Windows Analysis Report gcsEBQO3BV.exe

Overview

General Information

Sample Name: gcsEBQO3BV.exe
Analysis ID: 458901
MD5: 008a85f2c1cf538f42f94a7e88ca88c7
SHA1: b7f9e6b4177b88ae459d5aee069f06f1b7ad5485
SHA256: 4ee50840eec3ef82a73866bd6f2e00b42789a76f348bef3c01f98124edcef8b8
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • gcsEBQO3BV.exe (PID: 6300 cmdline: 'C:\Users\user\Desktop\gcsEBQO3BV.exe' MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
    • schtasks.exe (PID: 4240 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gcsEBQO3BV.exe (PID: 3484 cmdline: {path} MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
    • gcsEBQO3BV.exe (PID: 6100 cmdline: {path} MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
      • schtasks.exe (PID: 6416 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A48.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6792 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E8F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • gcsEBQO3BV.exe (PID: 6664 cmdline: C:\Users\user\Desktop\gcsEBQO3BV.exe 0 MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
    • schtasks.exe (PID: 6024 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpE955.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gcsEBQO3BV.exe (PID: 1444 cmdline: {path} MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
  • dhcpmon.exe (PID: 2456 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
    • schtasks.exe (PID: 6844 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 6408 cmdline: {path} MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
  • dhcpmon.exe (PID: 2212 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 008A85F2C1CF538F42F94A7E88CA88C7)
    • schtasks.exe (PID: 6528 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 7120 cmdline: {path} MD5: 008A85F2C1CF538F42F94A7E88CA88C7)

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "f0d143be-967c-4293-98d3-3a1e128b", "Group": "BotNet", "Domain1": "microsoftsecurity.sytes.net", "Domain2": "backupnew.duckdns.org", "Port": 1177, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    
<Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.923339846.0000000007930000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x5fee:$x1: NanoCore.ClientPluginHost
  • 0x602b:$x2: IClientNetworkHost

Unpacked PEs

Source | Rule | Description | Author | Strings
31.2.dhcpmon.exe.2fd9684.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
31.2.dhcpmon.exe.2fd9684.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
12.2.gcsEBQO3BV.exe.78a0000.26.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x3deb:$x1: NanoCore.ClientPluginHost
  • 0x3f48:$x2: IClientNetworkHost
12.2.gcsEBQO3BV.exe.78a0000.26.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x3deb:$x2: NanoCore.ClientPluginHost
  • 0x4d41:$s3: PipeExists
  • 0x3fe1:$s4: PipeCreated
  • 0x3e05:$s5: IClientLoggingHost
12.2.gcsEBQO3BV.exe.7880000.24.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x13a8:$x1: NanoCore.ClientPluginHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\gcsEBQO3BV.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\gcsEBQO3BV.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\gcsEBQO3BV.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\gcsEBQO3BV.exe, ProcessId: 6100, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore (same configuration as listed under Malware Configuration)
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe, ReversingLabs: Detection: 63%
Multi AV Scanner detection for submitted file
Source: gcsEBQO3BV.exe, Virustotal: Detection: 50%
Source: gcsEBQO3BV.exe, ReversingLabs: Detection: 63%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: gcsEBQO3BV.exe, Joe Sandbox ML: detected
Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 34.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.gcsEBQO3BV.exe.6930000.18.unpack, Avira: Label: TR/NanoCore.fadte
Source: 31.2.dhcpmon.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: gcsEBQO3BV.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: gcsEBQO3BV.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\gcsEBQO3BV.exe, Code function: 4x nop then lea esp, dword ptr [ebp-04h] 12_2_06E5BC00
Source: C:\Users\user\Desktop\gcsEBQO3BV.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] 12_2_07963660
Source: C:\Users\user\Desktop\gcsEBQO3BV.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] 12_2_079636C6
Source: C:\Users\user\Desktop\gcsEBQO3BV.exe, Code function: 4x nop then lea esp, dword ptr [ebp-08h] 12_2_07963650

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49767 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49769 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49770 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49771 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49772 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49773 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49775 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49777 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49778 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49779 -> 20.197.234.75:1177
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49780 -> 20.197.234.75:1177
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: backupnew.duckdns.org
Source: Malware configuration extractor, URLs: microsoftsecurity.sytes.net
Source: global traffic, TCP traffic: 192.168.2.4:49767 -> 20.197.234.75:1177
Source: unknown, DNS traffic detected: queries for: microsoftsecurity.sytes.net
      Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
      Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
      Source: dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
      Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
      Source: gcsEBQO3BV.exe, 00000001.00000002.771689569.0000000006E82000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
      Source: gcsEBQO3BV.exe, 00000001.00000003.653651828.0000000005BA6000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.879666740.0000000005F00000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.879921974.0000000005D50000.00000002.00000001.sdmp, dhcpmon.exe, 00000014.00000002.905386773.0000000005D60000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
      Source: gcsEBQO3BV.exe, 00000001.00000003.653651828.0000000005BA6000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.K
      Source: gcsEBQO3BV.exe, 00000001.00000002.752839329.0000000001150000.00000004.00000020.sdmp
      Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: gcsEBQO3BV.exe, 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp
      Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      Yara detected Nanocore RAT

