
Windows Analysis Report vHLZ6AHJFY.exe

Overview

General Information

Sample Name: vHLZ6AHJFY.exe
Analysis ID: 458708
MD5: e7f52d9d50e6d2776d301b5a7e03b662
SHA1: 3382b97a08277306637e074f08814b728bc225cc
SHA256: fcf8936d333a76b64672ae8c445531efc277c0ad3222720e1c4b43573b681375
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • vHLZ6AHJFY.exe (PID: 4640 cmdline: 'C:\Users\user\Desktop\vHLZ6AHJFY.exe' MD5: E7F52D9D50E6D2776D301B5A7E03B662)
    • vHLZ6AHJFY.exe (PID: 4832 cmdline: C:\Users\user\Desktop\vHLZ6AHJFY.exe MD5: E7F52D9D50E6D2776D301B5A7E03B662)
  • dhcpmon.exe (PID: 2680 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: E7F52D9D50E6D2776D301B5A7E03B662)
    • dhcpmon.exe (PID: 5008 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: E7F52D9D50E6D2776D301B5A7E03B662)
    • dhcpmon.exe (PID: 6008 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: E7F52D9D50E6D2776D301B5A7E03B662)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6a1c2465-7ac5-4f1d-acc5-ef04fcf4", "Group": "Default", "Domain1": "hhjhtggfr.duckdns.org", "Domain2": "dertrefg.duckdns.org", "Port": 8234, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "hhjhtggfr.duckdns.org"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x6943f:$a: NanoCore
  • 0x69498:$a: NanoCore
  • 0x694d5:$a: NanoCore
  • 0x6954e:$a: NanoCore
  • 0x694a1:$b: ClientPlugin
  • 0x694de:$b: ClientPlugin
  • 0x69ddc:$b: ClientPlugin
  • 0x69de9:$b: ClientPlugin
  • 0x5f0a3:$e: KeepAlive
  • 0x69929:$g: LogClientMessage
  • 0x698a9:$i: get_Connected
  • 0x59875:$j: #=q
  • 0x598a5:$j: #=q
  • 0x598e1:$j: #=q
  • 0x59909:$j: #=q
  • 0x59939:$j: #=q
  • 0x59969:$j: #=q
  • 0x59999:$j: #=q
  • 0x599c9:$j: #=q
  • 0x599e5:$j: #=q
  • 0x59a15:$j: #=q
0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.dhcpmon.exe.2f89660.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
13.2.dhcpmon.exe.2f89660.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
13.2.dhcpmon.exe.3f74565.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0x23c70:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost
  • 0x23c9d:$x2: IClientNetworkHost
13.2.dhcpmon.exe.3f74565.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xb184:$x2: NanoCore.ClientPluginHost
  • 0x23c70:$x2: NanoCore.ClientPluginHost
  • 0xc25f:$s4: PipeCreated
  • 0x24d4b:$s4: PipeCreated
  • 0xb19e:$s5: IClientLoggingHost
  • 0x23c8a:$s5: IClientLoggingHost
13.2.dhcpmon.exe.3f74565.3.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\vHLZ6AHJFY.exe, ProcessId: 4832, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\vHLZ6AHJFY.exe, ProcessId: 4832, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\vHLZ6AHJFY.exe, ProcessId: 4832, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\vHLZ6AHJFY.exe, ProcessId: 4832, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6a1c2465-7ac5-4f1d-acc5-ef04fcf4", "Group": "Default", "Domain1": "hhjhtggfr.duckdns.org", "Domain2": "dertrefg.duckdns.org", "Port": 8234, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "hhjhtggfr.duckdns.org"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: vHLZ6AHJFY.exe | Virustotal: Detection: 31%
Source: vHLZ6AHJFY.exe | ReversingLabs: Detection: 21%
Yara detected Nanocore RAT
Source: Yara match | File source: 13.2.dhcpmon.exe.3f74565.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.3f6ff3c.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.3f6ff3c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.3f6b106.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.38fe468.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.38fe468.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.316141333.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vHLZ6AHJFY.exe PID: 4640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2680, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6008, type: MEMORYSTR
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: vHLZ6AHJFY.exe | Joe Sandbox ML: detected
Source: 13.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: vHLZ6AHJFY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: vHLZ6AHJFY.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 5_2_06983680
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 5_2_06983671
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 5_2_06984858
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 5_2_06984849

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: hhjhtggfr.duckdns.org
Source: Malware configuration extractor | URLs: dertrefg.duckdns.org
Uses dynamic DNS services
Source: unknown | DNS query: name: hhjhtggfr.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.7:49715 -> 203.159.80.186:8234
Source: Joe Sandbox View | IP Address: 203.159.80.186 203.159.80.186
Source: Joe Sandbox View | ASN Name: LOVESERVERSGB LOVESERVERSGB
Source: unknown | DNS traffic detected: queries for: hhjhtggfr.duckdns.org
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: vHLZ6AHJFY.exe, 00000000.00000002.243485690.0000000002551000.00000004.00000001.sdmp, dhcpmon.exe, 00000005.00000002.293431258.00000000023E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: vHLZ6AHJFY.exe, 00000000.00000002.243024787.00000000007E9000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: dhcpmon.exe, 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 13.2.dhcpmon.exe.3f74565.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.3f6ff3c.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.3f6ff3c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.3f6b106.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.38fe468.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.dhcpmon.exe.38fe468.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.316141333.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vHLZ6AHJFY.exe PID: 4640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2680, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6008, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 13.2.dhcpmon.exe.2f89660.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.3f74565.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.3f6ff3c.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.3f6ff3c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.dhcpmon.exe.3f6b106.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.dhcpmon.exe.3f6b106.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.38fe468.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.dhcpmon.exe.38fe468.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.dhcpmon.exe.38fe468.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.dhcpmon.exe.38fe468.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.316141333.0000000003F29000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: vHLZ6AHJFY.exe PID: 4640, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: vHLZ6AHJFY.exe PID: 4640, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 2680, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 2680, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6008, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6008, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Code function: 0_2_000F4C65 | 0_2_000F4C65
Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Code function: 0_2_00A6C2B0 | 0_2_00A6C2B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_00054C65 | 5_2_00054C65
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_00C1C2B0 | 5_2_00C1C2B0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_00C19990 | 5_2_00C19990
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_06983B80 | 5_2_06983B80
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_0698179E | 5_2_0698179E
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_069815BF | 5_2_069815BF
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_069815D0 | 5_2_069815D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_06981210 | 5_2_06981210
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 5_2_06981200 | 5_2_06981200
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 11_2_00344C65 | 11_2_00344C65
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_00BC4C65 | 13_2_00BC4C65
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_0540E471 | 13_2_0540E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_0540E480 | 13_2_0540E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 13_2_0540BBD4 | 13_2_0540BBD4
Source: vHLZ6AHJFY.exe | Binary or memory string: OriginalFilename vs vHLZ6AHJFY.exe
Source: vHLZ6AHJFY.exe, 00000000.00000000.224394981.00000000000F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGenericSecurityDescript.exe6 vs vHLZ6AHJFY.exe
Source: vHLZ6AHJFY.exe, 00000000.00000002.252836540.0000000006AC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs vHLZ6AHJFY.exe
Source: vHLZ6AHJFY.exe, 00000000.00000002.243485690.0000000002551000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameConfigNodeType.dll> vs vHLZ6AHJFY.exe
Source: vHLZ6AHJFY.exe, 00000000.00000002.253509646.0000000006D90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStoreElement.dllB vs vHLZ6AHJFY.exe
Source: vHLZ6AHJFY.exe, 00000000.00000002.243024787.00000000007E9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs vHLZ6AHJFY.exe
Source: vHLZ6AHJFY.exe, 00000002.00000000.239859981.0000000000492000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGenericSecurityDescript.exe6 vs vHLZ6AHJFY.exe
Source: vHLZ6AHJFY.exe | Binary or memory string: OriginalFilenameGenericSecurityDescript.exe6 vs vHLZ6AHJFY.exe
Source: vHLZ6AHJFY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 13.2.dhcpmon.exe.2f89660.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.2f89660.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.dhcpmon.exe.3f74565.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.3f74565.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.dhcpmon.exe.3f6ff3c.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.3f6ff3c.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.dhcpmon.exe.3f6ff3c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.3f6ff3c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 13.2.dhcpmon.exe.3f6b106.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.dhcpmon.exe.3f6b106.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 13.2.dhcpmon.exe.3f6b106.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.dhcpmon.exe.38fe468.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.dhcpmon.exe.38fe468.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.dhcpmon.exe.38fe468.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.dhcpmon.exe.38fe468.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.dhcpmon.exe.38fe468.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000D.00000002.316141333.0000000003F29000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: vHLZ6AHJFY.exe PID: 4640, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: vHLZ6AHJFY.exe PID: 4640, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 2680, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 2680, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6008, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6008, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: vHLZ6AHJFY.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 13.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 13.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
        Source: 13.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine Classification label: mal100.troj.evad.winEXE@8/8@19/2
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vHLZ6AHJFY.exe.log
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{6a1c2465-7ac5-4f1d-acc5-ef04fcf454c9}
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries collapsed)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 identical entries collapsed)
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: vHLZ6AHJFY.exe Virustotal: Detection: 31%
        Source: vHLZ6AHJFY.exe ReversingLabs: Detection: 21%
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe File read: C:\Users\user\Desktop\vHLZ6AHJFY.exe
        Source: unknown Process created: C:\Users\user\Desktop\vHLZ6AHJFY.exe 'C:\Users\user\Desktop\vHLZ6AHJFY.exe'
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe Process created: C:\Users\user\Desktop\vHLZ6AHJFY.exe C:\Users\user\Desktop\vHLZ6AHJFY.exe
        Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (2 identical entries collapsed)
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: vHLZ6AHJFY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: vHLZ6AHJFY.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: vHLZ6AHJFY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 13.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 13.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: vHLZ6AHJFY.exe Static PE information: compile timestamp 0xFAEB95B0 [Sun May 27 21:08:00 2103 UTC] (a build time in the future cannot be genuine; this is what the "Binary contains a suspicious time stamp" signature refers to)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 5_2_06980FD6 push ebx; iretd 5_2_06980FDD
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 5_2_06981002 push es; iretd 5_2_0698107C
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 5_2_0698107D push es; ret 5_2_069810BC
        Source: initial sample Static PE information: section name: .text entropy: 7.44654724316 (2 identical entries collapsed)
        Source: 13.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 13.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
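        Two of the static indicators in this block, the post-dated compile timestamp and a .text section with entropy above 7.4 bits per byte, can be checked without executing the sample. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample. It parses the COFF header and section table by hand (no pefile dependency), reports any section at or above an assumed threshold of 7.0 bits per byte and any TimeDateStamp later than the supplied clock, and exercises itself on a constructed, non-executable PE image built with the report's timestamp 0xFAEB95B0; the section contents and the threshold are assumptions.

```python
import math
import random
import struct
from datetime import datetime, timedelta, timezone

# Assumed threshold: compiled code usually stays well below this, while
# packed or encrypted payloads sit close to the 8.0 bits/byte maximum.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is an unsigned 32-bit Unix time."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def parse_pe(pe: bytes):
    """Return (TimeDateStamp, [(section name, raw bytes)]) from a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader.
    num_sections, ts = struct.unpack_from("<HI", pe, e_lfanew + 6)
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return ts, sections


def triage(pe: bytes, now: datetime):
    """Static findings: a compile timestamp after `now`, and high-entropy sections."""
    ts, sections = parse_pe(pe)
    findings = []
    built = pe_timestamp(ts)
    if built > now:
        findings.append(f"timestamp 0x{ts:08X} [{built:%a %b %d %H:%M:%S %Y} UTC] lies in the future")
    for name, data in sections:
        ent = shannon_entropy(data)
        if ent >= ENTROPY_THRESHOLD:
            findings.append(f"section {name} entropy {ent:.2f} bits/byte: likely packed or encrypted")
    return findings


def build_sample(timestamp: int, sections) -> bytes:
    """Construct a minimal PE (no optional header, not loadable) for testing the parser."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 24 + 40 * len(sections)
    body = bytearray()
    for name, data in sections:
        hdr += name.encode().ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        hdr += struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr)
        # relocation/line-number pointers and counts, then Characteristics
        hdr += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return bytes(hdr + body)


# Constructed sample: seeded pseudo-random bytes stand in for a packed .text,
# a repetitive buffer for an ordinary resource section.
_rng = random.Random(1337)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_RSRC = b"A" * 512 + b"B" * 512
SAMPLE = build_sample(0xFAEB95B0, [(".text", PACKED_TEXT), (".rsrc", PLAIN_RSRC)])

if __name__ == "__main__":
    for line in triage(SAMPLE, datetime.now(timezone.utc)):
        print(line)
```

        Run against a real file, `triage(open(path, "rb").read(), datetime.now(timezone.utc))` produces the same two findings this report shows for the sample. Note that .NET assemblies carry their own quirk: the linker often writes the TimeDateStamp as a hash rather than a build time, so a future date alone is a weaker signal for managed code than for native binaries, and is best read together with the entropy and the Assembly.Load(byte[]) call sites listed above.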

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe File opened: C:\Users\user\Desktop\vHLZ6AHJFY.exe:Zone.Identifier read attributes | delete (opens its own Zone.Identifier alternate data stream, the Mark-of-the-Web, with DELETE access)
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe Process information set: NOOPENFILEERRORBOX (79 identical entries collapsed; the SEM_NOOPENFILEERRORBOX error mode suppresses the "file not found" dialog so a missing file fails silently)
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara match | File source: 00000000.00000002.243870600.00000000026DB000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: vHLZ6AHJFY.exe PID: 4640, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 2680, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: vHLZ6AHJFY.exe, 00000000.00000002.243870600.00000000026DB000.00000004.00000001.sdmp, dhcpmon.exe, 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: vHLZ6AHJFY.exe, 00000000.00000002.243870600.00000000026DB000.00000004.00000001.sdmp, dhcpmon.exe, 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Window / User API: threadDelayed 3777
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Window / User API: threadDelayed 4740
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Window / User API: foregroundWindowGot 597
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Window / User API: foregroundWindowGot 710
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe TID: 4932 | Thread sleep time: -42714s >= -30000s
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe TID: 2912 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe TID: 4736 | Thread sleep time: -7378697629483816s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3588 | Thread sleep time: -44543s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5864 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 496 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Thread delayed: delay time: 42714
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 44543
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
        Source: dhcpmon.exe, 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp | Binary or memory string: vmware
        Source: dhcpmon.exe, 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: vHLZ6AHJFY.exe | Binary or memory string: %QeMu
        Source: dhcpmon.exe, 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: dhcpmon.exe, 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: dhcpmon.exe, 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: dhcpmon.exe, 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: dhcpmon.exe, 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Process token adjusted: Debug
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Process created: C:\Users\user\Desktop\vHLZ6AHJFY.exe C:\Users\user\Desktop\vHLZ6AHJFY.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Users\user\Desktop\vHLZ6AHJFY.exe VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Users\user\Desktop\vHLZ6AHJFY.exe VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\vHLZ6AHJFY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match, File source: 13.2.dhcpmon.exe.3f74565.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 13.2.dhcpmon.exe.3f6ff3c.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 13.2.dhcpmon.exe.3f6ff3c.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 13.2.dhcpmon.exe.3f6b106.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.dhcpmon.exe.38fe468.4.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 5.2.dhcpmon.exe.38fe468.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0.2.vHLZ6AHJFY.exe.3a6e468.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 0000000D.00000002.316141333.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: vHLZ6AHJFY.exe PID: 4640, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 2680, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: dhcpmon.exe PID: 6008, type: MEMORYSTR

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: vHLZ6AHJFY.exe, 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp, String found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp, String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection11 | Masquerading2 | Input Capture21 | Query Registry1 | Remote Services | Input Capture21 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery211 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection11 | NTDS | Virtualization/Sandbox Evasion21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Timestomp1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        vHLZ6AHJFY.exe | 31% | Virustotal |
        vHLZ6AHJFY.exe | 22% | ReversingLabs | Win32.Trojan.Pwsx
        vHLZ6AHJFY.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 22% | ReversingLabs | Win32.Trojan.Pwsx

        Unpacked PE Files

        Source | Detection | Scanner | Label
        13.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
        http://www.tiro.com | 0% | URL Reputation | safe
        http://www.goodfont.co.kr | 0% | URL Reputation | safe
        http://www.carterandcone.coml | 0% | URL Reputation | safe
        http://www.sajatypeworks.com | 0% | URL Reputation | safe
        http://www.typography.netD | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
        http://fontfabrik.com | 0% | URL Reputation | safe
        http://www.founder.com.cn/cn | 0% | URL Reputation | safe
        hhjhtggfr.duckdns.org | 0% | Avira URL Cloud | safe
        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
        http://www.sandoll.co.kr | 0% | URL Reputation | safe
        http://www.urwpp.deDPlease | 0% | URL Reputation | safe
        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
        http://www.sakkal.com | 0% | URL Reputation | safe
        dertrefg.duckdns.org | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        hhjhtggfr.duckdns.org | 203.159.80.186 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        hhjhtggfr.duckdns.org | true | Avira URL Cloud: safe | unknown
        dertrefg.duckdns.org | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://www.apache.org/licenses/LICENSE-2.0 | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | | high
        http://www.fontbureau.com | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | | high
        http://www.fontbureau.com/designersG | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | | high
        http://www.fontbureau.com/designers/? | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | | high
        http://www.founder.com.cn/cn/bThe | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers? | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | | high
        http://www.tiro.com | dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers | dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | | high
        http://www.goodfont.co.kr | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.carterandcone.coml | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.sajatypeworks.com | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.typography.netD | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/cabarga.htmlN | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | | high
        http://www.founder.com.cn/cn/cThe | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.galapagosdesign.com/staff/dennis.htm | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://fontfabrik.com | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.founder.com.cn/cn | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers/frere-jones.html | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | | high
        http://www.jiyu-kobo.co.jp/ | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.galapagosdesign.com/DPlease | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.fontbureau.com/designers8 | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | | high
        http://www.fonts.com | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | | high
        http://www.sandoll.co.kr | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.urwpp.deDPlease | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://www.zhongyicts.com.cn | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vHLZ6AHJFY.exe, 00000000.00000002.243485690.0000000002551000.00000004.00000001.sdmp, dhcpmon.exe, 00000005.00000002.293431258.00000000023E1000.00000004.00000001.sdmp | false | | high
        http://www.sakkal.com | vHLZ6AHJFY.exe, 00000000.00000002.251061687.00000000055C0000.00000002.00000001.sdmp, dhcpmon.exe, 00000005.00000002.308306579.0000000005530000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                Contacted IPs


                                Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        203.159.80.186 | hhjhtggfr.duckdns.org | Netherlands | 47987 | LOVESERVERSGB | true

                                Private

                                IP
                                192.168.2.1

                                General Information

        Joe Sandbox Version: 33.0.0 White Diamond
        Analysis ID: 458708
        Start date: 03.08.2021
        Start time: 17:05:42
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 12m 51s
        Hypervisor based Inspection enabled: false
        Report type: full
        Sample file name: vHLZ6AHJFY.exe
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of new started processes analysed: 27
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@8/8@19/2
        EGA Information: Failed
        HDC Information: Failed
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 51
        • Number of non-executed functions: 4
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • Excluded processes from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.42.151.234, 52.147.198.201, 23.211.4.86, 20.50.102.62, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211
        • Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
        • Not all processes were analyzed; the report is missing behavior information.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.

                                Simulations

                                Behavior and APIs

        Time | Type | Description
        17:06:36 | API Interceptor | 1012x Sleep call for process: vHLZ6AHJFY.exe modified
        17:06:44 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        17:06:57 | API Interceptor | 1x Sleep call for process: dhcpmon.exe modified

                                Joe Sandbox View / Context

                                IPs

        Match | Associated Sample Name / URL | Detection | Context
        203.159.80.186 | NEW PO1100372954 -.doc | malicious | newhosteeeee.ydns.eu/putty.exe
        203.159.80.186 | 2711164142.doc | malicious | newhosteeeee.ydns.eu/microF.exe
        203.159.80.186 | N40-MR .doc | malicious | newhosteeeee.ydns.eu/microC.exe
        203.159.80.186 | N40-MR 311.doc | malicious | newhosteeeee.ydns.eu/microA.exe
        203.159.80.186 | PO2100382954 -.doc | malicious | newhosteeeee.ydns.eu/microD.exe
        203.159.80.186 | 2fja1Oszs9.exe | malicious | hutyrtit.ydns.eu/microC.exe

                                Domains

        Match | Associated Sample Name / URL | Detection | Context
        hhjhtggfr.duckdns.org | NEW PO1100372954 -.doc | malicious | 203.159.80.186
        hhjhtggfr.duckdns.org | N40-MR 311.doc | malicious | 203.159.80.186
        hhjhtggfr.duckdns.org | Xjf4yH9N2t.exe | malicious | 203.159.80.186
        hhjhtggfr.duckdns.org | wm4J5m8pIK.exe | malicious | 203.159.80.186
        hhjhtggfr.duckdns.org | WrNhr6yUD8.exe | malicious | 37.0.8.214
        hhjhtggfr.duckdns.org | YjnGfifJ4X.exe | malicious | 203.159.80.101
        hhjhtggfr.duckdns.org | E8NURjuahU.exe | malicious | 203.159.80.101
        hhjhtggfr.duckdns.org | MkASxmQIe3.exe | malicious | 203.159.80.101
        hhjhtggfr.duckdns.org | 6rkqQM8Ldz.exe | malicious | 203.159.80.101
        hhjhtggfr.duckdns.org | bHSfr2q0yu.exe | malicious | 203.159.80.101
        hhjhtggfr.duckdns.org | lqtN3Z5Uzp.exe | malicious | 203.159.80.101
        hhjhtggfr.duckdns.org | Invoice 406496.doc | malicious | 203.159.80.101
        hhjhtggfr.duckdns.org | 1OLlrVAlAE.exe | malicious | 203.159.80.101
        hhjhtggfr.duckdns.org | microC.exe | malicious | 203.159.80.101

                                ASN

                                Match: LOVESERVERS GB
                                Associated Sample Name / URL | Detection | Context
                                Shipping Details.exe | malicious | 203.159.80.118
                                NEW PO1100372954 -.doc | malicious | 203.159.80.165
                                2711164142.doc | malicious | 203.159.80.165
                                N40-MR .doc | malicious | 203.159.80.186
                                N40-MR 311.doc | malicious | 203.159.80.165
                                PO2100382954 -.doc | malicious | 203.159.80.186
                                Xjf4yH9N2t.exe | malicious | 203.159.80.165
                                wm4J5m8pIK.exe | malicious | 203.159.80.186
                                2fja1Oszs9.exe | malicious | 203.159.80.186
                                SKM-582649274924.exe | malicious | 203.159.80.93
                                Shipping Details_PDF.exe | malicious | 203.159.80.118
                                eInvoicing.jar | malicious | 203.159.80.23
                                DyxL4y2hv3.exe | malicious | 203.159.80.165
                                ktWmI8zMGs.exe | malicious | 203.159.80.182
                                fBR05jzjti.exe | malicious | 203.159.80.165
                                Original Shipping .doc | malicious | 203.159.80.165
                                hfJdO3BjO0.exe | malicious | 203.159.80.107
                                No.IV21002542.doc | malicious | 203.159.80.107
                                payment details.doc | malicious | 203.159.80.107
                                DblVVdaNgC.exe | malicious | 203.159.80.107

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Process: C:\Users\user\Desktop\vHLZ6AHJFY.exe
                                File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category: dropped
                                Size (bytes): 835072
                                Entropy (8bit): 7.439063931141525
                                Encrypted: false
                                SSDEEP: 12288:SZdWFS44N+vWrz4C89yIkjPeO6gSxW61AannR6VJj134bGlvpmjz2iN:SbWFSn+vW4F5yPeJgqWkAYngHj1dpY1
                                MD5: E7F52D9D50E6D2776D301B5A7E03B662
                                SHA1: 3382B97A08277306637E074F08814B728BC225CC
                                SHA-256: FCF8936D333A76B64672AE8C445531EFC277C0AD3222720E1C4B43573B681375
                                SHA-512: 924B09B696ED70EF112DE29B61F90AB01E818F901EBA58F21685E95EBE1B4F0810DFBB2D28CDF41B1E1C58CB179EB6DF0A19969180E67ED335EC084E65423FD0
                                Malicious: true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 22%
                                Reputation: low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................P.................. ........@.. ....................... ............@.....................................O...................................x................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........l........... ...X............................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....o^...(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....+..*.0......
                                C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                Process: C:\Users\user\Desktop\vHLZ6AHJFY.exe
                                File Type: ASCII text, with CRLF line terminators
                                Category: dropped
                                Size (bytes): 26
                                Entropy (8bit): 3.95006375643621
                                Encrypted: false
                                SSDEEP: 3:ggPYV:rPYV
                                MD5: 187F488E27DB4AF347237FE461A079AD
                                SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious: true
                                Reputation: high, very likely benign file
                                Preview: [ZoneTransfer]....ZoneId=0
                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                Process: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                File Type: ASCII text, with CRLF line terminators
                                Category: dropped
                                Size (bytes): 1314
                                Entropy (8bit): 5.350128552078965
                                Encrypted: false
                                SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
                                SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                Malicious: false
                                Reputation: unknown
                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vHLZ6AHJFY.exe.log
                                Process: C:\Users\user\Desktop\vHLZ6AHJFY.exe
                                File Type: ASCII text, with CRLF line terminators
                                Category: dropped
                                Size (bytes): 1314
                                Entropy (8bit): 5.350128552078965
                                Encrypted: false
                                SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
                                SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                Malicious: true
                                Reputation: unknown
                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                Process: C:\Users\user\Desktop\vHLZ6AHJFY.exe
                                File Type: data
                                Category: dropped
                                Size (bytes): 2088
                                Entropy (8bit): 7.024371743172393
                                Encrypted: false
                                SSDEEP: 48:Ik/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrwfk/lCrw8:flC0IlC0IlC0IlC0IlC0IlC0IlC0IlCe
                                MD5: 0D6805D12813A857D50D42D6EE2CCAB0
                                SHA1: 78D83F009D842F21FE2AB0EAFFD00E5AAD1776F4
                                SHA-256: 182E0F8AA959549D61C66D049645BA8445D86AEAD2B8C3552A9836FA1E5BD484
                                SHA-512: 5B29496F3AB3CCB915CF37042F4956BB00E577B5F15457A5A739BE1BD50C481FB7E3297EED575DCA7A7BD30ECBC140DD3666CD7DEDD25DFB7AEB41A1B5BEDA4A
                                Malicious: false
                                Reputation: unknown
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                Process: C:\Users\user\Desktop\vHLZ6AHJFY.exe
                                File Type: ISO-8859 text, with no line terminators
                                Category: dropped
                                Size (bytes): 8
                                Entropy (8bit): 3.0
                                Encrypted: false
                                SSDEEP: 3:N4n:W
                                MD5: C2BD38A6DB63769773CAFA759E408A99
                                SHA1: C865D09925B221950EEA216FEAEF74C6F9BB4EE9
                                SHA-256: D62FD7B51C8B8FBD978A82CE646961CA86E5DEE11C3DA8CCF5DF4877A14E56C6
                                SHA-512: 627141212397F00ED3D8E24BDAA2E3B1A3C60ADC3779BA24DF96773F87B04D23E98B1393E684C2B90A529C6012E5D87F818408BDDCAB2E07D0D3D24EA02EBF7A
                                Malicious: true
                                Reputation: unknown
                                Preview: "%:..V.H
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                Process: C:\Users\user\Desktop\vHLZ6AHJFY.exe
                                File Type: data
                                Category: modified
                                Size (bytes): 40
                                Entropy (8bit): 5.153055907333276
                                Encrypted: false
                                SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
                                MD5: 4E5E92E2369688041CC82EF9650EDED2
                                SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
                                SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                Malicious: false
                                Reputation: unknown
                                Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                Process: C:\Users\user\Desktop\vHLZ6AHJFY.exe
                                File Type: data
                                Category: dropped
                                Size (bytes): 327432
                                Entropy (8bit): 7.99938831605763
                                Encrypted: true
                                SSDEEP: 6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                MD5: 7E8F4A764B981D5B82D1CC49D341E9C6
                                SHA1: D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                SHA-256: 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                SHA-512: 880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                Malicious: false
                                Reputation: unknown

                                Static File Info

                                General

                                File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit): 7.439063931141525
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name: vHLZ6AHJFY.exe
                                File size: 835072
                                MD5: e7f52d9d50e6d2776d301b5a7e03b662
                                SHA1: 3382b97a08277306637e074f08814b728bc225cc
                                SHA256: fcf8936d333a76b64672ae8c445531efc277c0ad3222720e1c4b43573b681375
                                SHA512: 924b09b696ed70ef112de29b61f90ab01e818f901eba58f21685e95ebe1b4f0810dfbb2d28cdf41b1e1c58cb179eb6df0a19969180e67ed335ec084e65423fd0
                                SSDEEP: 12288:SZdWFS44N+vWrz4C89yIkjPeO6gSxW61AannR6VJj134bGlvpmjz2iN:SbWFSn+vW4F5yPeJgqWkAYngHj1dpY1
                                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................P.................. ........@.. ....................... ............@................................

                                File Icon

                                Icon Hash: 00828e8e8686b000

                                Static PE Info

                                General

                                Entrypoint: 0x4cd3e6
                                Entrypoint Section: .text
                                Digitally signed: false
                                Imagebase: 0x400000
                                Subsystem: windows gui
                                Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp: 0xFAEB95B0 [Sun May 27 21:08:00 2103 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version: v4.0.30319
                                OS Version Major: 4
                                OS Version Minor: 0
                                File Version Major: 4
                                File Version Minor: 0
                                Subsystem Version Major: 4
                                Subsystem Version Minor: 0
                                Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                (the add byte ptr [eax], al instruction is repeated 97 times: it is how the zero bytes that pad the image after the CLR entry stub decode)

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcd394 | 0x4f | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xce000 | 0x5ec | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0xcd378 | 0x1c | .text
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0xcb3ec | 0xcb400 | False | 0.789118955643 | data | 7.44654724316 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc | 0xce000 | 0x5ec | 0x600 | False | 0.430989583333 | data | 4.2010150696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0xd0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_VERSION | 0xce090 | 0x35c | data | |
                                RT_MANIFEST | 0xce3fc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                Imports

                                DLL | Import
                                mscoree.dll | _CorExeMain

                                Version Infos

                                Description | Data
                                Translation | 0x0000 0x04b0
                                LegalCopyright | Copyright 2020
                                Assembly Version | 1.0.0.0
                                InternalName | GenericSecurityDescript.exe
                                FileVersion | 1.0.0.0
                                CompanyName |
                                LegalTrademarks |
                                Comments |
                                ProductName | Modul VB 3
                                ProductVersion | 1.0.0.0
                                FileDescription | Modul VB 3
                                OriginalFilename | GenericSecurityDescript.exe

                                Network Behavior

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Aug 3, 2021 17:06:41.419050932 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.447469950 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.447678089 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.492496967 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.549215078 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.559194088 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.588100910 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.627763987 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.704857111 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.705209970 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.749450922 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.749484062 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.749509096 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.749532938 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.749650002 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.778403997 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.778470039 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.778492928 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.778517962 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.778541088 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.778562069 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.778578997 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.778590918 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.778614998 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.778701067 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.778711081 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.807434082 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807476044 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807497978 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807518005 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807537079 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807554960 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807564974 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.807574034 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807595015 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807598114 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.807615042 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807637930 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807640076 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.807660103 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807678938 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.807687044 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.807760000 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.807764053 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.808185101 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.808218002 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.808238029 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.808255911 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.808341026 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.836631060 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.836668015 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.836693048 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.836714029 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.836739063 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.836761951 CEST | 8234 | 49715 | 203.159.80.186 | 192.168.2.7
                                Aug 3, 2021 17:06:41.836771011 CEST | 49715 | 8234 | 192.168.2.7 | 203.159.80.186
                                Aug 3, 2021 17:06:41.836785078 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.836807966 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.836831093 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.836852074 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.836857080 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.836877108 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.836899042 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.836924076 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.836925030 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.836949110 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.836971045 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.836977959 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.836993933 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837017059 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837018013 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.837039948 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837061882 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837084055 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837088108 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.837110043 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837133884 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837155104 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837157965 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.837177992 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837199926 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837223053 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837224007 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.837245941 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837269068 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837269068 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.837295055 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837316990 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837338924 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837341070 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.837362051 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.837387085 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.837642908 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.866172075 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866205931 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866225004 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866242886 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866260052 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866277933 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866293907 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866312027 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866328955 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866345882 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866362095 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866378069 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866395950 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866411924 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866429090 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866444111 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866460085 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866475105 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866491079 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866508961 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866525888 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866544962 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866563082 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866578102 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866595030 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866611958 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866630077 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866646051 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866663933 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866681099 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866698980 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866723061 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866749048 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866766930 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866791964 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866815090 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866831064 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.866836071 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866858006 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866880894 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866882086 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.866904020 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866928101 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866930008 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.866951942 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.866954088 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.866980076 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.867002964 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.867012024 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.867026091 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.867048025 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.867069006 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.867072105 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.867093086 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.867125034 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.867212057 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898163080 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898207903 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898231983 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898255110 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898272991 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898277998 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898302078 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898324966 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898327112 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898349047 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898371935 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898372889 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898396015 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898399115 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898425102 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898444891 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898448944 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898468971 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898492098 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898504972 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898514032 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898538113 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898560047 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898564100 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898586988 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898612022 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898617029 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898634911 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898659945 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898660898 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898684025 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898684978 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898708105 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898730993 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898731947 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898752928 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898777008 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898777962 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898803949 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898825884 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898825884 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898849964 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898871899 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898878098 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898894072 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898916006 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898936987 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898957968 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.898962021 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.898987055 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899008036 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899015903 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.899032116 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899054050 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899059057 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.899077892 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899100065 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899125099 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.899137974 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899161100 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899163008 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.899185896 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899209023 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899230003 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899234056 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.899252892 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899255037 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.899276018 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899297953 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.899298906 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.899672985 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.928554058 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928596020 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928620100 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928642035 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928664923 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928689003 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928710938 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928719044 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.928735018 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928756952 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.928760052 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928787947 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928809881 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.928812981 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928836107 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928836107 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.928860903 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928889990 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928910971 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.928913116 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928936958 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.928936958 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928962946 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.928985119 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929004908 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929008007 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929030895 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929053068 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929058075 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929080009 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929085016 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929110050 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929132938 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929153919 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929156065 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929178953 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929182053 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929207087 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929229975 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929248095 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929256916 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929282904 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929303885 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929306984 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929326057 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929328918 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929352999 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929375887 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929397106 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929398060 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929423094 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929447889 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929455996 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929478884 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929482937 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929506063 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929526091 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929533005 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929555893 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929579020 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929579020 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929605007 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929609060 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929629087 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929652929 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929673910 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929676056 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929701090 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929722071 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.929728031 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.929841995 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.958849907 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.958884954 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.958908081 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.958926916 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.958949089 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.958976984 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959000111 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959000111 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.959023952 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959047079 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959048986 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.959069967 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959072113 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.959091902 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959122896 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.959130049 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959163904 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959187031 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959208965 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959230900 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959235907 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.959254980 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959279060 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959301949 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959301949 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.959327936 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959353924 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959358931 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.959378958 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959383011 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.959403038 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959424973 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959431887 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.959458113 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959480047 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959501982 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959511042 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:06:41.959526062 CEST823449715203.159.80.186192.168.2.7
                                Aug 3, 2021 17:06:41.959530115 CEST497158234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:07:57.195497990 CEST497528234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:07:57.282814026 CEST823449752203.159.80.186192.168.2.7
                                Aug 3, 2021 17:07:58.226843119 CEST497528234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:02.455507040 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:02.485275984 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:02.485493898 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:02.487915993 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:02.544874907 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:02.545198917 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:02.579443932 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:02.580991983 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:02.673430920 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:02.881875992 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:02.885284901 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:02.917288065 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:02.921513081 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:02.953090906 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:02.956645966 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:02.988224983 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:03.019445896 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:03.110241890 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:03.243483067 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:03.326483965 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:04.243247986 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:04.326639891 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:05.203648090 CEST823449753203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:05.242993116 CEST497538234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:09.622169018 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:09.652043104 CEST823449756203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:09.652157068 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:09.673048973 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:09.724513054 CEST823449756203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:09.726010084 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:09.759418011 CEST823449756203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:09.762219906 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:09.852384090 CEST823449756203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:10.063718081 CEST823449756203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:10.064599991 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:10.094758034 CEST823449756203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:10.095940113 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:10.126723051 CEST823449756203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:10.126945019 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:10.156347036 CEST823449756203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:10.211694002 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:10.337296009 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:10.419640064 CEST823449756203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:11.353045940 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:11.444211960 CEST823449756203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:12.400043964 CEST497568234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:16.500989914 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:16.530553102 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:16.530796051 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:16.531399012 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:16.593184948 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:16.594063997 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:16.624038935 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:16.625888109 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:16.704998970 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:16.705122948 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:16.792190075 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:16.988661051 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:16.990417957 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:17.019299030 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:17.071683884 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:17.666790009 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:17.714317083 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:17.759059906 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:17.787853003 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:17.791385889 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:17.822164059 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:17.822379112 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:17.852746964 CEST823449757203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:17.899697065 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:18.650876999 CEST497578234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:22.729934931 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:22.761147976 CEST823449758203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:22.762411118 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:22.795623064 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:22.849622011 CEST823449758203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:22.850121021 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:22.880563974 CEST823449758203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:22.882731915 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:23.094213009 CEST823449758203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:23.098165035 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:23.135845900 CEST823449758203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:23.181513071 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:23.210546017 CEST823449758203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:23.211153030 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:23.240161896 CEST823449758203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:23.240397930 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:23.270136118 CEST823449758203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:23.322202921 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:23.776185036 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:23.866684914 CEST823449758203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:24.745383024 CEST497588234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:28.842664003 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:28.871329069 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:28.871474981 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:28.872469902 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:28.927962065 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:28.965029001 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:28.994873047 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:29.041256905 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:29.067025900 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:29.146749973 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:29.562422991 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:29.563651085 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:29.593547106 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:29.635425091 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:29.667346001 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:29.713176012 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:29.718251944 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:29.748380899 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:29.748606920 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:29.779402018 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:29.779689074 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:29.808800936 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:29.853967905 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:29.883708000 CEST823449759203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:29.932120085 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:30.745222092 CEST497598234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:34.823502064 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:34.853494883 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:34.853648901 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:34.856930017 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:34.906431913 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:34.906913996 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:34.936635017 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:34.938385010 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:35.025913954 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:35.438770056 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:35.440076113 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:35.469183922 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:35.510544062 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:35.542313099 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:35.542912960 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:35.575583935 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:35.575654984 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:35.606777906 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:35.651261091 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:35.746001959 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:35.838310003 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:37.544517994 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:37.588884115 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:39.901520967 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:39.948426008 CEST497608234192.168.2.7203.159.80.186
                                Aug 3, 2021 17:08:44.917691946 CEST823449760203.159.80.186192.168.2.7
                                Aug 3, 2021 17:08:44.964485884 CEST497608234192.168.2.7203.159.80.186

                                UDP Packets

                                Timestamp    Source Port    Dest Port    Source IP    Dest IP

                                DNS Queries

                                Timestamp    Source IP    Dest IP    Trans ID    OP Code    Name    Type    Class

                                DNS Answers

                                Timestamp    Source IP    Dest IP    Trans ID    Reply Code    Name    CName    Address    Type    Class

                                Code Manipulations

                                Statistics

                                CPU Usage

                                Memory Usage

                                High Level Behavior Distribution

                                Behavior

                                System Behavior

                                General

                                Start time:17:06:30
                                Start date:03/08/2021
                                Path:C:\Users\user\Desktop\vHLZ6AHJFY.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\vHLZ6AHJFY.exe'
                                Imagebase:0xf0000
                                File size:835072 bytes
                                MD5 hash:E7F52D9D50E6D2776D301B5A7E03B662
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.243870600.00000000026DB000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.246214384.0000000003559000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation:low

                                General

                                Start time:17:06:37
                                Start date:03/08/2021
                                Path:C:\Users\user\Desktop\vHLZ6AHJFY.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\vHLZ6AHJFY.exe
                                Imagebase:0x490000
                                File size:835072 bytes
                                MD5 hash:E7F52D9D50E6D2776D301B5A7E03B662
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:low

                                General

                                Start time:17:06:53
                                Start date:03/08/2021
                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                Imagebase:0x50000
                                File size:835072 bytes
                                MD5 hash:E7F52D9D50E6D2776D301B5A7E03B662
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.296482527.000000000256B000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.302655095.00000000033E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 22%, ReversingLabs
                                Reputation:low

                                General

                                Start time:17:06:59
                                Start date:03/08/2021
                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Imagebase:0x340000
                                File size:835072 bytes
                                MD5 hash:E7F52D9D50E6D2776D301B5A7E03B662
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low

                                General

                                Start time:17:07:00
                                Start date:03/08/2021
                                Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                Imagebase:0xbc0000
                                File size:835072 bytes
                                MD5 hash:E7F52D9D50E6D2776D301B5A7E03B662
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.316057670.0000000002F21000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.315036949.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.316141333.0000000003F29000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.316141333.0000000003F29000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                Reputation:low

                                Disassembly

                                Code Analysis

                                  Executed Functions

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00A66BF0
                                  • GetCurrentThread.KERNEL32 ref: 00A66C2D
                                  • GetCurrentProcess.KERNEL32 ref: 00A66C6A
                                  • GetCurrentThreadId.KERNEL32 ref: 00A66CC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 524439edc9f94387bb0b7b6a75d2adf01bbf3fe09164cebe301df6ed375db113
                                  • Instruction ID: b8eeb242c000a56d3611468b6f47876acc1e9fbd343880c21d2d78c9d9ec5f3e
                                  • Opcode Fuzzy Hash: 524439edc9f94387bb0b7b6a75d2adf01bbf3fe09164cebe301df6ed375db113
                                  • Instruction Fuzzy Hash: F45154B49006498FDB14CFAAD988BDEBBF0FF88304F24806AE459A7260D7745945CF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00A66BF0
                                  • GetCurrentThread.KERNEL32 ref: 00A66C2D
                                  • GetCurrentProcess.KERNEL32 ref: 00A66C6A
                                  • GetCurrentThreadId.KERNEL32 ref: 00A66CC3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 1cfdff903214bb505859b1c1de3bac9d10d2ea013ccae98128119b78f233d54a
                                  • Instruction ID: cd941151cdb767c18155e1981ea11a0fbcc708ec230b6fdb43bcbc39279749ff
                                  • Opcode Fuzzy Hash: 1cfdff903214bb505859b1c1de3bac9d10d2ea013ccae98128119b78f233d54a
                                  • Instruction Fuzzy Hash: 8D5146B09006498FDB14CFAAD588BDEBBF0FF48304F208459E459A7350D7746944CF65
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00A6BE0E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID: 4mx$4mx
                                  • API String ID: 4139908857-1043820660
                                  • Opcode ID: 44780aff2f1b5a0adbf1aff323757f4929ebc8934d529e75d295b48e8264650d
                                  • Instruction ID: ee1bccbbddfff0bffdc5b710a549284d44270394c852d1b231f8f5cffc97ac75
                                  • Opcode Fuzzy Hash: 44780aff2f1b5a0adbf1aff323757f4929ebc8934d529e75d295b48e8264650d
                                  • Instruction Fuzzy Hash: A97134B0A10B058FDB24DF2AC55575ABBF1FF88304F00892DD58ADBA50DB35E946CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00A6DD8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: dc55180650e2155ca7c29632bbe1369db56ef9882bd233aaa3e615aee98a87ca
                                  • Instruction ID: c374b90cea806544e5997978d29fa17b1d3f4c73599b3369597af62ee7b6725f
                                  • Opcode Fuzzy Hash: dc55180650e2155ca7c29632bbe1369db56ef9882bd233aaa3e615aee98a87ca
                                  • Instruction Fuzzy Hash: B841B0B1D00309EFDF14DFA9C884ADEBBB5BF88354F24812AE819AB210D7759945CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A66E3F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: db69fc8ab5b6bfd84c2843c13fc0cbab724a020709d968aca89b748585d0d020
                                  • Instruction ID: 352decfadecb998e4b757772d96b2652e7f7334179380a9cee8709c85dcdb225
                                  • Opcode Fuzzy Hash: db69fc8ab5b6bfd84c2843c13fc0cbab724a020709d968aca89b748585d0d020
                                  • Instruction Fuzzy Hash: E04168B6900248AFCF11CF99D884AEEBFF5EB88310F14806AE944A7360C3359915CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A66E3F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: fff880f93866991a9dfeec50fc93c23e916e88baae11e59f954cad2ca42002ba
                                  • Instruction ID: 8da5ba4ca4d7e5b61446fa3c79651b8dc18b3f83e542ec186a10625d6635a8ba
                                  • Opcode Fuzzy Hash: fff880f93866991a9dfeec50fc93c23e916e88baae11e59f954cad2ca42002ba
                                  • Instruction Fuzzy Hash: 502103B59002089FDB10CFA9D884AEEFBF4FF48320F14801AE954A7310D375A955CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A66E3F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 4075ae129c6d67d211ce857f5d1e8a6b81ac0ebc00a80f7abf57013bfbfcb690
                                  • Instruction ID: be9c013772a5090cf2db27c347329ef5b6e529de2250bcfb8ed589b21642fe98
                                  • Opcode Fuzzy Hash: 4075ae129c6d67d211ce857f5d1e8a6b81ac0ebc00a80f7abf57013bfbfcb690
                                  • Instruction Fuzzy Hash: 0821E4B59003089FDB10CFA9D884BEEBBF8FB48320F14801AE914A7310D375A954CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A6BE89,00000800,00000000,00000000), ref: 00A6C09A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 78260b69eb0c4e1a2fe9d47aab6f05c51b32b7108b741c1d99ba1dadb5abdb63
                                  • Instruction ID: b534e720f4834add3824a9286c666cd4264cf3600fb331d40b10b5f3645f2d5f
                                  • Opcode Fuzzy Hash: 78260b69eb0c4e1a2fe9d47aab6f05c51b32b7108b741c1d99ba1dadb5abdb63
                                  • Instruction Fuzzy Hash: C11106B2904349CFCB20CF9AD444BAEFBF4AB88324F11842EE555A7200C375A945CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A6BE89,00000800,00000000,00000000), ref: 00A6C09A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: f62558778e43b851e4e3941e0cd0903680afb42d54f06605b44b159fa0ba1203
                                  • Instruction ID: 66ae66467da663b23cd1bc3f37fcf7f6cf6eb95a11d82e17f4796e7d55691e6c
                                  • Opcode Fuzzy Hash: f62558778e43b851e4e3941e0cd0903680afb42d54f06605b44b159fa0ba1203
                                  • Instruction Fuzzy Hash: 741114B6C00349CFDB24CF9AD484BEEFBF4AB88324F15852AD455A7200C375A945CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00A6BE0E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 17fe211cbdd45f40ea1b553bacc63240109856b720cd90b6941cb70d3b4909b0
                                  • Instruction ID: 2149e3ca0f404fea7341841443f527828e7e43207c1a584509ddeb27fa96022e
                                  • Opcode Fuzzy Hash: 17fe211cbdd45f40ea1b553bacc63240109856b720cd90b6941cb70d3b4909b0
                                  • Instruction Fuzzy Hash: 1A11D2B6C006498FCB10CF9AC444BDEFBF4EB88324F14845AD969A7600C379A945CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 00A6DF1D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: 8981f831216e9b9009413ef6d99ade333068bb4677526aabb43ab8648f8958ff
                                  • Instruction ID: e2206aaf33f50dc1bc22b9fd47cd394c303dcac8b5176c0c8d92a3a6a66af2c1
                                  • Opcode Fuzzy Hash: 8981f831216e9b9009413ef6d99ade333068bb4677526aabb43ab8648f8958ff
                                  • Instruction Fuzzy Hash: BD11D0B59002499FDB10CF9AD588BDEBBF8EB88324F10845AE959A7600C374A944CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242953054.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 741a9c502663439a743eaf37f0b0dd72c820d103188ce8cb260a8d82347e6f0b
                                  • Instruction ID: 348ab70bc2973870eba098a806629b301cb7e8d91783c0cde9bd2526c966b5e2
                                  • Opcode Fuzzy Hash: 741a9c502663439a743eaf37f0b0dd72c820d103188ce8cb260a8d82347e6f0b
                                  • Instruction Fuzzy Hash: B221F5B1588344DFDB24EF14D9C4B26BB65FB88324F24C569D9494B286C33ADC46CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242953054.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f442e12a0ed85cfe1762be029f9334f1e608e9f993b798becb561f8831fe14b
                                  • Instruction ID: 6e2fe59541919f7a5495822346d7020c1d83b32346b69b4bb81ace93995b7058
                                  • Opcode Fuzzy Hash: 6f442e12a0ed85cfe1762be029f9334f1e608e9f993b798becb561f8831fe14b
                                  • Instruction Fuzzy Hash: 472107B1588244DFDB15EF54D9C4F26BBA5FB88324F24C569E9094B282C33ADC46CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242953054.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 140eabb80c80f3bcf642b4b34e196c70f529ea9b94f5b972a75821fe3ac4ed61
                                  • Instruction ID: 37704266f578c76046663b190622c881b169f8b908eaba4e5f3077438652d577
                                  • Opcode Fuzzy Hash: 140eabb80c80f3bcf642b4b34e196c70f529ea9b94f5b972a75821fe3ac4ed61
                                  • Instruction Fuzzy Hash: DE119D75944280DFCB11DF14D5C4B15FBB1FB84324F28C6ADD8494B696C33AD84ACB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242953054.000000000078D000.00000040.00000001.sdmp, Offset: 0078D000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 140eabb80c80f3bcf642b4b34e196c70f529ea9b94f5b972a75821fe3ac4ed61
                                  • Instruction ID: 46dd96d6f0dfb21d16782382bf2011b32e91818ed2cfce370f58cb52e4bc120e
                                  • Opcode Fuzzy Hash: 140eabb80c80f3bcf642b4b34e196c70f529ea9b94f5b972a75821fe3ac4ed61
                                  • Instruction Fuzzy Hash: B311D075548280CFCB11DF10D5C4B15FB71FB48324F24C6A9D8494B696C33AD84ACBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242593423.00000000000F2000.00000002.00020000.sdmp, Offset: 000F0000, based on PE: true
                                  • Associated: 00000000.00000002.242585861.00000000000F0000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d84788326d140bcfde10dc07da9d92289429e532c9b23f0d54c49f940813853a
                                  • Instruction ID: e0f3ff24f4b89d73b0bc32185bbf724ecd8b2805c7525715c084f0b6eb90e5f5
                                  • Opcode Fuzzy Hash: d84788326d140bcfde10dc07da9d92289429e532c9b23f0d54c49f940813853a
                                  • Instruction Fuzzy Hash: E143F00104FBC21FD7038BB82D316E6BFB66E9322434E44C7D9C08B9A3D5055A69E776
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.243239898.0000000000A60000.00000040.00000001.sdmp, Offset: 00A60000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 62f9aecb0eee588d5587ed95c0ab9d42ff497068c37d5bd2008be3befdde3b14
                                  • Instruction ID: 4090b3f25dd9f4a2944e49342b20514d9195163ae22a9ccb4900b2982e650bb7
                                  • Opcode Fuzzy Hash: 62f9aecb0eee588d5587ed95c0ab9d42ff497068c37d5bd2008be3befdde3b14
                                  • Instruction Fuzzy Hash: 2A5238B1501B46CBD720CF96EC983AD7BB1FB44328FA04318D2A15BAA2D7F4654ADF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.311516315.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d12bd52ce20f8416c245573c49ebda5086b4a3555cca758f9744ac8783fd2061
                                  • Instruction ID: 0e6c52f3978c07b4a8384320454b41356a91195c92e1e37c9eea354d0cb284e5
                                  • Opcode Fuzzy Hash: d12bd52ce20f8416c245573c49ebda5086b4a3555cca758f9744ac8783fd2061
                                  • Instruction Fuzzy Hash: 1D215574E15219DFEB50EFA9D854BEEBBF8AF4A701F24542AE405F3640EB34C940CA64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.311516315.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 52a783bc8eb97e69a19423ac1a96a6b44e62113cdfc9e2a8e6b208d8e41da2a2
                                  • Instruction ID: b78b2b035bfabc8295ec43eb4123afd7c07ca8e876c98bccb421abc323a89e90
                                  • Opcode Fuzzy Hash: 52a783bc8eb97e69a19423ac1a96a6b44e62113cdfc9e2a8e6b208d8e41da2a2
                                  • Instruction Fuzzy Hash: 80213370E11219AFDB51DFA8D898BEEBBF5AB0A700F244429E441F3680D738C944CB64
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1BE0E
                                  Strings
                                  • AAABAC4AAAABAC4AAAABAC4AAAABAC4AAAABAAwEAAACABEEAAADABYEAAABAAwEAAACABEEAAADABYEAAABAEgEAAABAEgEAAABAEgEAAABAKEEAAABAKEEAAABAKEEAA, xrefs: 00C1BC60
                                  • 4mn, xrefs: 00C1BD6B
                                  • 4mn, xrefs: 00C1BD46
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID: 4mn$4mn$AAABAC4AAAABAC4AAAABAC4AAAABAC4AAAABAAwEAAACABEEAAADABYEAAABAAwEAAACABEEAAADABYEAAABAEgEAAABAEgEAAABAEgEAAABAKEEAAABAKEEAAABAKEEAA
                                  • API String ID: 4139908857-690385783
                                  • Opcode ID: 45af586c5f4f7397e4133f4c51695ed2fb567c16f9283e456a7083b7ba7c2109
                                  • Instruction ID: 156e83037cfebf2515df3f58eddd9702fbf924bef8f2bd859e11dfa2efd73dc8
                                  • Opcode Fuzzy Hash: 45af586c5f4f7397e4133f4c51695ed2fb567c16f9283e456a7083b7ba7c2109
                                  • Instruction Fuzzy Hash: 947125B0A00B058FD724DF2AD45179ABBF1BF89304F00892DE59ADBA40DB34E9458F91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06980276
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.311516315.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 0f19ed42d6e7b2636b187317ef77568fac00b8b9e37cec576656a0a5949bfafd
                                  • Instruction ID: b75e922eb3cd42649740bdfad99f3267d607e25173681d4da3cb5f95b39628b1
                                  • Opcode Fuzzy Hash: 0f19ed42d6e7b2636b187317ef77568fac00b8b9e37cec576656a0a5949bfafd
                                  • Instruction Fuzzy Hash: 55A1CB30D04359CFDB11DFA4C880BDEBBB2AF49314F1581AAE848A7690DB749989CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06980276
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.311516315.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 197bcc0cfba95966c5611fc6bec383eb45c54964879674b699f00ba8b57fbcf5
                                  • Instruction ID: 8e8800462a18f563a9731be7376c8b54d4443a665ebbe4296cc1f5f669a9865f
                                  • Opcode Fuzzy Hash: 197bcc0cfba95966c5611fc6bec383eb45c54964879674b699f00ba8b57fbcf5
                                  • Instruction Fuzzy Hash: 6F915971D00219CFDF60DFA8C880BDEBAB2BF48314F158569E859A7680DB749989CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C1DD8A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: f56964a1afae890e969fc53f0d45ca23ba1b4938065aa9f5d32fb60024a78431
                                  • Instruction ID: 9f02c0eed47a5288a4473312ffe9d87bdbd69c0f43684bede5268abba138f342
                                  • Opcode Fuzzy Hash: f56964a1afae890e969fc53f0d45ca23ba1b4938065aa9f5d32fb60024a78431
                                  • Instruction Fuzzy Hash: 6B51D1B1D00349EFDF14CF99D884ADEBBB5BF49310F24852AE819AB210D7749985CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00C1DD8A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 6117dc9735a1504b81b9900590b91f2efc78f16611751d30036a681b2dc31b5e
                                  • Instruction ID: 538a06c8053e8d0fd813a8de6b03eb4ae90e7a1de524605b690c7ee4ddb65680
                                  • Opcode Fuzzy Hash: 6117dc9735a1504b81b9900590b91f2efc78f16611751d30036a681b2dc31b5e
                                  • Instruction Fuzzy Hash: 4751D0B1D00349EFDF14DF9AD884ADEBBB1BF48314F24812AE819AB210D7749985CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C16E3F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 05bb0ca931898d6577b507548acc5491eeb5ace5b24200a955aba84c5b49dff8
                                  • Instruction ID: 8d9d2eeb73cd25e826b80680f72f54f2fc08af72946810b8ab61b89310164567
                                  • Opcode Fuzzy Hash: 05bb0ca931898d6577b507548acc5491eeb5ace5b24200a955aba84c5b49dff8
                                  • Instruction Fuzzy Hash: 474159769002589FCF01CF99D884ADEBFF5EB49320F14802AE954E7261D3349955DFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 00C1DF1D
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: 0292ad1bf7116a5061f695b530acbdafc8bbbfaca0dc74fd9bda96c8d9691af6
                                  • Instruction ID: fdcf1c70981a7a30e7290b9f5cff5f1cac0ef5a5ac2bb009acec7a9bea84e567
                                  • Opcode Fuzzy Hash: 0292ad1bf7116a5061f695b530acbdafc8bbbfaca0dc74fd9bda96c8d9691af6
                                  • Instruction Fuzzy Hash: EE21A9B5800249DFDB10CFA4D488BDEBFF4EF89324F08805AE419AB211C334AA45DFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C16E3F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 22bab4171af813491aa4f8683f353ed1d201f0514d21b493dbbea48961ecbea1
                                  • Instruction ID: 1eac605a9d70c8dcceffc50c0e9f3b3d83ca42f709b8663dd8f51500b3effef0
                                  • Opcode Fuzzy Hash: 22bab4171af813491aa4f8683f353ed1d201f0514d21b493dbbea48961ecbea1
                                  • Instruction Fuzzy Hash: E021D2B59012499FDB10CFA9D884ADEBBF4EF48324F14842AE914A7250D378AA55CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C16E3F
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: d65dadf9e7fbebef111c743ce5bcbf4639bc59e6f95556c8804d441b89cf8fed
                                  • Instruction ID: f337ac1da7be9f3693d274f3e637bfea894055fcae0d17b67272c290c21711a0
                                  • Opcode Fuzzy Hash: d65dadf9e7fbebef111c743ce5bcbf4639bc59e6f95556c8804d441b89cf8fed
                                  • Instruction Fuzzy Hash: 4721C4B59002499FDF10CFA9D884ADEBBF8FF48324F14851AE914A7310D374AA54CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C1BE89,00000800,00000000,00000000), ref: 00C1C09A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 592037ddeb73d4077b3d962837629a3f6faca759704968706352c7d78e4ecb73
                                  • Instruction ID: 4cbf86293bb456503f70f08557c4c072c58b3cc712200fb9260d8de8f7824268
                                  • Opcode Fuzzy Hash: 592037ddeb73d4077b3d962837629a3f6faca759704968706352c7d78e4ecb73
                                  • Instruction Fuzzy Hash: 921106B6900309DFDB10CF9AC484BDEFBF4AB49354F14852AE515A7200C375AA45CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C1BE89,00000800,00000000,00000000), ref: 00C1C09A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: c545abf69108d57189594e685cc8148f191e7acd29030c4fc88f50a8b5906bd5
                                  • Instruction ID: e99aed4157b476b5269bf457b83e56bc1abdd6024a5462a6c605f4613740ebf7
                                  • Opcode Fuzzy Hash: c545abf69108d57189594e685cc8148f191e7acd29030c4fc88f50a8b5906bd5
                                  • Instruction Fuzzy Hash: 1B1106B69003099FCB10CF9AC484BDEFBF4EB49324F15852AE519A7200C375AA45CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 069830BD
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.311516315.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: ee0d6a4cc8dd6124e634386dccbdde047d6046ed2136be8dc0485c5545b47cca
                                  • Instruction ID: a1f82b385e841fb81bbedc394d32c229d20dd577207243a18b6ed7dc74c6c8e4
                                  • Opcode Fuzzy Hash: ee0d6a4cc8dd6124e634386dccbdde047d6046ed2136be8dc0485c5545b47cca
                                  • Instruction Fuzzy Hash: 0A11F2B68003499FDB10DF99D885BDEBBF8EB48364F10841AE459A7600D375AA85CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1BE0E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: d643ec3068cb434f50e3063157094be85ee8381f172a25bc8b0526f1e247e9eb
                                  • Instruction ID: 2e9b4e8dd9e5155795b1a4abe313857b46180764e9f464c5e7f595a8a9265a19
                                  • Opcode Fuzzy Hash: d643ec3068cb434f50e3063157094be85ee8381f172a25bc8b0526f1e247e9eb
                                  • Instruction Fuzzy Hash: 2111E3B5D006498FDB10CF9AD444BDEFBF4EF89324F14855AD529A7600C374AA45CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 00C1DF1D
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: 2528783c5796c2b64452e57ac8afaf107097451e68d224bc0121c170f804339d
                                  • Instruction ID: 23855a4bdc1102e2e8ee6a3b6d7a8b5e9a092a10dd5451ee84546b7cbee86e4e
                                  • Opcode Fuzzy Hash: 2528783c5796c2b64452e57ac8afaf107097451e68d224bc0121c170f804339d
                                  • Instruction Fuzzy Hash: 3811E5B58002499FDB10CF99D484BDEFBF8EB49324F14851AE955A7700C374AA45CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,?,?,?), ref: 069830BD
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.311516315.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 0d08fc0a9743a719112801671bf4859906a72f74906f8a8acff439169a92ac53
                                  • Instruction ID: d6d81ecf3a2bd8eb836214cc7dce98990a334f07f274e1cd554aeeef637bafd8
                                  • Opcode Fuzzy Hash: 0d08fc0a9743a719112801671bf4859906a72f74906f8a8acff439169a92ac53
                                  • Instruction Fuzzy Hash: 8B11D3B58003499FDB10DF99D884BDEBBF8EB48324F148459E555A7600C375AA84CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.291589884.00000000006DD000.00000040.00000001.sdmp, Offset: 006DD000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ee436d51eff081b4daa1bab19b2cd33866105f4bf41f94d56dd553eec8bbded8
                                  • Instruction ID: 827e4f0dbba42893885f7c4c28f197ae08a5fccf3fdee4d2f733b8dcf0ea50ac
                                  • Opcode Fuzzy Hash: ee436d51eff081b4daa1bab19b2cd33866105f4bf41f94d56dd553eec8bbded8
                                  • Instruction Fuzzy Hash: E72128B1904244DFCB14EF14E9C0F26BBA6FB88328F24856AE9054B346C336DC56CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.291645597.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 54b18e0d06a78167ac9b39003ec345654c6f805972789d4e728802208d23d671
                                  • Instruction ID: ce1badb36cfabca77a920788aec29caa2916ee971b5f35a9f945f4c04420f4f9
                                  • Opcode Fuzzy Hash: 54b18e0d06a78167ac9b39003ec345654c6f805972789d4e728802208d23d671
                                  • Instruction Fuzzy Hash: 6D21C2B5508384DFDB14DF14D9C4B26BBA6FB88314F38C569E94A4B346C33AD847CA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.291645597.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a4823ef9808b37ada3f23253a2a5718a39e00c7bdc2e51d906f976cf9278fd8
                                  • Instruction ID: b839ac1e1c5b0ce647322f4cedc6a8a26b250611cf02a052568ff82732872509
                                  • Opcode Fuzzy Hash: 7a4823ef9808b37ada3f23253a2a5718a39e00c7bdc2e51d906f976cf9278fd8
                                  • Instruction Fuzzy Hash: 732107B5508384EFDB05CF11D9C0B26BBA6FB88318F24C569EB094B346C336DD46CA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.291645597.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 45b14485200c083e6e4f5e7da07dc4ca3aabfc7fcdabea57ac3579e83add840e
                                  • Instruction ID: 1aac10c2cb3b0895a6878172a15c3981d468121b022cd5d8b566636e73ea9854
                                  • Opcode Fuzzy Hash: 45b14485200c083e6e4f5e7da07dc4ca3aabfc7fcdabea57ac3579e83add840e
                                  • Instruction Fuzzy Hash: BF2162755093C08FCB12CF24D994B55BF71EB46314F28C5DAD8498F6A7C33A984ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.291589884.00000000006DD000.00000040.00000001.sdmp, Offset: 006DD000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c7feb3e148df0d882d57e988f233f348349f9b6130584996fd795daa038d2b7a
                                  • Instruction ID: 9d3d9ff45570fe1882ba7d43be11d04cba418f24bcbfd14601dca60fa424fe0d
                                  • Opcode Fuzzy Hash: c7feb3e148df0d882d57e988f233f348349f9b6130584996fd795daa038d2b7a
                                  • Instruction Fuzzy Hash: 9811B176804280DFCB11DF10D9C4B56BF72FB98324F2486AAD8050B756C33AD856CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.291645597.00000000006ED000.00000040.00000001.sdmp, Offset: 006ED000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 140eabb80c80f3bcf642b4b34e196c70f529ea9b94f5b972a75821fe3ac4ed61
                                  • Instruction ID: 6621e2a294ea128e9b8c914c7230332680760b7c4315b2ebdc90d349078e7a80
                                  • Opcode Fuzzy Hash: 140eabb80c80f3bcf642b4b34e196c70f529ea9b94f5b972a75821fe3ac4ed61
                                  • Instruction Fuzzy Hash: E9118B75904280DFCB11CF10D5C4B55BBB2FB84324F28C6A9DA494B796C33AD94ACB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.291589884.00000000006DD000.00000040.00000001.sdmp, Offset: 006DD000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 29a115cbbe6d7a405b0244620159870bcc959a84b0e8dbea16705af4fc3cbf27
                                  • Instruction ID: 70429060be4bebf54d39039b7e3e51d354102f91270005c7a50b8b24ccb3f1f7
                                  • Opcode Fuzzy Hash: 29a115cbbe6d7a405b0244620159870bcc959a84b0e8dbea16705af4fc3cbf27
                                  • Instruction Fuzzy Hash: 8801A771909344AEE7106A15DCC4BA6BBA8EF45764F18C4ABED445A346C3789C44CAB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.291589884.00000000006DD000.00000040.00000001.sdmp, Offset: 006DD000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 088dbba4d99e431c742933cfa046a59cf9a4de7b81aaed06d4b99aef7234a2e0
                                  • Instruction ID: 7c953506089b292e08102212b3d094617d59c52e3511bd16809a560024e8088d
                                  • Opcode Fuzzy Hash: 088dbba4d99e431c742933cfa046a59cf9a4de7b81aaed06d4b99aef7234a2e0
                                  • Instruction Fuzzy Hash: 82F062718042449EEB248A16DCC4BA2FBA8EB55734F18C59AED485B386C3789C44CAB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.311516315.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 016fa2c45d6094ee2080be195ae3861e468388cba16f4076f33dc15a7a0d144b
                                  • Instruction ID: 27c3170c5c333ad4b72b56562ea3a8ecb6779ff79d3d85e811ec4ccd2959293b
                                  • Opcode Fuzzy Hash: 016fa2c45d6094ee2080be195ae3861e468388cba16f4076f33dc15a7a0d144b
                                  • Instruction Fuzzy Hash: B0119630C012A98FDB10EFA4C458BFEBBF0AF4A305F14506AD442B7280CB388945CAA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.311516315.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eb353abf5ea4bc08262bd98e45a6e690e50f360cc03d6c934ac756e3db76260e
                                  • Instruction ID: 0bba7b44930bdcaf01d7db56d63b91fcb186d8ca6348006fd9cb3a9ebabccda1
                                  • Opcode Fuzzy Hash: eb353abf5ea4bc08262bd98e45a6e690e50f360cc03d6c934ac756e3db76260e
                                  • Instruction Fuzzy Hash: F9115730D052998FDB54EFA5C818BEEBAF1AF4E700F14946AD101B7690CB788944CBA8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

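Each entry above records the Win32 APIs a recovered function references, the memory dump region the function was found in, and whether that region is backed by a PE image ("based on PE: false" means the code lives in memory no on-disk image maps to). For triage it helps to flatten this listing into a per-region view so that process creation, handle duplication and library loading reached from non-image-backed memory stand out. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in the report's layout, groups referenced APIs by dump region and flags watch-listed calls from regions without PE backing. The sample entries are constructed in the report's layout from the lines above, the watch list is an assumed triage choice, and reading the first field of the dump file name as the report's process number is an assumption about the naming scheme.

```python
import re
from collections import defaultdict

# Constructed sample input: three entries in the layout the report uses
# (API reference line, optional Strings, Memory Dump Source line).
SAMPLE = """\
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06980276
Memory Dump Source
• Source File: 00000005.00000002.311516315.0000000006980000.00000040.00000001.sdmp, Offset: 06980000, based on PE: false
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00C1BE0E
Strings
• 4mn, xrefs: 00C1BD6B
Memory Dump Source
• Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C16E3F
Memory Dump Source
• Source File: 00000005.00000002.293270772.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
Uniqueness Score: -1.00%
"""

# Matches "• CreateProcessA.KERNELBASE(?,?), ref: 06980276"
API_RE = re.compile(
    r"^[•*-]?\s*(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Matches "Source File: <dump>.sdmp, Offset: 06980000, based on PE: false"
SRC_RE = re.compile(
    r"Source File:\s*(?P<file>[^,\s]+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)",
    re.IGNORECASE,
)

# Assumed triage watch list: APIs worth a second look when reached from
# memory that no PE image backs (typical building blocks of an injected
# or unpacked stub).
WATCHLIST = {"CreateProcessA", "CreateProcessW", "DuplicateHandle",
             "LoadLibraryExW", "LoadLibraryW", "SetWindowLongW"}


def parse_entries(text):
    """Split a listing into blank-line separated entries.

    Each entry becomes {"apis": [{"api", "module", "ref"}], "source": {...}};
    entries without a Memory Dump Source line are dropped.
    """
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        apis, source = [], None
        for raw in chunk.splitlines():
            line = raw.strip()
            m = API_RE.match(line)
            if m:
                apis.append({"api": m["api"], "module": m["mod"],
                             "ref": int(m["ref"], 16)})
                continue
            m = SRC_RE.search(line)
            if m:
                source = {"file": m["file"], "offset": int(m["off"], 16),
                          "pe_backed": m["pe"].lower() == "true"}
        if source is not None:
            entries.append({"apis": apis, "source": source})
    return entries


def process_index(dump_file):
    """Leading hex field of the dump name, read here as the report's process
    number (assumption about the filename layout, e.g. 0000000D -> 13)."""
    return int(dump_file.split(".")[0], 16)


def apis_by_region(entries):
    """Map dump file -> set of API names referenced from that region."""
    regions = defaultdict(set)
    for e in entries:
        regions[e["source"]["file"]].update(a["api"] for a in e["apis"])
    return dict(regions)


def flag_non_image_calls(entries):
    """Return sorted (process, region offset, api, call site) tuples for
    watch-listed APIs reached from memory not backed by a PE image."""
    hits = set()
    for e in entries:
        src = e["source"]
        if src["pe_backed"]:
            continue
        for a in e["apis"]:
            if a["api"] in WATCHLIST:
                hits.add((process_index(src["file"]), src["offset"],
                          a["api"], a["ref"]))
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for region, names in apis_by_region(parsed).items():
        print(region, sorted(names))
    for pid, off, api, ref in flag_non_image_calls(parsed):
        print(f"process {pid}: {api} at {ref:08X} from non-image region {off:08X}")
```

Run it over the full function listing (copied as plain text) rather than the sample and the per-region view collapses the many near-duplicate entries above into one line per dump region; the two regions from process 5 in this report both come up as non-image-backed code reaching CreateProcessA, DuplicateHandle and LoadLibraryExW, which is the part of the listing worth correlating with the injection and persistence signatures in the overview.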
                                  Executed Functions

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 694c57ed2eb8f0a04844a98ae0f57efb56c7547f81fac264b6c096163109834e
                                  • Instruction ID: b9ceee020c26337169750ed82f947f80ad2fd566dd06395034debb11a7d79fb0
                                  • Opcode Fuzzy Hash: 694c57ed2eb8f0a04844a98ae0f57efb56c7547f81fac264b6c096163109834e
                                  • Instruction Fuzzy Hash: 4F712470A04B058FD764DF2AC444BABB7F1BF88204F108A6ED58AD7B80DB34E845CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0540FD0A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: b562a76821d4c122e983bc31e8fb1e8d7cd6f7f8dda230d125c4441dd8397f84
                                  • Instruction ID: 56c4fef7ac14d99e74a35835efca9fc87288367b603d0bc150271008aeace701
                                  • Opcode Fuzzy Hash: b562a76821d4c122e983bc31e8fb1e8d7cd6f7f8dda230d125c4441dd8397f84
                                  • Instruction Fuzzy Hash: F06156B1D04348AFCB15CFA9C890ACEBFB1BF49314F2881AEE415AB252D7359846CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0540FD0A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: dc3dfb51d178f095fb8fc246d0eb81493a8a9282e24d0a876f16983e24d38d43
                                  • Instruction ID: 8976f3cbd406db769535442ebb77a4f76a38092d03a106bf39e4a1c839b78776
                                  • Opcode Fuzzy Hash: dc3dfb51d178f095fb8fc246d0eb81493a8a9282e24d0a876f16983e24d38d43
                                  • Instruction Fuzzy Hash: FC511271C04249AFCF15CFA9C884ADEBFB1FF49314F24816AE819AB261D7359985CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0540FD0A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 602795c582f42977ffadeb164aa013c5241f1068d73d44abbc170427a3211830
                                  • Instruction ID: 65d8fb99475b3341019389f21dbb09adca5d61504fc6ad49a74a6f16bb96061e
                                  • Opcode Fuzzy Hash: 602795c582f42977ffadeb164aa013c5241f1068d73d44abbc170427a3211830
                                  • Instruction Fuzzy Hash: 7151C0B1D10309AFDB14CFA9C884ADEBBB5BF48314F24816AE819AB250D7759985CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0540BCC6,?,?,?,?,?), ref: 0540BD87
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 3279d77e70ed96b86e519c6a0a671b69fbe84e2e1c30e0f72d3ee2f329857a6a
                                  • Instruction ID: 7829bdcbc048413a3b46de2a3729fd53de8d34e152e3d2ed499795d4eed47266
                                  • Opcode Fuzzy Hash: 3279d77e70ed96b86e519c6a0a671b69fbe84e2e1c30e0f72d3ee2f329857a6a
                                  • Instruction Fuzzy Hash: BB21F4B59002089FCB10CF99D884BDEFBF4FB48310F14806AE914A3350C378A941CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0540BCC6,?,?,?,?,?), ref: 0540BD87
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: fb5dbfa838d5b9d3dddca519996cafdbd09629aa1581a18743df4eda85e3f71f
                                  • Instruction ID: 6f188637cf4ae1e408ff64980965f306fd2174cf0644361deec54340d67a2e62
                                  • Opcode Fuzzy Hash: fb5dbfa838d5b9d3dddca519996cafdbd09629aa1581a18743df4eda85e3f71f
                                  • Instruction Fuzzy Hash: 0B2105B59002489FCB10CF99D584AEEFBF4FF48324F14846AE954A3310C338AA45CF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,054096A9,00000800,00000000,00000000), ref: 054098BA
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: aa40becde9a57a5648d71df4d35b2ae104f17b1c39790274319d50347f195307
                                  • Instruction ID: 154dd9abc8e9777d8494f630364a76607ccf6fd0defbb7bbfb2ada4d17a13fef
                                  • Opcode Fuzzy Hash: aa40becde9a57a5648d71df4d35b2ae104f17b1c39790274319d50347f195307
                                  • Instruction Fuzzy Hash: 0311F2B69042098BDB10CF9AC444BDEBBF4EB48324F14846AE529A7740C375A945CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,054096A9,00000800,00000000,00000000), ref: 054098BA
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: fee72af651ecdaf70215befda1dea120116836b2a64c0b38ebd10beb6e5405cd
                                  • Instruction ID: 3daf0b2ce945fb33f0343417da0df5b9569e33d3beccd7c8b201e0cc540a7827
                                  • Opcode Fuzzy Hash: fee72af651ecdaf70215befda1dea120116836b2a64c0b38ebd10beb6e5405cd
                                  • Instruction Fuzzy Hash: 001103B28002098FDB10CF9AC444BDEFBF4EB88324F14846AD429A7340C379A945CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,054093FB), ref: 0540962E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 7e89e7d5b01ee0729926c6af706f11769006b086c53e77a9ef9549dcc95a38ef
                                  • Instruction ID: a976df746b8a6a91416b3676865fcd0de1a28a777477465dca478a1364ddfc30
                                  • Opcode Fuzzy Hash: 7e89e7d5b01ee0729926c6af706f11769006b086c53e77a9ef9549dcc95a38ef
                                  • Instruction Fuzzy Hash: 5F1104B1D006498FCB10CF9AD444BDFFBF4EB88214F14886AD429A7241C374A545CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0540FE28,?,?,?,?), ref: 0540FE9D
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: 8a9ee2e2338ad6d00957e118bb16c354346f2bc57fb03f8f540555ed905499e5
                                  • Instruction ID: 91ea2b584f73245d4a2d60e9cb59d3f4d251cb2d041b43e91e50c37a9a22e462
                                  • Opcode Fuzzy Hash: 8a9ee2e2338ad6d00957e118bb16c354346f2bc57fb03f8f540555ed905499e5
                                  • Instruction Fuzzy Hash: B011E0B58002489FDB10CF99D489BDEBBF8EB48324F10845AE819A7241C378A944CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,0540FE28,?,?,?,?), ref: 0540FE9D
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.316545194.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: 1f283340fc1600f186db3b24b8e61908c3626b4a1fa4802512919920d2457697
                                  • Instruction ID: 3b0e39a74801e0822c259d5590304335903de9eae78da4d30f12440ca5450fb4
                                  • Opcode Fuzzy Hash: 1f283340fc1600f186db3b24b8e61908c3626b4a1fa4802512919920d2457697
                                  • Instruction Fuzzy Hash: 6A1106B59002489FDB20CF99D485BDFBBF8FB48324F10846AE915A7341C374A944CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions