:57.037349939 CEST82344972737.0.8.214192.168.2.3
                          Jul 22, 2021 10:12:57.952455997 CEST497278234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:02.083486080 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:02.136353970 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:02.137247086 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:02.137553930 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:02.224838972 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:02.236769915 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:02.278028965 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:02.288077116 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:02.342358112 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:02.373363972 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:02.460531950 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:02.742835045 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:02.745858908 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:02.827271938 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:02.871840000 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:02.924783945 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:02.925297022 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:02.979780912 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:02.979866982 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:03.033001900 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:03.045425892 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:03.131102085 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:03.132153034 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:03.227508068 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:04.120074034 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:04.211862087 CEST82344973037.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:05.307415009 CEST497308234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:09.405265093 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:09.458331108 CEST82344973137.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:09.461184978 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:09.462872028 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:09.536376953 CEST82344973137.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:09.536767006 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:09.590473890 CEST82344973137.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:09.594718933 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:09.662437916 CEST82344973137.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:09.870315075 CEST82344973137.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:09.871361017 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:09.925674915 CEST82344973137.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:09.929240942 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:09.982259989 CEST82344973137.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:09.985471964 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:10.043432951 CEST82344973137.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:10.043534994 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:10.097280025 CEST82344973137.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:10.138180017 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:10.889271975 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:10.990958929 CEST82344973137.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:11.888684034 CEST497318234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.110301018 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.163434029 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:16.163749933 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.164647102 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.241765976 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:16.245321035 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:16.256774902 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.316319942 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:16.388561010 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.401581049 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.497652054 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:16.621668100 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:16.685527086 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.729826927 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.739797115 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:16.821513891 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:16.824393034 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.887690067 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:16.921761036 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:16.974550009 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:17.185520887 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:17.835727930 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:17.913914919 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:18.022239923 CEST82344973337.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:18.890655041 CEST497338234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:22.990506887 CEST497368234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:23.044296026 CEST82344973637.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:23.045726061 CEST497368234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:23.046489000 CEST497368234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:23.115423918 CEST82344973637.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:23.230598927 CEST82344973637.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:23.230962992 CEST497368234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:23.284347057 CEST82344973637.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:23.287828922 CEST497368234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:23.365438938 CEST82344973637.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:23.493196964 CEST82344973637.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:23.494594097 CEST497368234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:23.547302008 CEST82344973637.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:23.549181938 CEST497368234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:23.606751919 CEST82344973637.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:23.608089924 CEST497368234192.168.2.337.0.8.214
                          Jul 22, 2021 10:13:23.663173914 CEST82344973637.0.8.214192.168.2.3
                          Jul 22, 2021 10:13:23.793562889 CEST497368234192.168.2.337.0.8.214

                          UDP Packets


                          DNS Queries


                          DNS Answers


                          Code Manipulations

                          Statistics

                          CPU Usage

                          Memory Usage

                          High Level Behavior Distribution

                          Behavior

                          System Behavior

                          General

                          Start time: 10:12:11
                          Start date: 22/07/2021
                          Path: C:\Users\user\Desktop\IDeVaZ8ESy.exe
                          Wow64 process (32bit): true
                          Commandline: 'C:\Users\user\Desktop\IDeVaZ8ESy.exe'
                          Imagebase: 0xea0000
                          File size: 565248 bytes
                          MD5 hash: B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.253550747.00000000043C7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.253253129.0000000004327000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation: low

                          General

                          Start time:10:12:25
                          Start date:22/07/2021
                          Path:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Imagebase:0x2a0000
                          File size:565248 bytes
                          MD5 hash:B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 24%, Virustotal
                          • Detection: 23%, Metadefender
                          • Detection: 32%, ReversingLabs
                          Reputation:low

                          General

                          Start time:10:12:27
                          Start date:22/07/2021
                          Path:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Imagebase:0x8a0000
                          File size:565248 bytes
                          MD5 hash:B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:low

                          General

                          Start time:10:12:30
                          Start date:22/07/2021
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBB0F.tmp'
                          Imagebase:0x930000
                          File size:185856 bytes
                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
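
The task the sample registers above (`schtasks.exe /create /f /tn 'DHCP Monitor' /xml '...\tmpBB0F.tmp'`) survives on disk as a Task Scheduler XML definition under C:\Windows\System32\Tasks, so the persistence can be hunted by parsing those definitions rather than by catching the one-off schtasks.exe invocation. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample. The report does not reproduce tmpBB0F.tmp, so the task XML embedded here is constructed to match the command line (task name 'DHCP Monitor', payload in %TEMP%) and is an assumption about that file's shape; the lure-word list and the set of user-writable directories are heuristics of my own, not something the report states.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every Task Scheduler 2.0 definition (schtasks /xml input
# and the files under C:\Windows\System32\Tasks).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic (assumption): locations a standard user can write to. A task whose
# action runs from here was not installed from Program Files or by SYSTEM.
USER_WRITABLE = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|documents)\\", re.I),
    re.compile(r"^[a-z]:\\programdata\\", re.I),
    re.compile(r"^[a-z]:\\windows\\temp\\", re.I),
]

# Heuristic (assumption): words malware favours in task names to blend in.
LURE_WORDS = ("dhcp", "dns", "windows", "update", "monitor", "defender", "service")


def _text(node, path):
    child = node.find(path, TASK_NS)
    return (child.text or "").strip() if child is not None else ""


def triage_task_xml(task_name, xml_text):
    """Return a list of findings for one task definition; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = _text(exec_node, "t:Command").strip('"')
        if any(rx.match(cmd) for rx in USER_WRITABLE):
            findings.append(f"action runs from user-writable path: {cmd}")
        if any(w in task_name.lower() for w in LURE_WORDS) and not cmd.lower().startswith("c:\\windows\\"):
            findings.append(f"system-sounding task name '{task_name}' but command outside C:\\Windows: {cmd}")
    if _text(root, ".//t:Settings/t:Hidden").lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    if root.find(".//t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        findings.append("runs at every logon")
    if _text(root, ".//t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("requests highest available privilege")
    return findings


# Constructed sample (assumption): modelled on the schtasks command line in the
# report; the real tmpBB0F.tmp is not reproduced there.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\\Users\\user\\AppData\\Local\\Temp\\IDeVaZ8ESy.exe"</Command><Arguments>$(Arg0)</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed benign task for contrast: scheduled trigger, binary under C:\Windows.
CLEAN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml_text in (("DHCP Monitor", SAMPLE_TASK_XML), ("SilentCleanup", CLEAN_TASK_XML)):
        print(name, "->", triage_task_xml(name, xml_text) or ["clean"])
```

Run the same function over every file in C:\Windows\System32\Tasks (they are plain XML, UTF-16 encoded, so decode before parsing) to sweep a host; the path-based check is the one that survives a renamed task, since the payload still has to live somewhere the user could write.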

                          General

                          Start time:10:12:30
                          Start date:22/07/2021
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6b2800000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          General

                          Start time:10:12:32
                          Start date:22/07/2021
                          Path:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe 0
                          Imagebase:0xf0000
                          File size:565248 bytes
                          MD5 hash:B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.282656161.00000000026F2000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.286367927.0000000003AD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low

                          General

                          Start time:10:12:39
                          Start date:22/07/2021
                          Path:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Local\Temp\IDeVaZ8ESy.exe
                          Imagebase:0x930000
                          File size:565248 bytes
                          MD5 hash:B0876B8DA9DCB8A3B22D2CBF2B6A4711
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, Author: Joe Security
                          • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.300993191.0000000002DA1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                          Reputation:low
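
The Yara hits in the process listing above are keyed by Joe Sandbox memory-dump identifiers, and two of their fields carry the information that matters for triage: the region's base address and its page protection. That is what separates the match at 0x402000 with protection 0x40 (PAGE_EXECUTE_READWRITE, the first section of an unpacked image mapped at the default 0x400000 image base) from the matches in 0x04 (PAGE_READWRITE) heap regions, which hold the decrypted payload or configuration rather than executing code. The Python below is an added example, not part of the report. The field layout it assumes for the identifier (process index, phase, sequence, base address, protection, flags) is inferred from the names in this report and is an assumption beyond the base-address and protection fields; the protection values are decoded with the documented winnt.h PAGE_* constants, and the input lines are copied from the listings above.

```python
import re
from collections import defaultdict

# winnt.h memory-protection constants. The low byte is the base protection;
# higher bits are modifiers such as PAGE_GUARD (0x100) and are masked off.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Assumed field layout of a Joe Sandbox dump name, inferred from the identifiers
# in this report; only the base-address and protection fields are relied on:
#   <process index>.<phase>.<sequence>.<base address>.<protection>.<flags>.sdmp
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\.sdmp",
    re.I,
)
# One "• Rule: ..., Description: ..., Source: ..., Author: ..." line of the report.
YARA_LINE_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<source>\S+\.sdmp)")


def parse_dump_name(name):
    """Decode one dump identifier into (process index, base address, protection)."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"not a dump identifier: {name}")
    return int(m["proc"], 16), int(m["base"], 16), int(m["protect"], 16)


def describe_protect(protect):
    return PAGE_PROTECT.get(protect & 0xFF, f"unknown(0x{protect:x})")


def triage_yara_hits(lines):
    """Group Yara hits by (process, region) and classify each region by its protection."""
    regions = defaultdict(set)  # (proc, base, protect) -> {rule names}
    for line in lines:
        m = YARA_LINE_RE.search(line)
        if not m:
            continue
        proc, base, protect = parse_dump_name(m["source"])
        regions[(proc, base, protect)].add(m["rule"].strip())

    findings = []
    for (proc, base, protect), rules in sorted(regions.items()):
        p = protect & 0xFF
        if p in EXECUTABLE and p in WRITABLE:
            kind = "code in writable+executable memory (unpacked/injected image)"
        elif p in WRITABLE:
            kind = "data in read-write memory (decrypted payload or config)"
        else:
            kind = "read-only or execute-only mapping"
        findings.append(
            f"process#{proc:x} base=0x{base:08x} {describe_protect(protect)}: {kind}; "
            f"rules={', '.join(sorted(rules))}"
        )
    return findings


# Yara match lines copied from the process listing above (processes 0xA and 0xC).
REPORT_YARA_LINES = [
    "• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth",
    "• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.298170775.0000000000402000.00000040.00000001.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.301106793.0000000003DA9000.00000004.00000001.sdmp, Author: Joe Security",
    "• Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.284916631.0000000003A3A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>",
]


if __name__ == "__main__":
    for finding in triage_yara_hits(REPORT_YARA_LINES):
        print(finding)
```

The region that deserves the unpacking effort is the PAGE_EXECUTE_READWRITE one at 0x402000 in the last process: a .NET loader that allocates RWX memory and maps a PE there is exactly the "Injects a PE file into a foreign processes" / ".NET source code contains potential unpacker" pair of signatures the report raises, and dumping that region (rather than the PAGE_READWRITE heap hits) is what yields the NanoCore client for static analysis.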

                          Disassembly

                          Code Analysis


                            Executed Functions

                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d17411f09be44d6e5cb67f304c9638486928a6a3779171528b8da644a5a5e00c
                            • Instruction ID: 5d499bfe2d9fb400be200ddc0c298e3af677ac65a7c03387b14a6b848e7f6164
                            • Opcode Fuzzy Hash: d17411f09be44d6e5cb67f304c9638486928a6a3779171528b8da644a5a5e00c
                            • Instruction Fuzzy Hash: B7C138B99117468BD730DF64E8881897BF1FB8532CF504308D2616FAD9D7B8168ACF84
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 018CB768
                            • GetCurrentThread.KERNEL32 ref: 018CB7A5
                            • GetCurrentProcess.KERNEL32 ref: 018CB7E2
                            • GetCurrentThreadId.KERNEL32 ref: 018CB83B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID: 6nk
                            • API String ID: 2063062207-2398489689
                            • Opcode ID: 0b6dd24665775b46aa87519e67d5bbe420397330cdb243881ab70b48af81e99b
                            • Instruction ID: 4c46782beded7341d74dafb2bb8366e5ca45211bfb40a0263e04788052f5c301
                            • Opcode Fuzzy Hash: 0b6dd24665775b46aa87519e67d5bbe420397330cdb243881ab70b48af81e99b
                            • Instruction Fuzzy Hash: AD5143B09007498FDB54CFAAD588BAEBBF4AB48314F24805DE519A7360D734A948CB65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 018CB768
                            • GetCurrentThread.KERNEL32 ref: 018CB7A5
                            • GetCurrentProcess.KERNEL32 ref: 018CB7E2
                            • GetCurrentThreadId.KERNEL32 ref: 018CB83B
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID: 6nk
                            • API String ID: 2063062207-2398489689
                            • Opcode ID: 5dd5703a2d69d11e88f2c8d81e37906f317379ff54e8ad28df66e37c85f5dba9
                            • Instruction ID: 0557cc9e63888f732a54ef984bab548ecb557f3a99c393bdebaca0703f6127b4
                            • Opcode Fuzzy Hash: 5dd5703a2d69d11e88f2c8d81e37906f317379ff54e8ad28df66e37c85f5dba9
                            • Instruction Fuzzy Hash: AA5133B09007498FDB64CFAAD588BAEBBF0BF89314F24845DE519A7360D7349948CF25
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018CFE8A
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID: 6nk$6nk
                            • API String ID: 716092398-2463590369
                            • Opcode ID: c1eacfc7603e57eebb613bddc26bd4eb0ef0e945132a04cf3eb642883ccd57e1
                            • Instruction ID: 60ce10321abfa45868a33bf1ca51c7df6d454a7112aa4893fafe972f164808a9
                            • Opcode Fuzzy Hash: c1eacfc7603e57eebb613bddc26bd4eb0ef0e945132a04cf3eb642883ccd57e1
                            • Instruction Fuzzy Hash: 97419FB1D003099FDB14CFAAD984ADEBFB6BF48714F24812EE919AB210D7749945CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 018C9656
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID: 6nk
                            • API String ID: 4139908857-2398489689
                            • Opcode ID: 601ae84e9f3e0fbb338bb8be9736326d4252cd45542f1a2bf8b49c79fdf7caaa
                            • Instruction ID: e313ff238f30083befa0b796ecde0245ced845ef8c5dc1a9de7235a4f17184fe
                            • Opcode Fuzzy Hash: 601ae84e9f3e0fbb338bb8be9736326d4252cd45542f1a2bf8b49c79fdf7caaa
                            • Instruction Fuzzy Hash: 8C7135B0A00B058FD764CF69D0447AABBF5BF88718F00896DE54ADBA40D735EA09CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 018C5411
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID: Create
                            • String ID: 6nk
                            • API String ID: 2289755597-2398489689
                            • Opcode ID: 3a8efbecbb2de5ddc6b9c5248d4945679a6a9cca7305ce95c0ddd19ba3e67756
                            • Instruction ID: ffbce4989af4c6a13854f0a782eea26ff664d530495211a01b595a773534b9b1
                            • Opcode Fuzzy Hash: 3a8efbecbb2de5ddc6b9c5248d4945679a6a9cca7305ce95c0ddd19ba3e67756
                            • Instruction Fuzzy Hash: 0641C0B0E0061CCBDB24CFA9C884B9DFBB5BF49709F20806AD508AB251DB756A45CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 018C5411
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID: Create
                            • String ID: 6nk
                            • API String ID: 2289755597-2398489689
                            • Opcode ID: 601e43e58ab46042a34b1b2b12ceb7aa3af8365d321a19f79044c35115e651dd
                            • Instruction ID: 0f8c7d3f3a9ebc53a074a023fa52c11efcc2fbe131bc9398ea75535d021979aa
                            • Opcode Fuzzy Hash: 601e43e58ab46042a34b1b2b12ceb7aa3af8365d321a19f79044c35115e651dd
                            • Instruction Fuzzy Hash: 5341C1B0D00618CFDB24CFA9C884BDEFBB5BF89308F20806AD508AB251D7756945CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018CB9B7
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID: 6nk
                            • API String ID: 3793708945-2398489689
                            • Opcode ID: 31f8d6b3cbb36cd0536309487bcf0eb92ae905e3198d34f6a0efe8fc853115a7
                            • Instruction ID: 03ac6254c363d8ed85c87f1b9e9c04f309b1277d4c7f425bbf2522730b24561b
                            • Opcode Fuzzy Hash: 31f8d6b3cbb36cd0536309487bcf0eb92ae905e3198d34f6a0efe8fc853115a7
                            • Instruction Fuzzy Hash: AA21C4B59002189FDB10CFAAD585ADEBBF4EF48324F14841AE954A7310D374AA54CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018C96D1,00000800,00000000,00000000), ref: 018C98E2
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID: 6nk
                            • API String ID: 1029625771-2398489689
                            • Opcode ID: 9ec08a5ec1ba07674d97f83b7cae7817560d87643d00790768e4bbb54ac9d6c9
                            • Instruction ID: 8f19beb7d5cc693185d6111d123af58823387070a2c2364cf9f17362b71027d3
                            • Opcode Fuzzy Hash: 9ec08a5ec1ba07674d97f83b7cae7817560d87643d00790768e4bbb54ac9d6c9
                            • Instruction Fuzzy Hash: 2F11F4B5D00209CFDB10CF9AC484AEEBBF4EB48714F14846EE515A7200C774AA45CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 018C9656
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID: 6nk
                            • API String ID: 4139908857-2398489689
                            • Opcode ID: f9a1b014b5d3bcf52f2eee5cc31f4914e48c13856ba6b081e3fffb0a5aac4f04
                            • Instruction ID: 816a912b8d62f0b435a12ef3aec490e873bce4a08f328c849ec459f48b920ef7
                            • Opcode Fuzzy Hash: f9a1b014b5d3bcf52f2eee5cc31f4914e48c13856ba6b081e3fffb0a5aac4f04
                            • Instruction Fuzzy Hash: 66110FB1D006498FDB10CF9AC444BDEFBF4AB88328F10845AD529A7640C378A645CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.251836972.00000000015DD000.00000040.00000001.sdmp, Offset: 015DD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6b71b2ae48ba9ce31c2a79b70c59564fae333b55e79aea635553aeea0de30d74
                            • Instruction ID: c75f50d80f808723a74835d307b8cd445d1a464d7c22a7fe0587c06de6c42f35
                            • Opcode Fuzzy Hash: 6b71b2ae48ba9ce31c2a79b70c59564fae333b55e79aea635553aeea0de30d74
                            • Instruction Fuzzy Hash: E42106B1504244DFDB21CF98D9C0B5ABBB5FB88324F248569E9054F286C376E846C7A2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.251836972.00000000015DD000.00000040.00000001.sdmp, Offset: 015DD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2b2615f27edb4737e9ddd5b7a55b922fbc48a4f5ca1717b76d885f99ada7efb3
                            • Instruction ID: 1e4c73f7d9a5e6ffe7c498de13fbad085eff9c456903fb6d27aba0324325cd1f
                            • Opcode Fuzzy Hash: 2b2615f27edb4737e9ddd5b7a55b922fbc48a4f5ca1717b76d885f99ada7efb3
                            • Instruction Fuzzy Hash: 45212871504240DFDB21DF98D9C0B2BBFB5FB88318F248969E9050F286C336D845CBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.251882841.00000000015ED000.00000040.00000001.sdmp, Offset: 015ED000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 14c9500ea8dac0fff0fcdd274c21267a00f404617bce12a46248deb186a0c4f1
                            • Instruction ID: 2e2201b2ca9453dfcc238eb18be09fcb939d847f504de711df445913dce24c01
                            • Opcode Fuzzy Hash: 14c9500ea8dac0fff0fcdd274c21267a00f404617bce12a46248deb186a0c4f1
                            • Instruction Fuzzy Hash: CC21E0759042449FCB19CF94D488B1ABFB5FB84254F28C969E8094F246D33AD846CA61
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.251882841.00000000015ED000.00000040.00000001.sdmp, Offset: 015ED000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b35dbd822f4da898cbd4e186355e8d3c131efd1555a458b990075ca923870e97
                            • Instruction ID: 245b1be96622e526425c8e6fa9fbfc536aa6b634097bb2772e0fed0f1f5210f2
                            • Opcode Fuzzy Hash: b35dbd822f4da898cbd4e186355e8d3c131efd1555a458b990075ca923870e97
                            • Instruction Fuzzy Hash: 002138B1904340DFD709DF58D5C8B1EBBF5FB88614F24896DD4494F246C336D805C662
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.251882841.00000000015ED000.00000040.00000001.sdmp, Offset: 015ED000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4be3523a9afbf70f065b7026456fedb977b8cf168bad26ee8fc2c926a31fa702
                            • Instruction ID: 49d5a5a1fb84e51009a1916acbf19fb13a6d03170aeae8d103261ab18e491e2e
                            • Opcode Fuzzy Hash: 4be3523a9afbf70f065b7026456fedb977b8cf168bad26ee8fc2c926a31fa702
                            • Instruction Fuzzy Hash: 512180755093808FCB06CF24D594715BFB1FB46214F28C5DAD8498F657C33A984ACB62
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.251836972.00000000015DD000.00000040.00000001.sdmp, Offset: 015DD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                            • Instruction ID: 1930d6244e7c70123ad82b5e921fa0d7dd6c5d52a4b604f672155a7689ce4617
                            • Opcode Fuzzy Hash: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                            • Instruction Fuzzy Hash: 7B11D376404280DFCB12CF58D5C4B1ABF71FB84324F24C6A9D8450F656C33AD45ACBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.251836972.00000000015DD000.00000040.00000001.sdmp, Offset: 015DD000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                            • Instruction ID: b7edf89b364923ef36a171c59fd36b144fa7832a73cf160ea9ad3ecef6465849
                            • Opcode Fuzzy Hash: 0d8a9d817077d39d9fad6da2ff2e5526acd16db30dd6086573c8171f784580f2
                            • Instruction Fuzzy Hash: 7B11E172404280DFCB12CF48D5C4B5ABF71FB84324F24C2A9D8090F656C33AE45ACBA2
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.251882841.00000000015ED000.00000040.00000001.sdmp, Offset: 015ED000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 34c0d75a25d4e1baa7574c8e2ee5148d9d259b71df7d0cf408280cc09e70b47c
                            • Instruction ID: 0c17260471aacd11469d54702c6636b4981d6a20eca8f38b34054f36bc439a5d
                            • Opcode Fuzzy Hash: 34c0d75a25d4e1baa7574c8e2ee5148d9d259b71df7d0cf408280cc09e70b47c
                            • Instruction Fuzzy Hash: 6711C176904680CFDB16CF14D58871AFBB1FB88224F24C6AAD8484B646C339D44ACB92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2e5c3473f6da8d1733f2ffd4de46c6ff7c4fb349275b6d05bd410db60c299ac1
                            • Instruction ID: 470d3ee287030bcb053454b8260eaf3ee46e00e19ff1d2fddee3feb798515e3d
                            • Opcode Fuzzy Hash: 2e5c3473f6da8d1733f2ffd4de46c6ff7c4fb349275b6d05bd410db60c299ac1
                            • Instruction Fuzzy Hash: B01290F94117468BE730DF65F9982893BF1B78532CB904208D2612FAD9D7B8178ACF94
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 00000001.00000002.252045504.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4e1ca04cd03dd02aa6c87a7f1404c0fb47f02a246084349ca7972007b376fc02
                            • Instruction ID: c0d70a7ca82813b7d907963ada02f4c5ef742416e61f0fd33253c1d08628ee5a
                            • Opcode Fuzzy Hash: 4e1ca04cd03dd02aa6c87a7f1404c0fb47f02a246084349ca7972007b376fc02
                            • Instruction Fuzzy Hash: 8CA14032E0021A8FCF15DFA9C8445DEBBB2FF95700B15856AE909EB265DB71DA05CF80
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Executed Functions

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0091B768
                            • GetCurrentThread.KERNEL32 ref: 0091B7A5
                            • GetCurrentProcess.KERNEL32 ref: 0091B7E2
                            • GetCurrentThreadId.KERNEL32 ref: 0091B83B
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 8bcc28a04bb88748f31fcbdba0b7e888ce895e578c27c8aab36e34bd55d4832a
                            • Instruction ID: e52eb4a75d18a8168101c5bbf46649d0b555db93f649ba497bafee26c9ed8e76
                            • Opcode Fuzzy Hash: 8bcc28a04bb88748f31fcbdba0b7e888ce895e578c27c8aab36e34bd55d4832a
                            • Instruction Fuzzy Hash: A05158B4A007488FDB50CFAAD5487DEBBF1AF89304F248459E419B7390DB745988CF25
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0091B768
                            • GetCurrentThread.KERNEL32 ref: 0091B7A5
                            • GetCurrentProcess.KERNEL32 ref: 0091B7E2
                            • GetCurrentThreadId.KERNEL32 ref: 0091B83B
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: c8f2410fbd3d0b6d9ba06205c10d437780f1bb419cc341a3263d8e083fe3a541
                            • Instruction ID: 94f993c023b6611bf2a3c89725d615a15baf44e1e05cce8f022b6a8188c130bc
                            • Opcode Fuzzy Hash: c8f2410fbd3d0b6d9ba06205c10d437780f1bb419cc341a3263d8e083fe3a541
                            • Instruction Fuzzy Hash: 835146B4A007488FDB50CFAAD548BDEBBF5AF88314F208459E419B7350DB745988CF65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00919656
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID: xNr$xNr
                            • API String ID: 4139908857-1374218907
                            • Opcode ID: dc939e8c18c1bf1c823d05374e0cb8a71b9c0a16a1900d3992855504e79826b8
                            • Instruction ID: 1623550f8486d9f25f9592f0586fc242b551535e057bfc43b58e2c0cd00360b3
                            • Opcode Fuzzy Hash: dc939e8c18c1bf1c823d05374e0cb8a71b9c0a16a1900d3992855504e79826b8
                            • Instruction Fuzzy Hash: 12714770A00B098FD724DF69D0517AABBF5BF88314F00892DE45AD7A50DB35E986CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06554F86
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: db725ec9640f4ec0ddef9e380f1db097c1dcf198c568784752d2a07a218bb931
                            • Instruction ID: bbfea0dc8f5fb66626fe0c27eade2fe49e7bea4739f51650f316bd5c3e1c78d7
                            • Opcode Fuzzy Hash: db725ec9640f4ec0ddef9e380f1db097c1dcf198c568784752d2a07a218bb931
                            • Instruction Fuzzy Hash: E7A16B71D00219DFDB60CFA8C8557EEBBF2BF48314F15856AE809A7240DB749985CF92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06554F86
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: f4bfe51bf9bbf90207acad80630165ff0c796826fa7da63512ea5ef94fce960b
                            • Instruction ID: f3d4b34144d9a0463239ebbb55db0d2c45dde092883898b6fc687e21bd1fe468
                            • Opcode Fuzzy Hash: f4bfe51bf9bbf90207acad80630165ff0c796826fa7da63512ea5ef94fce960b
                            • Instruction Fuzzy Hash: 6B915A71D00219CFDB50CFA8C8557EEBBF2BF48314F15856AE849A7280DB749985CF92
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 06555A91
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: BaseModuleName
                            • String ID:
                            • API String ID: 595626670-0
                            • Opcode ID: 7f66734a9346368af6e6bce0c14bf123d8bb033dfe62bb129e33664f9df15bd0
                            • Instruction ID: 4293d44eb4954f9cbabb40cbd0520e270578c7bd5f2b37d6121e5eea502d28b5
                            • Opcode Fuzzy Hash: 7f66734a9346368af6e6bce0c14bf123d8bb033dfe62bb129e33664f9df15bd0
                            • Instruction Fuzzy Hash: 17415774D002489FCB14CFA9C898BDEBBF5BF48314F15842EE819AB241E7749985CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0091FE8A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: c4bced2270bb356d597aa05b7ae2e89f6f1ee6e3f7a86fa2e0496608d46dba75
                            • Instruction ID: 7e2be735bf1b9a4b5ea0e444faf8c16693f20f75fe5e798727162c49e31264a9
                            • Opcode Fuzzy Hash: c4bced2270bb356d597aa05b7ae2e89f6f1ee6e3f7a86fa2e0496608d46dba75
                            • Instruction Fuzzy Hash: 9051EEB1D0030C9FDB14CFA9D894ADEBFB5BF88314F25812AE819AB251D7709985CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0091FE8A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: 4dd01ea2523bb2274bbf6bf1091b5b404e7f7d3bd3b37cdd184018d88c3e6fef
                            • Instruction ID: a39f0248aacbfb1be75113db0cdc2d2e368c783964a3744a1030ea02c337bb8d
                            • Opcode Fuzzy Hash: 4dd01ea2523bb2274bbf6bf1091b5b404e7f7d3bd3b37cdd184018d88c3e6fef
                            • Instruction Fuzzy Hash: 1841DEB1D0030C9FDB14CF9AC980ADEBBF5BF48314F24812AE819AB210D7749985CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • K32GetModuleBaseNameA.KERNEL32(?,?,?,?), ref: 06555A91
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: BaseModuleName
                            • String ID:
                            • API String ID: 595626670-0
                            • Opcode ID: 7837daa4202df717f2c2fc799e1be4b49bbb3cdd0d61c32874e38e3a0b8ba71b
                            • Instruction ID: fb05cf31c4fa79817910aaf62b4646e21d44efdc674f579c097c70b9864ba741
                            • Opcode Fuzzy Hash: 7837daa4202df717f2c2fc799e1be4b49bbb3cdd0d61c32874e38e3a0b8ba71b
                            • Instruction Fuzzy Hash: B8414770D002089FCB14CF99C498BDEBBF1BF48314F15842AE819AB341E7749985CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CopyFileW.KERNELBASE(?,00000000,?), ref: 065526C1
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: CopyFile
                            • String ID:
                            • API String ID: 1304948518-0
                            • Opcode ID: b4705540af8c8eb34bfa7f6a36be3703745c0b6618bc7c1debe3afc7aa1bbae9
                            • Instruction ID: db6bb872f8abbb04bd19b7438a2ddcdba2b264d4b9ea9df095df976321671ef3
                            • Opcode Fuzzy Hash: b4705540af8c8eb34bfa7f6a36be3703745c0b6618bc7c1debe3afc7aa1bbae9
                            • Instruction Fuzzy Hash: B441C271905354AFCB01CFA9D845AEEBFF8EF49220F19809BE844E7242D7359A04CBB1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00915411
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 98fa11817766077a57360536ef327df3a284b1eb1c05e66da62e11ffbcba2990
                            • Instruction ID: d53157a1f8b2b9f74ae09ad16f6c0bf456e6e2aab18997a3381e6f286efdb5cd
                            • Opcode Fuzzy Hash: 98fa11817766077a57360536ef327df3a284b1eb1c05e66da62e11ffbcba2990
                            • Instruction Fuzzy Hash: 6641E2B1D0061CCFDB24CFA9C884BDEBBB5BF89305F21806AD409AB251D7755989CF50
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00915411
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 175b4e8a6fb9fe6005ebbdada08f6d2a1c818a724c436a056426c324b32d6878
                            • Instruction ID: 4833cebce4d184f0429bf2e3edba0fb378150246cd9462323bb2d74f52e682a5
                            • Opcode Fuzzy Hash: 175b4e8a6fb9fe6005ebbdada08f6d2a1c818a724c436a056426c324b32d6878
                            • Instruction Fuzzy Hash: 3641E270D0061CCFDB24CFA9C8847DEBBB5BF88305F21806AD509AB251D7B55985CF90
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06554AC6
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 4737392704202a8a5c8e6f4db7d24d545d311066b77aea87a6d7ed865b037ed5
                            • Instruction ID: c3dce9520af3b559f9a6d66ed7a2ba3656efed5993398b33aa09491c3f1cd542
                            • Opcode Fuzzy Hash: 4737392704202a8a5c8e6f4db7d24d545d311066b77aea87a6d7ed865b037ed5
                            • Instruction Fuzzy Hash: D531F5718053889FCB01DFA5C855ADEBFF9EF49314F09849AD548A7251CB35A805CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CopyFileW.KERNELBASE(?,00000000,?), ref: 065526C1
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: CopyFile
                            • String ID:
                            • API String ID: 1304948518-0
                            • Opcode ID: 6ca45db27a66d3a6b17e6c15fb4c16b5f058be737535ab8650be7ad912d3cd5c
                            • Instruction ID: 88c10a412909d42d49bd903dfbd8adf26b4517dc4cf3c93a9b5a87b93a40fd5d
                            • Opcode Fuzzy Hash: 6ca45db27a66d3a6b17e6c15fb4c16b5f058be737535ab8650be7ad912d3cd5c
                            • Instruction Fuzzy Hash: 5F213CB1D012199FCB50CFA9D9857EEBBF5EF48320F15806AE818E7241D7349A44CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06554BD8
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: f236b389b243620cbcef94940ccbfea2f3c81891b230a827899c98e6c186bdf1
                            • Instruction ID: fb7e8b54341a1b73cc411955df65045bca12534e697a2aeee542ba64ea2b3614
                            • Opcode Fuzzy Hash: f236b389b243620cbcef94940ccbfea2f3c81891b230a827899c98e6c186bdf1
                            • Instruction Fuzzy Hash: 3F2137B19003099FCF40CFA9C884BDEBBF5FF48324F11842AE959A7240C778A954CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CopyFileW.KERNELBASE(?,00000000,?), ref: 065526C1
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: CopyFile
                            • String ID:
                            • API String ID: 1304948518-0
                            • Opcode ID: 68cc72fa9b489aa3af0223eb075c4b398c0f171ce6e35d9324253377631461ad
                            • Instruction ID: e7aed811f748888155f8d31fb9b27ca8caac6c9d650ed33e2b280c5ce16011c2
                            • Opcode Fuzzy Hash: 68cc72fa9b489aa3af0223eb075c4b398c0f171ce6e35d9324253377631461ad
                            • Instruction Fuzzy Hash: 342128B1D012199FCB50CF9AD9847EEFBF5BF48320F15816AE818A7241D7349A44CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06554BD8
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 2718980ef82be6df66ea3a72404c7273089af19d31a07849e9325148f899e901
                            • Instruction ID: 423be69899264da12c2516fc448858716a034b6067b83ee3c83b7e795e967ccc
                            • Opcode Fuzzy Hash: 2718980ef82be6df66ea3a72404c7273089af19d31a07849e9325148f899e901
                            • Instruction Fuzzy Hash: 062115B19003199FCF40DFA9C984BDEBBF5FF48324F11842AE959A7240D778A954CBA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • K32EnumProcesses.KERNEL32(00000000,?,?), ref: 0655541B
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: EnumProcesses
                            • String ID:
                            • API String ID: 84517404-0
                            • Opcode ID: 5f3d6d1cbbc862f176328f31dff06ecfe7e671cff715ee4c1cfab3e8111f3b04
                            • Instruction ID: d1e83defd352f156c1cb4abef97fbf4abdea81fe3a4f96962ad927a78e538a89
                            • Opcode Fuzzy Hash: 5f3d6d1cbbc862f176328f31dff06ecfe7e671cff715ee4c1cfab3e8111f3b04
                            • Instruction Fuzzy Hash: B52128B1D01219AFCB00CF99D885BDEFBF4FB48320F01812AE958A7240D774A954CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • EnumChildWindows.USER32(?,00000000,?), ref: 06555EF0
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: ChildEnumWindows
                            • String ID:
                            • API String ID: 3555792229-0
                            • Opcode ID: 3460625a855b512c4b6c17663505db9028d93ed0c6b43f3336a0a259ca3ca90e
                            • Instruction ID: afbb387bf63bce6821ffc16f168330ffff56abfef2f936cfff5ada760ff64029
                            • Opcode Fuzzy Hash: 3460625a855b512c4b6c17663505db9028d93ed0c6b43f3336a0a259ca3ca90e
                            • Instruction Fuzzy Hash: F5213A71D002199FDB50CFAAD844BEEFBF5BF88324F14842AE459A3650DB74A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetThreadContext.KERNELBASE(?,00000000), ref: 0655496E
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: ContextThread
                            • String ID:
                            • API String ID: 1591575202-0
                            • Opcode ID: 11455fdf84e601395c0955c6d9b22aebe51e2091d9fce3b8839b0336c6250c33
                            • Instruction ID: 1c0e4041b6e7a2257f8692267986c9235f2bd02c7a898c0f9fef8f4acd37b41d
                            • Opcode Fuzzy Hash: 11455fdf84e601395c0955c6d9b22aebe51e2091d9fce3b8839b0336c6250c33
                            • Instruction Fuzzy Hash: AE2148719002089FCB50CFAAC9847EEFBF4AF48324F15842AD959A7240CB78A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0091B9B7
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 2f75da17ee010a7e666363310a7fa51871f79ca131bb45362e971db686769bce
                            • Instruction ID: ca3e59ddeb5c69b029fc8a976ac120c095e314394d80b02c7e513aec251c28ba
                            • Opcode Fuzzy Hash: 2f75da17ee010a7e666363310a7fa51871f79ca131bb45362e971db686769bce
                            • Instruction Fuzzy Hash: 332100B5D00208AFDB10CFAAD984AEEBBF4EF48324F14801AE955B7310C374A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 065558CB
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: EnumModulesProcess
                            • String ID:
                            • API String ID: 1082081703-0
                            • Opcode ID: 6f277e5ad6c1d1411d139aae6d5345fcc78e658a63475e8f092ab86d56e3b713
                            • Instruction ID: 28d1254b1358bee46a6ac019d42c9fb647b43adc8841041aeb466538d91b284a
                            • Opcode Fuzzy Hash: 6f277e5ad6c1d1411d139aae6d5345fcc78e658a63475e8f092ab86d56e3b713
                            • Instruction Fuzzy Hash: A721E8759002499FCB10CF9AC984BDFBBF5FF48324F11842AE958A7240D774AA45CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetThreadContext.KERNELBASE(?,00000000), ref: 0655496E
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: ContextThread
                            • String ID:
                            • API String ID: 1591575202-0
                            • Opcode ID: a5d8a137ccc76792ff2b6a161ffe483c237f23e112f4ab44f4e39562eb33195f
                            • Instruction ID: 61f07ad23aa3ece453ded064180198da512ef35fc67fa22402dab4045aca7d07
                            • Opcode Fuzzy Hash: a5d8a137ccc76792ff2b6a161ffe483c237f23e112f4ab44f4e39562eb33195f
                            • Instruction Fuzzy Hash: 4C213871D003088FDB50CFAAC5857EEBBF4AF48324F15842AD959A7240DB78A985CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0091B9B7
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: f683a0415c6d2c207a34e57de615a9f49e0741a304fa1b333dc5b428ab3d5881
                            • Instruction ID: 66d999e9e6f9c8296b087e8289e2e17745a039d311dbb7613f9c5aad0cc6d556
                            • Opcode Fuzzy Hash: f683a0415c6d2c207a34e57de615a9f49e0741a304fa1b333dc5b428ab3d5881
                            • Instruction Fuzzy Hash: 2421D3B5D00208AFDB10CFAAD984ADEBBF9FF48324F15841AE954A7310D374A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • K32EnumProcesses.KERNEL32(00000000,?,?), ref: 0655541B
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: EnumProcesses
                            • String ID:
                            • API String ID: 84517404-0
                            • Opcode ID: 821865691e433872a3a6bfabec3bbfe4ff5a6bb0398ab6ae0a7b61e95761c051
                            • Instruction ID: b489440e488909b9cc87f4a9770f09ab7188cc8aae914a8146de5e2ac78d1bef
                            • Opcode Fuzzy Hash: 821865691e433872a3a6bfabec3bbfe4ff5a6bb0398ab6ae0a7b61e95761c051
                            • Instruction Fuzzy Hash: 7021F3B1D016199FCB00CF9AD984BDEFBF4BB48324F01812AE918A7240D778A954CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • EnumChildWindows.USER32(?,00000000,?), ref: 06555EF0
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: ChildEnumWindows
                            • String ID:
                            • API String ID: 3555792229-0
                            • Opcode ID: a5f52db146c54de1c739cc3bcab782215c062ae22944d9017eaf4f1d1456207e
                            • Instruction ID: c91063751ee258073fbf4ec5240d83afff62ba817fc7d3be47cbca8824a939e5
                            • Opcode Fuzzy Hash: a5f52db146c54de1c739cc3bcab782215c062ae22944d9017eaf4f1d1456207e
                            • Instruction Fuzzy Hash: 722115B1D002198FDB50CF9AC944BEEBBF5BF88324F14842AE459A3650DB74A944CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • K32EnumProcessModules.KERNEL32(?,?,?,?), ref: 065558CB
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: EnumModulesProcess
                            • String ID:
                            • API String ID: 1082081703-0
                            • Opcode ID: cdb4befe5a7cae917c424a8c15cbd954d53fd24667e31c99d454e5bf7c17585c
                            • Instruction ID: 7b69aa0e41b544d0407570a4944cd533a9a2587551796189cbf8815c4a236763
                            • Opcode Fuzzy Hash: cdb4befe5a7cae917c424a8c15cbd954d53fd24667e31c99d454e5bf7c17585c
                            • Instruction Fuzzy Hash: 9D2108B1D002099FCB10CF9AC584BDEBBF4FF48324F118429E958A7240D774A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07037D2C
                            Memory Dump Source
                            • Source File: 0000000A.00000002.302219206.0000000007030000.00000040.00000001.sdmp, Offset: 07030000, based on PE: false
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: e1239f9641b0b84287683f21b1838ef5ecb551925f2e23f9ac0b4c4e81fcb656
                            • Instruction ID: 9b2997228b382c2fac42fd79a9a9932e30025d1ec52729e0d931e7bd27db6ec3
                            • Opcode Fuzzy Hash: e1239f9641b0b84287683f21b1838ef5ecb551925f2e23f9ac0b4c4e81fcb656
                            • Instruction Fuzzy Hash: CF11F7B1D042099FDB10DFAAC8847EEFBF9AF48324F148829D519A7200CB74A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009196D1,00000800,00000000,00000000), ref: 009198E2
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 020ae1fe282b7bfc9fefbf3760edf98491c9a5dc6e78f00ca4fb977edae5d5bd
                            • Instruction ID: 42d7790aedcfad5bd6451f7feabfc869d504f4e82dfc2590e8c0c33a440fc800
                            • Opcode Fuzzy Hash: 020ae1fe282b7bfc9fefbf3760edf98491c9a5dc6e78f00ca4fb977edae5d5bd
                            • Instruction Fuzzy Hash: 5411E4B6D003499FDB10CF9AC584ADEFBF4EB49324F15846EE919A7200C774A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • FindCloseChangeNotification.KERNELBASE ref: 06555C07
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: ChangeCloseFindNotification
                            • String ID:
                            • API String ID: 2591292051-0
                            • Opcode ID: ea219f7ec518180f0231859018fd4e58b8c58c785b6698fded3372b2c39fcfeb
                            • Instruction ID: d212e6596baaa603e09d90ee479341f512ffdb43bb76a08e4f92c4f2a26d34d6
                            • Opcode Fuzzy Hash: ea219f7ec518180f0231859018fd4e58b8c58c785b6698fded3372b2c39fcfeb
                            • Instruction Fuzzy Hash: 65113DB18006099FCB10CF9AD945BEFBBF4EF48324F15841AD558A7340D774A985CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009196D1,00000800,00000000,00000000), ref: 009198E2
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 45cbc071a6dacaa394b4dd29b20d7803a6367f6c0c8a5e11c09860a0e837e210
                            • Instruction ID: 9cec94c575a5a56a083e59efbc38fddec472b8338cbb886e45d13fc9ad309c3a
                            • Opcode Fuzzy Hash: 45cbc071a6dacaa394b4dd29b20d7803a6367f6c0c8a5e11c09860a0e837e210
                            • Instruction Fuzzy Hash: 311126B6D002498FDB10CFAAD484ADEFBF4AF89324F15846ED419B7200C774A945CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06554AC6
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: d93d5f910370cf78412db3d80402b88150f4c744cf8e91528d6e43bcc4504688
                            • Instruction ID: 8d24d44157287befdf6e203f543c43baea72dc208665820123ff30437d55b9b5
                            • Opcode Fuzzy Hash: d93d5f910370cf78412db3d80402b88150f4c744cf8e91528d6e43bcc4504688
                            • Instruction Fuzzy Hash: 6C1137719002089FDF10DFAAC8447DFBBF5EF48324F15882AE919A7250CB75A944CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • FindCloseChangeNotification.KERNELBASE ref: 07037EEA
                            Memory Dump Source
                            • Source File: 0000000A.00000002.302219206.0000000007030000.00000040.00000001.sdmp, Offset: 07030000, based on PE: false
                            Similarity
                            • API ID: ChangeCloseFindNotification
                            • String ID:
                            • API String ID: 2591292051-0
                            • Opcode ID: 50c5dc5a7297591cde347c41768ad6147008bc233f08c2f6d89282e2b8f90c4b
                            • Instruction ID: 6c14bb728bd732340c4bd48df841ac6e256775d0db7dcfd3f1659ce17a9f5c2f
                            • Opcode Fuzzy Hash: 50c5dc5a7297591cde347c41768ad6147008bc233f08c2f6d89282e2b8f90c4b
                            • Instruction Fuzzy Hash: FA1128B19042088FDB10DFAAC8447DEBBF9AB88324F148819D519A7240CB75A944CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • FindCloseChangeNotification.KERNELBASE ref: 06555C07
                            Memory Dump Source
                            • Source File: 0000000A.00000002.301212907.0000000006550000.00000040.00000001.sdmp, Offset: 06550000, based on PE: false
                            Similarity
                            • API ID: ChangeCloseFindNotification
                            • String ID:
                            • API String ID: 2591292051-0
                            • Opcode ID: 85efcd9e302f07ce27e7cc15968f6ccf392fe93dc565c9417cb572124eea80ce
                            • Instruction ID: bd82b6c8d597de7b95e9add892b1e66beec2327a53666cef3462873581da3a93
                            • Opcode Fuzzy Hash: 85efcd9e302f07ce27e7cc15968f6ccf392fe93dc565c9417cb572124eea80ce
                            • Instruction Fuzzy Hash: 291106B19006098FCB10CF9AC548BDEBBF4EF48324F15846AD559A7340D778A944CFA5
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00919656
                            Memory Dump Source
                            • Source File: 0000000A.00000002.278908927.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 7efb2115c1e71eaf6e86c3bc639a4c0c97e9def3f577edd2867ade8150062f98
                            • Instruction ID: a960113c5845c1500ae9fe2e864642b8dcfc31c888acc7ccb3b5403a8d9f8e1e
                            • Opcode Fuzzy Hash: 7efb2115c1e71eaf6e86c3bc639a4c0c97e9def3f577edd2867ade8150062f98
                            • Instruction Fuzzy Hash: 5311E0B6D006498FDB10CF9AC544BDEFBF8AF88324F15841AD569B7600C378A645CFA1
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions

                            Executed Functions

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0137B730
                            • GetCurrentThread.KERNEL32 ref: 0137B76D
                            • GetCurrentProcess.KERNEL32 ref: 0137B7AA
                            • GetCurrentThreadId.KERNEL32 ref: 0137B803
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID: X
                            • API String ID: 2063062207-1677210272
                            • Opcode ID: 6fc6eafe232ddd29a1b9cc58c27233de03c3a5021dfa07d1a335bb3828aeac3e
                            • Instruction ID: 7f67c614b1c32c9c5aa70dc09bcbfdcb1b3a45282ecc9cbc5335b8ae53d45c30
                            • Opcode Fuzzy Hash: 6fc6eafe232ddd29a1b9cc58c27233de03c3a5021dfa07d1a335bb3828aeac3e
                            • Instruction Fuzzy Hash: 735156B4E006488FDB14CFAAC688BDEBBF0AF48318F24845AE049A7350C7795944CF65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0137B730
                            • GetCurrentThread.KERNEL32 ref: 0137B76D
                            • GetCurrentProcess.KERNEL32 ref: 0137B7AA
                            • GetCurrentThreadId.KERNEL32 ref: 0137B803
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID: X
                            • API String ID: 2063062207-1677210272
                            • Opcode ID: 96a6594ed8f561219d21a0b7237848620ab16f0fa8b046b68ce70466261bac22
                            • Instruction ID: 770071788b96d21b114c2f972a681424b080e8c8b8464319a45aeb58a483a9c3
                            • Opcode Fuzzy Hash: 96a6594ed8f561219d21a0b7237848620ab16f0fa8b046b68ce70466261bac22
                            • Instruction Fuzzy Hash: A45164B4E006488FDB14CFAAD688BEEFBF1AF48318F248459E059A7350C7785948CF65
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0137962E
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 23843a49425f5c658e611ac0e1104568bf31a9d84c6f7a7e4eba73a14bc8bee4
                            • Instruction ID: 65c9eb84e29d47cca7469b65a27ebdb5962905e4ea4cde871fd1f81e8edd95f9
                            • Opcode Fuzzy Hash: 23843a49425f5c658e611ac0e1104568bf31a9d84c6f7a7e4eba73a14bc8bee4
                            • Instruction Fuzzy Hash: 0C712570A00B058FD734DF6AC44579ABBF5BF89228F008A2DD58ADBA50D739E845CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0137FD0A
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            • Opcode ID: ac8ecd0c01a9102f1ccff35d72a21df807bbf5592ed43a43a8a3bac96190c21d
                            • Instruction ID: 057bffdb5434820fabaa15a2232b1bfdc3bb2c489dbdbbb135417c05883c553c
                            • Opcode Fuzzy Hash: ac8ecd0c01a9102f1ccff35d72a21df807bbf5592ed43a43a8a3bac96190c21d
                            • Instruction Fuzzy Hash: DE51CFB1D00309DFDF24CFA9C884ADDBBB5BF48314F24812AE819AB214D7749985CF91
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0137FD0A
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: CreateWindow
                            • String ID:
                            • API String ID: 716092398-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137BD87
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0137BD87
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013796A9,00000800,00000000,00000000), ref: 013798BA
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013796A9,00000800,00000000,00000000), ref: 013798BA
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0137962E
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 0137FE9D
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            APIs
                            • SetWindowLongW.USER32(?,?,?), ref: 0137FE9D
                            Memory Dump Source
                            • Source File: 0000000C.00000002.300569109.0000000001370000.00000040.00000001.sdmp, Offset: 01370000, based on PE: false
                            Similarity
                            • API ID: LongWindow
                            • String ID:
                            • API String ID: 1378638983-0
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.299523430.0000000000F4D000.00000040.00000001.sdmp, Offset: 00F4D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.300203843.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.300203843.000000000107D000.00000040.00000001.sdmp, Offset: 0107D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Memory Dump Source
                            • Source File: 0000000C.00000002.299523430.0000000000F4D000.00000040.00000001.sdmp, Offset: 00F4D000, based on PE: false
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Non-executed Functions