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: gcsEBQO3BV.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: eBopYzBwUYOW.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: dhcpmon.exe.12.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: gcsEBQO3BV.exeBinary or memory string: OriginalFilename vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.757219443.0000000002FEF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameResource_Meter.dll> vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.773774990.0000000007500000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000000.646123224.0000000000962000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.774077342.0000000007710000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.773588102.00000000073C0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.773588102.00000000073C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.772900292.0000000007260000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000001.00000002.752839329.0000000001150000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000B.00000000.747103237.00000000003C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923339846.0000000007930000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.918946745.0000000004622000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923480532.0000000007AD0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000003.757194134.0000000001733000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923194691.00000000078E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.921911415.0000000006E30000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000000C.00000002.921499723.0000000006840000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.884753795.00000000088F0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.872141291.000000000334F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameResource_Meter.dll> vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.883167329.0000000007340000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.885887929.000000000E560000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.860365821.00000000009F2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.884529237.00000000088C0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.884529237.00000000088C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 00000011.00000002.864508050.00000000010C8000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exe, 0000001E.00000002.882384708.0000000000B12000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exeBinary or memory string: OriginalFilenameIpTl.exe( vs gcsEBQO3BV.exe
      Source: gcsEBQO3BV.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 31.2.dhcpmon.exe.2fd9684.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.dhcpmon.exe.2fd9684.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78a0000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78a0000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.7880000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.7880000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78fe8a4.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78fe8a4.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.43a9610.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.43a9610.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.4349930.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.4349930.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.7930000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.7930000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78f4c9f.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78f4c9f.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.46a2456.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.46a2456.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.dhcpmon.exe.3fbb7de.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.dhcpmon.exe.3fbb7de.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.dhcpmon.exe.3fbb7de.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 30.2.gcsEBQO3BV.exe.3fd4c3d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 30.2.gcsEBQO3BV.exe.3fd4c3d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 30.2.gcsEBQO3BV.exe.3fcb7de.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 30.2.gcsEBQO3BV.exe.3fcb7de.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 30.2.gcsEBQO3BV.exe.3fcb7de.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.6e30000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.6e30000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.dhcpmon.exe.3ca9930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.dhcpmon.exe.3ca9930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.dhcpmon.exe.3ca9930.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 34.2.dhcpmon.exe.3fdb7de.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 34.2.dhcpmon.exe.3fdb7de.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.3fdb7de.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.7870000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.7870000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.78e0000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78e0000.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.43581d4.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.43581d4.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.78c0000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78c0000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.4394c3d.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.4394c3d.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 30.2.gcsEBQO3BV.exe.3fd0614.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 30.2.gcsEBQO3BV.exe.3fd0614.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.7860000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.7860000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 18.2.dhcpmon.exe.3d79930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 18.2.dhcpmon.exe.3d79930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 18.2.dhcpmon.exe.3d79930.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.468b1f7.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.468b1f7.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.468b1f7.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.4694026.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.4694026.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78e0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78e0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.33ce3d8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.33ce3d8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.gcsEBQO3BV.exe.4079930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.gcsEBQO3BV.exe.4079930.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.gcsEBQO3BV.exe.4079930.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.43adc39.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.43adc39.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 17.2.gcsEBQO3BV.exe.4079930.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 17.2.gcsEBQO3BV.exe.4079930.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.76f0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.76f0000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78c0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78c0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.2ff9684.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 34.2.dhcpmon.exe.2ff9684.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.46a2456.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.46a2456.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.468b1f7.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.468b1f7.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.dhcpmon.exe.3fc4c3d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.dhcpmon.exe.3fc4c3d.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.33da654.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.33da654.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.7890000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.7890000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78b0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78b0000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78f0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78f0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.78f0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.78f0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 20.2.dhcpmon.exe.3ca9930.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 20.2.dhcpmon.exe.3ca9930.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.434e5cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.434e5cf.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.dhcpmon.exe.3fc0614.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.dhcpmon.exe.3fc0614.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 31.2.dhcpmon.exe.3fc0614.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 31.2.dhcpmon.exe.3fc0614.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.6e30000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.6e30000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.3fe0614.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 34.2.dhcpmon.exe.3fe0614.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.6930000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.6930000.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.5ce0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.5ce0000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 34.2.dhcpmon.exe.3fe4c3d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 34.2.dhcpmon.exe.3fe4c3d.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.gcsEBQO3BV.exe.3d19930.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.gcsEBQO3BV.exe.3d19930.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.gcsEBQO3BV.exe.3d19930.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 12.2.gcsEBQO3BV.exe.6934629.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.6934629.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.76f0000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.76f0000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.6930000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 12.2.gcsEBQO3BV.exe.6930000.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 12.2.gcsEBQO3BV.exe.33ce3d8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: gcsEBQO3BV.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: eBopYzBwUYOW.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: dhcpmon.exe.12.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 34.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 34.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engine Classification label: mal100.troj.evad.winEXE@32/16@11/2
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe File created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe File created: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4972:120:WilError_01
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{f0d143be-967c-4293-98d3-3a1e128b5398}
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_01
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_01
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe File created: C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: gcsEBQO3BV.exe Virustotal: Detection: 50%
      Source: gcsEBQO3BV.exe ReversingLabs: Detection: 63%
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe File read: C:\Users\user\Desktop\gcsEBQO3BV.exe
      Source: unknown Process created: C:\Users\user\Desktop\gcsEBQO3BV.exe 'C:\Users\user\Desktop\gcsEBQO3BV.exe'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Users\user\Desktop\gcsEBQO3BV.exe {path}
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Users\user\Desktop\gcsEBQO3BV.exe {path}
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A48.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E8F.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown Process created: C:\Users\user\Desktop\gcsEBQO3BV.exe C:\Users\user\Desktop\gcsEBQO3BV.exe 0
      Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
      Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpE955.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Users\user\Desktop\gcsEBQO3BV.exe {path}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD8.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: gcsEBQO3BV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: gcsEBQO3BV.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: gcsEBQO3BV.exe, 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 30.2.gcsEBQO3BV.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 31.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 34.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 34.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 1_2_009685A5 push edx; iretd 1_2_009685A6
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 1_2_00964664 push dword ptr [edx+ebx*2+20h]; ret 1_2_0096466C
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 11_2_003C4664 push dword ptr [edx+ebx*2+20h]; ret 11_2_003C466C
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 11_2_003C85A5 push edx; iretd 11_2_003C85A6
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_00FA85A5 push edx; iretd 12_2_00FA85A6
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_00FA4664 push dword ptr [edx+ebx*2+20h]; ret 12_2_00FA466C
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E526E8 push ebp; iretd 12_2_06E526EA
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E526EB push ebp; iretd 12_2_06E526F2
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E52690 push ebp; iretd 12_2_06E52692
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E527A8 push ebp; iretd 12_2_06E52822
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E52797 push ebp; iretd 12_2_06E52822
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E5273F push ebp; iretd 12_2_06E5274A
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E525F0 push esp; iretd 12_2_06E525FA
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E53549 pushad ; iretd 12_2_06E5354A
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E5D535 push es; ret 12_2_06E5D524
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E5D535 push es; ret 12_2_06E5D528
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E5D535 push es; ret 12_2_06E5D52C
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E5D535 push es; ret 12_2_06E5D530
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E5D535 push es; ret 12_2_06E5D534
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E5D2F2 push esi; retf 12_2_06E5D2E5
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E5D2D5 push esi; retf 12_2_06E5D2E5
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E5C250 pushad ; ret 12_2_06E5C251
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E53389 pushad ; iretd 12_2_06E5338A
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E52398 push esp; iretd 12_2_06E5239A
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E5239B push esp; iretd 12_2_06E523A2
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E52347 push ecx; iretd 12_2_06E5234A
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E521F7 push eax; iretd 12_2_06E521FA
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E52A11 push esi; iretd 12_2_06E52A12
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E528C8 push esi; iretd 12_2_06E5290A
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E528B7 push ebp; iretd 12_2_06E528BA
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_06E528BB push ebp; iretd 12_2_06E528C2
      Source: initial sample Static PE information: section name: .text entropy: 7.50200224495
      Source: 12.2.gcsEBQO3BV.exe.400000.0.unpack, 30.2.gcsEBQO3BV.exe.400000.0.unpack, 31.2.dhcpmon.exe.400000.0.unpack, 34.2.dhcpmon.exe.400000.0.unpack High entropy of concatenated method names
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe File created: C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe (dropped file)
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (dropped file)

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp'

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe File opened: C:\Users\user\Desktop\gcsEBQO3BV.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Yara detected AntiVM3
      Source: Yara match File source: 00000011.00000002.869500198.0000000003071000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000001.00000002.755783143.0000000002D11000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: 00000012.00000002.869398192.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match File source: Process Memory Space: gcsEBQO3BV.exe PID: 6300, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: gcsEBQO3BV.exe PID: 6664, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 2456, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 2212, type: MEMORYSTR
      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: gcsEBQO3BV.exe, 00000001.00000002.755783143.0000000002D11000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.869500198.0000000003071000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.869398192.0000000002D71000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: gcsEBQO3BV.exe, 00000001.00000002.755783143.0000000002D11000.00000004.00000001.sdmp, gcsEBQO3BV.exe, 00000011.00000002.869500198.0000000003071000.00000004.00000001.sdmp, dhcpmon.exe, 00000012.00000002.869398192.0000000002D71000.00000004.00000001.sdmp, dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Thread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Window / User API: threadDelayed 4134
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Window / User API: threadDelayed 4704
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Window / User API: foregroundWindowGot 409
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Window / User API: foregroundWindowGot 483
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe TID: 6432 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe TID: 6908 Thread sleep time: -13835058055282155s >= -30000s
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe TID: 2820 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2216 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5272 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe TID: 6040 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5864 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5908 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: dhcpmon.exe, 00000014.00000002.883754806.0000000000E39000.00000004.00000001.sdmp Binary or memory string: VMware
      Source: gcsEBQO3BV.exe, 00000001.00000002.775365779.0000000008A9A000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware_!
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923480532.0000000007AD0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: vmware
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: VMWARE
      Source: dhcpmon.exe, 00000014.00000002.883754806.0000000000E39000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareGSZ33WSPWin32_VideoControllerR7CWK58OVideoController120060621000000.000000-0007033.8.3display.infMSBDAPNES1MC5PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZOMZ185Wd
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: gcsEBQO3BV.exe, 00000001.00000002.775365779.0000000008A9A000.00000004.00000001.sdmp Binary or memory string: VMware_!
      Source: gcsEBQO3BV.exe, 00000001.00000002.775365779.0000000008A9A000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareGSZ33WSPWin32_VideoControllerR7CWK58OVideoController120060621000000.000000-0007033.8.3display.infMSBDAPNES1MC5PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZOMZ185WrD
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923480532.0000000007AD0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923480532.0000000007AD0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: gcsEBQO3BV.exe, 00000011.00000002.866052675.00000000011A2000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware
      Source: dhcpmon.exe, 00000012.00000002.886966777.00000000087D0000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareGSZ33WSPWin32_VideoControllerR7CWK58OVideoController120060621000000.000000-0007033.8.3display.infMSBDAPNES1MC5PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZOMZ185Wk
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: dhcpmon.exe, 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: gcsEBQO3BV.exe, 0000000C.00000002.915646042.0000000001702000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923480532.0000000007AD0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process token adjusted: Debug
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Injects a PE file into a foreign processes
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Memory written: C:\Users\user\Desktop\gcsEBQO3BV.exe base: 400000 value starts with: 4D5A
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Users\user\Desktop\gcsEBQO3BV.exe {path}
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A48.tmp'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E8F.tmp'
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpE955.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp'
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD8.tmp'
      Source: gcsEBQO3BV.exe, 0000000C.00000002.917953628.000000000394A000.00000004.00000001.sdmp Binary or memory string: Program Manager
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916195693.0000000001D80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916195693.0000000001D80000.00000002.00000001.sdmp Binary or memory string: Progman
      Source: gcsEBQO3BV.exe, 0000000C.00000002.923871135.0000000007EDC000.00000004.00000001.sdmp Binary or memory string: Program Managerram Manager
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916195693.0000000001D80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
      Source: gcsEBQO3BV.exe, 0000000C.00000002.916987361.0000000003505000.00000004.00000001.sdmp Binary or memory string: Program Manager
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Users\user\Desktop\gcsEBQO3BV.exe VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Users\user\Desktop\gcsEBQO3BV.exe VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Code function: 12_2_07962DD8 GetSystemTimes,12_2_07962DD8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 18_2_086E90D8 GetUserNameA,18_2_086E90D8
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\gcsEBQO3BV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match File source: Process Memory Space: gcsEBQO3BV.exe PID: 6300, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: gcsEBQO3BV.exe PID: 6100, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: gcsEBQO3BV.exe PID: 1444, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 6408, type: MEMORYSTR
      Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 7120, type: MEMORYSTR

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: gcsEBQO3BV.exe, 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: gcsEBQO3BV.exe, 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: gcsEBQO3BV.exe, 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: dhcpmon.exe, 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000002.888483621.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001F.00000002.891289633.0000000003F79000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: gcsEBQO3BV.exe PID: 6300, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: gcsEBQO3BV.exe PID: 6100, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: gcsEBQO3BV.exe PID: 1444, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6408, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7120, type: MEMORYSTR

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation 11 | Scheduled Task/Job 1 | Process Injection 112 | Disable or Modify Tools 1 | Input Capture 21 | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scheduled Task/Job 1 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Input Capture 21 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 3 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 13 | NTDS | System Information Discovery 13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap |  | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 2 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 11 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 131 | Cached Domain Credentials | Security Software Discovery 321 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Virtualization/Sandbox Evasion 131 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Application Window Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact

      Behavior Graph

      [Behavior graph, ID 458901. Sample: gcsEBQO3BV.exe; start date: 03/08/2021; architecture: WINDOWS; score: 100.]

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      gcsEBQO3BV.exe | 51% | Virustotal |
      gcsEBQO3BV.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
      gcsEBQO3BV.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe | 100% | Joe Sandbox ML |
      C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
      C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

      Unpacked PE Files

      Source | Detection | Scanner | Label
      12.2.gcsEBQO3BV.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      30.2.gcsEBQO3BV.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      34.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      12.2.gcsEBQO3BV.exe.6930000.18.unpack | 100% | Avira | TR/NanoCore.fadte
      31.2.dhcpmon.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      microsoftsecurity.sytes.net | 0% | Avira URL Cloud | safe
      http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
      http://www.tiro.com | 0% | URL Reputation | safe
      http://www.goodfont.co.kr | 0% | URL Reputation | safe
      http://www.carterandcone.com | 0% | URL Reputation | safe
      http://www.carterandcone.coml | 0% | URL Reputation | safe
      http://www.sajatypeworks.com | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cno.K | 0% | Avira URL Cloud | safe
      http://www.typography.netD | 0% | URL Reputation | safe
      backupnew.duckdns.org | 0% | Avira URL Cloud | safe
      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
      http://fontfabrik.com | 0% | URL Reputation | safe
      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
      http://douglasheriot.com/uno/ | 0% | Avira URL Cloud | safe
      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
      http://www.sandoll.co.kr | 0% | URL Reputation | safe
      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
      http://www.sakkal.com | 0% | URL Reputation | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      microsoftsecurity.sytes.net | 20.197.234.75 | true | false |  | high

      Contacted URLs

      Name | Malicious | Antivirus Detection | Reputation
      microsoftsecurity.sytes.net | true | Avira URL Cloud: safe | unknown
      backupnew.duckdns.org | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries


                                        Contacted IPs

                                        Public

                                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                        20.197.234.75 | microsoftsecurity.sytes.net | United States |  | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

                                        Private

                                        IP
                                        192.168.2.1

                                        General Information

                                        Joe Sandbox Version: 33.0.0 White Diamond
                                        Analysis ID: 458901
                                        Start date: 03.08.2021
                                        Start time: 21:01:16
                                        Joe Sandbox Product: CloudBasic
                                        Overall analysis duration: 0h 12m 54s
                                        Hypervisor based Inspection enabled: false
                                        Report type: full
                                        Sample file name: gcsEBQO3BV.exe
                                        Cookbook file name: default.jbs
                                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed: 35
                                        Number of new started drivers analysed: 0
                                        Number of existing processes analysed: 0
                                        Number of existing drivers analysed: 0
                                        Number of injected processes analysed: 0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode: default
                                        Analysis stop reason: Timeout
                                        Detection: MAL
                                        Classification: mal100.troj.evad.winEXE@32/16@11/2
                                        EGA Information: Failed
                                        HDC Information:
                                        • Successful, ratio: 1.5% (good quality ratio 0.9%)
                                        • Quality average: 40.1%
                                        • Quality standard deviation: 36.9%
                                        HCA Information:
                                        • Successful, ratio: 98%
                                        • Number of executed functions: 309
                                        • Number of non-executed functions: 8
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .exe
                                        Warnings:
                                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                        • Excluded IPs from analysis (whitelisted): 52.147.198.201, 23.35.237.194, 23.211.6.115, 20.82.209.183, 168.61.161.212, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.50.102.62
                                        • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                        • Not all processes were analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

                                        Time | Type | Description
                                        21:02:59 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\gcsEBQO3BV.exe" s>$(Arg0)
                                        21:02:59 | API Interceptor | 606x Sleep call for process: gcsEBQO3BV.exe modified
                                        21:02:59 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        21:03:00 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASN

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):703488
                                        Entropy (8bit):7.478742406317566
                                        Encrypted:false
                                        SSDEEP:12288:n+J70shAUfvBweg+wToULrNMmnjx05WqV+60RiVycWTQLbOQDFi14Bp/j+PIH3mq:n+J70cLvBwP+8oUSmntIV+60wST8OQp9
                                        MD5:008A85F2C1CF538F42F94A7E88CA88C7
                                        SHA1:B7F9E6B4177B88AE459D5AEE069F06F1B7AD5485
                                        SHA-256:4EE50840EEC3EF82A73866BD6F2E00B42789A76F348BEF3C01F98124EDCEF8B8
                                        SHA-512:444BB1A3A5083DA55963429649E079742E212690D1AC18AEEDAB4F2ECBB5F1A68641F19A9533E7F428130D225F35BEF70A59D44D9B05744963A5C5CE147C6860
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 63%
                                        Reputation:unknown
                                        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Reputation:unknown
                                        Preview: [ZoneTransfer]....ZoneId=0
                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1308
                                        Entropy (8bit):5.345811588615766
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                        MD5:2E016B886BDB8389D2DD0867BE55F87B
                                        SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                        SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                        SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gcsEBQO3BV.exe.log
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1308
                                        Entropy (8bit):5.345811588615766
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                        MD5:2E016B886BDB8389D2DD0867BE55F87B
                                        SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                        SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                        SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                        Malicious:true
                                        Reputation:unknown
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.189102630149273
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGsFtn:cbhK79lNQR/rydbz9I3YODOLNdq39v
                                        MD5:74CF069D4425306450AF9C459BBCE9F7
                                        SHA1:6A1FA39E22803D57BAA3695F3F4581C2DFF68556
                                        SHA-256:9C0B7CE4B179D72EA019469E600307BF2B5A048804941BFEFD12FEBCFCA1709B
                                        SHA-512:230E79DA950F63BEAFF52D674070954466E9B677D1987372A53B2C953BF80B9F30BBE24D3A981656C8081F76816A153726B1FAE9823C2EAB7327D25813F206B7
                                        Malicious:true
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Local\Temp\tmp3A48.tmp
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1300
                                        Entropy (8bit):5.115086565855345
                                        Encrypted:false
                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yixtn:cbk4oL600QydbQxIYODOLedq3uj
                                        MD5:ECD2C93B3D28A0B0E2F428E0264D7B6B
                                        SHA1:09DEA2B0683368E8F8BCEA7B5C6EBE439AEE0133
                                        SHA-256:6DA36228CAC1E211B86A10B0C6A9031C1D5FEABF3E7D796776376BCBC11088B8
                                        SHA-512:E1EF65805F0F0BEEE893C5DEE5A087CF84612A61C2451BFC1125F7F0E455F4B14F0303FBD467FCFE3A67AD883E3FAA1548DB760D674F3F2F64E7CEE6D419ADA1
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                        C:\Users\user\AppData\Local\Temp\tmp3E8F.tmp
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1310
                                        Entropy (8bit):5.109425792877704
                                        Encrypted:false
                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                        MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                        SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                        SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                        SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                        C:\Users\user\AppData\Local\Temp\tmpE955.tmp
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.189102630149273
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGsFtn:cbhK79lNQR/rydbz9I3YODOLNdq39v
                                        MD5:74CF069D4425306450AF9C459BBCE9F7
                                        SHA1:6A1FA39E22803D57BAA3695F3F4581C2DFF68556
                                        SHA-256:9C0B7CE4B179D72EA019469E600307BF2B5A048804941BFEFD12FEBCFCA1709B
                                        SHA-512:230E79DA950F63BEAFF52D674070954466E9B677D1987372A53B2C953BF80B9F30BBE24D3A981656C8081F76816A153726B1FAE9823C2EAB7327D25813F206B7
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.189102630149273
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGsFtn:cbhK79lNQR/rydbz9I3YODOLNdq39v
                                        MD5:74CF069D4425306450AF9C459BBCE9F7
                                        SHA1:6A1FA39E22803D57BAA3695F3F4581C2DFF68556
                                        SHA-256:9C0B7CE4B179D72EA019469E600307BF2B5A048804941BFEFD12FEBCFCA1709B
                                        SHA-512:230E79DA950F63BEAFF52D674070954466E9B677D1987372A53B2C953BF80B9F30BBE24D3A981656C8081F76816A153726B1FAE9823C2EAB7327D25813F206B7
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Local\Temp\tmpFD8.tmp
                                        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1645
                                        Entropy (8bit):5.189102630149273
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGsFtn:cbhK79lNQR/rydbz9I3YODOLNdq39v
                                        MD5:74CF069D4425306450AF9C459BBCE9F7
                                        SHA1:6A1FA39E22803D57BAA3695F3F4581C2DFF68556
                                        SHA-256:9C0B7CE4B179D72EA019469E600307BF2B5A048804941BFEFD12FEBCFCA1709B
                                        SHA-512:230E79DA950F63BEAFF52D674070954466E9B677D1987372A53B2C953BF80B9F30BBE24D3A981656C8081F76816A153726B1FAE9823C2EAB7327D25813F206B7
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1160
                                        Entropy (8bit):7.089541637477408
                                        Encrypted:false
                                        SSDEEP:24:IQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+K:IknjhUknjhUknjhUknjhUknjhL
                                        MD5:7BEBBE1F1511163A3243CD8E0C75CC69
                                        SHA1:216B3AB5D802FA037A6EC5348B189398D8980B3C
                                        SHA-256:79A130865E9EFFFAA6C2E453942CE87F652681BCD76AAF987318300CAF5E3778
                                        SHA-512:4DCCB32411DEF72C938022B8675DA50B2DC4CD2C051B1C0377F63D6AAC42FC3D128B0ED580FB88954AB04A9E9EC8D272EBCCF74EB3F136BEF41ADBB845A1A530
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):8
                                        Entropy (8bit):3.0
                                        Encrypted:false
                                        SSDEEP:3:fot:o
                                        MD5:5D50F3D2AC1305B0B1D14FF65E96BFC7
                                        SHA1:0815E076D2FF28BE4A8EDE8ED7242ADCD14472C8
                                        SHA-256:6968FFB9754308FBCA0DEE1158F38AAE070055DE1E93FB716E8B1AF1048EF2DE
                                        SHA-512:E376A82EE3278D9D1FD05CEEF1B6938BCE2A156F7F77E07DFDE9BF5238342EDEC7A99C185147DC35C29AA41FBE5722EEF7A72A2EC1A548AF7175A87C5594CF49
                                        Malicious:true
                                        Reputation:unknown
                                        Preview: ...M.V.H
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):40
                                        Entropy (8bit):5.153055907333276
                                        Encrypted:false
                                        SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                        MD5:4E5E92E2369688041CC82EF9650EDED2
                                        SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                        SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                        SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):327768
                                        Entropy (8bit):7.999367066417797
                                        Encrypted:true
                                        SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
                                        MD5:2E52F446105FBF828E63CF808B721F9C
                                        SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
                                        SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
                                        SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
                                        Malicious:false
                                        Reputation:unknown
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                        Process:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):37
                                        Entropy (8bit):4.257580907551286
                                        Encrypted:false
                                        SSDEEP:3:oNt+WfWCGnnT20C:oNwvCWSJ
                                        MD5:DC939810D8F43EB38ADAEFB85AD0CEDA
                                        SHA1:2BB19FE8337D3C2CAF8EE02D1BDEC8D38B918E7B
                                        SHA-256:C2D5CEEEE6CC36CB0E1B8D95AFC3BCDF5D6147ECF29A5D463C5BC713DD3FAF3F
                                        SHA-512:4D254397E0259D87C7DA4715BF0224FD0E9282BE96A5F84A00ACFBA384AEA5D990F47D122E4A4AD75AA28313634AFFF27661D43D97154C42F70980801408B8F5
                                        Malicious:false
                                        Reputation:unknown
                                        Preview: C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        C:\Users\user\AppData\Roaming\eBopYzBwUYOW.exe
                                        Process: C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category: dropped
                                        Size (bytes): 703488
                                        Entropy (8bit): 7.478742406317566
                                        Encrypted: false
                                        SSDEEP: 12288:n+J70shAUfvBweg+wToULrNMmnjx05WqV+60RiVycWTQLbOQDFi14Bp/j+PIH3mq:n+J70cLvBwP+8oUSmntIV+60wST8OQp9
                                        MD5: 008A85F2C1CF538F42F94A7E88CA88C7
                                        SHA1: B7F9E6B4177B88AE459D5AEE069F06F1B7AD5485
                                        SHA-256: 4EE50840EEC3EF82A73866BD6F2E00B42789A76F348BEF3C01F98124EDCEF8B8
                                        SHA-512: 444BB1A3A5083DA55963429649E079742E212690D1AC18AEEDAB4F2ECBB5F1A68641F19A9533E7F428130D225F35BEF70A59D44D9B05744963A5C5CE147C6860
                                        Malicious: true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 63%
                                        Reputation: unknown

                                        Static File Info

                                        General

                                        File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit): 7.478742406317566
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name: gcsEBQO3BV.exe
                                        File size: 703488
                                        MD5: 008a85f2c1cf538f42f94a7e88ca88c7
                                        SHA1: b7f9e6b4177b88ae459d5aee069f06f1b7ad5485
                                        SHA256: 4ee50840eec3ef82a73866bd6f2e00b42789a76f348bef3c01f98124edcef8b8
                                        SHA512: 444bb1a3a5083da55963429649e079742e212690d1ac18aeedab4f2ecbb5f1a68641f19a9533e7f428130d225f35bef70a59d44d9b05744963a5c5ce147c6860
                                        SSDEEP: 12288:n+J70shAUfvBweg+wToULrNMmnjx05WqV+60RiVycWTQLbOQDFi14Bp/j+PIH3mq:n+J70cLvBwP+8oUSmntIV+60wST8OQp9
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].`.................x...B......^.... ........@.. ....................................@................................

                                        File Icon

                                        Icon Hash:8099b8acdce4e1e5

                                        Static PE Info

                                        General

                                        Entrypoint: 0x4a975e
                                        Entrypoint Section: .text
                                        Digitally signed: false
                                        Imagebase: 0x400000
                                        Subsystem: windows gui
                                        Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp: 0x60FF5D0A [Tue Jul 27 01:10:34 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version: v4.0.30319
                                        OS Version Major: 4
                                        OS Version Minor: 0
                                        File Version Major: 4
                                        File Version Minor: 0
                                        Subsystem Version Major: 4
                                        Subsystem Version Minor: 0
                                        Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al

                                        Data Directories

                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0xa970c          0x4f          .text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0xaa000          0x3f50        .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0xae000          0xc           .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                        Sections

                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                        .text   0x2000           0xa7764       0xa7800   False     0.768110132929   data       7.50200224495   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc   0xaa000          0x3f50        0x4000    False     0.627807617188   data       5.5633177152    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc  0xae000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        Name           RVA      Size    Type                                                                                                                        Language  Country
                                        RT_ICON        0xaa148  0x468   GLS_BINARY_LSB_FIRST
                                        RT_ICON        0xaa5b0  0x10a8  dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4278781961, next used block 4287640619
                                        RT_ICON        0xab658  0x25a8  dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4280485632, next used block 4284557590
                                        RT_GROUP_ICON  0xadc00  0x30    data
                                        RT_VERSION     0xadc30  0x320   data

                                        Imports

                                        DLL          Import
                                        mscoree.dll  _CorExeMain

                                        Version Infos

                                        Description       Data
                                        Translation       0x0000 0x04b0
                                        LegalCopyright    Copyright 2010 - 2021
                                        Assembly Version  1.0.0.0
                                        InternalName      IpTl.exe
                                        FileVersion       1.0.0.0
                                        CompanyName       Douglas Heriot
                                        LegalTrademarks
                                        Comments
                                        ProductName       Uno
                                        ProductVersion    1.0.0.0
                                        FileDescription   Uno
                                        OriginalFilename  IpTl.exe

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
                                        08/03/21-21:03:03.070861  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49767        1177       192.168.2.4  20.197.234.75
                                        08/03/21-21:03:10.961626  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49769        1177       192.168.2.4  20.197.234.75
                                        08/03/21-21:03:18.292169  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49770        1177       192.168.2.4  20.197.234.75
                                        08/03/21-21:03:25.266257  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49771        1177       192.168.2.4  20.197.234.75
                                        08/03/21-21:03:32.318494  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49772        1177       192.168.2.4  20.197.234.75
                                        08/03/21-21:03:39.569786  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49773        1177       192.168.2.4  20.197.234.75
                                        08/03/21-21:03:44.455750  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49775        1177       192.168.2.4  20.197.234.75
                                        08/03/21-21:03:49.468825  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49777        1177       192.168.2.4  20.197.234.75
                                        08/03/21-21:03:56.009783  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49778        1177       192.168.2.4  20.197.234.75
                                        08/03/21-21:04:03.242027  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49779        1177       192.168.2.4  20.197.234.75
                                        08/03/21-21:04:09.616586  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49780        1177       192.168.2.4  20.197.234.75

                                        Network Port Distribution

                                        TCP Packets

                                        Aug 3, 2021 21:03:04.709144115 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709161043 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709165096 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709178925 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709184885 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709197998 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709216118 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709233046 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709239960 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709250927 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709271908 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709279060 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709291935 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709306002 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709310055 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709328890 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709342957 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709347010 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709363937 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709379911 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709387064 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709397078 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709407091 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709419012 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709436893 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709444046 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709454060 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709461927 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709472895 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709490061 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709500074 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709506989 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709525108 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.709536076 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.709563971 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.781496048 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913512945 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913574934 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913610935 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913646936 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913647890 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.913686037 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913722038 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.913779020 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913816929 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913851976 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913872004 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.913888931 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913907051 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.913940907 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913979053 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.913999081 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914014101 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914076090 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914098978 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914114952 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914148092 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914181948 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914201975 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914217949 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914220095 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914252996 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914287090 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914323092 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914328098 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914357901 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914360046 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914392948 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914428949 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914462090 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914472103 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914486885 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914509058 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914525032 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914534092 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914556026 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914556980 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914580107 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914601088 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914613008 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914623976 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914634943 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914645910 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914669037 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914691925 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914693117 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914720058 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914729118 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914745092 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914764881 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914788008 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914808989 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914808989 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914830923 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914844036 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914855003 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914876938 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914880037 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914901018 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914918900 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.914925098 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914948940 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914972067 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914994001 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.914994955 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.915015936 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:04.915034056 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:04.915056944 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.118871927 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.118922949 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.118940115 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.118963003 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.118980885 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.118998051 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119015932 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119031906 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119046926 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119072914 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119090080 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119146109 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119167089 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119188070 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119208097 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119208097 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.119227886 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119246960 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119271040 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119291067 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.119371891 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120162964 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120203972 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120225906 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120249033 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120266914 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120289087 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120312929 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120336056 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120353937 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120377064 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120399952 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120424032 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120448112 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120465994 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120470047 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120495081 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120498896 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120502949 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120506048 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120507956 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120511055 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120517969 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120543957 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120543957 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120567083 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120589018 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120589972 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120610952 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120629072 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120649099 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120666027 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120682955 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120701075 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120728016 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120748043 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120765924 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.120826006 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120836973 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120840073 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.120846033 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.121881962 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.323333979 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323373079 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323396921 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323441029 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323466063 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323487043 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323489904 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.323513985 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323535919 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323539972 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.323559999 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323582888 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323595047 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.323605061 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323625088 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.323626995 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323652029 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323674917 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.323681116 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323702097 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323729992 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323733091 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.323754072 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323776960 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.323777914 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.323817968 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325052977 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325093985 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325117111 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325159073 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325170040 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325177908 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325200081 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325223923 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325226068 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325261116 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325300932 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325329065 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325351000 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325372934 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325383902 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325397015 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325419903 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325421095 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325443029 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325450897 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325465918 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325488091 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325490952 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325512886 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325536013 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325541019 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325558901 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325581074 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325588942 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325602055 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325623035 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325637102 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325642109 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325664997 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325689077 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325690031 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325714111 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325719118 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325741053 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325761080 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325772047 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325783014 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325804949 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.325819969 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.325861931 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.527546883 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.527601957 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.527692080 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.527717113 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.527718067 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.527740002 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.527762890 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.527762890 CEST11774976720.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:05.527837038 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:05.760375023 CEST497671177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:10.743659973 CEST497691177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:10.948873997 CEST11774976920.197.234.75192.168.2.4
                                        Aug 3, 2021 21:03:10.950031042 CEST497691177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:10.961626053 CEST497691177192.168.2.420.197.234.75
                                        Aug 3, 2021 21:03:11.181233883 CEST11774976920.197.234.75192.168.2.4

                                        UDP Packets


                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Aug 3, 2021 21:03:02.669002056 CEST | 192.168.2.4 | 8.8.8.8 | 0x96ad | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:10.531178951 CEST | 192.168.2.4 | 8.8.8.8 | 0x8d7b | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:17.960906029 CEST | 192.168.2.4 | 8.8.8.8 | 0x9de4 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:25.024315119 CEST | 192.168.2.4 | 8.8.8.8 | 0xc473 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:32.071710110 CEST | 192.168.2.4 | 8.8.8.8 | 0xd17e | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:39.324357033 CEST | 192.168.2.4 | 8.8.8.8 | 0xc6e4 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:44.149097919 CEST | 192.168.2.4 | 8.8.8.8 | 0x25a2 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:49.132050037 CEST | 192.168.2.4 | 8.8.8.8 | 0x4f92 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:55.735852957 CEST | 192.168.2.4 | 8.8.8.8 | 0x1981 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:04:02.992939949 CEST | 192.168.2.4 | 8.8.8.8 | 0xef0 | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:04:09.355088949 CEST | 192.168.2.4 | 8.8.8.8 | 0x766e | Standard query (0) | microsoftsecurity.sytes.net | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Aug 3, 2021 21:03:02.703749895 CEST | 8.8.8.8 | 192.168.2.4 | 0x96ad | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:10.568053961 CEST | 8.8.8.8 | 192.168.2.4 | 0x8d7b | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:17.996409893 CEST | 8.8.8.8 | 192.168.2.4 | 0x9de4 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:25.057940006 CEST | 8.8.8.8 | 192.168.2.4 | 0xc473 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:32.109904051 CEST | 8.8.8.8 | 192.168.2.4 | 0xd17e | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:39.359462023 CEST | 8.8.8.8 | 192.168.2.4 | 0xc6e4 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:44.181466103 CEST | 8.8.8.8 | 192.168.2.4 | 0x25a2 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:49.165702105 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f92 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:03:55.768687010 CEST | 8.8.8.8 | 192.168.2.4 | 0x1981 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:04:03.026909113 CEST | 8.8.8.8 | 192.168.2.4 | 0xef0 | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)
                                        Aug 3, 2021 21:04:09.391959906 CEST | 8.8.8.8 | 192.168.2.4 | 0x766e | No error (0) | microsoftsecurity.sytes.net | | 20.197.234.75 | A (IP address) | IN (0x0001)

                                        System Behavior

                                        General

                                        Start time:21:02:04
                                        Start date:03/08/2021
                                        Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\gcsEBQO3BV.exe'
                                        Imagebase:0x960000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.755783143.0000000002D11000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.758869447.0000000003D19000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:21:02:50
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmp1EA2.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:02:51
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:02:51
                                        Start date:03/08/2021
                                        Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        Wow64 process (32bit):false
                                        Commandline:{path}
                                        Imagebase:0x3c0000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:21:02:52
                                        Start date:03/08/2021
                                        Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xfa0000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.918302480.0000000004391000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923339846.0000000007930000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923339846.0000000007930000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.921215035.0000000005CE0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.921215035.0000000005CE0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923227921.00000000078F0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923077412.00000000078A0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.921626812.0000000006930000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923194691.00000000078E0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923194691.00000000078E0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923044394.0000000007890000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.921911415.0000000006E30000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.921911415.0000000006E30000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923105492.00000000078B0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.913770641.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923133784.00000000078C0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923133784.00000000078C0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.922985944.0000000007870000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.922985944.0000000007870000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.916355133.0000000003341000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.922828441.00000000076F0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.922828441.00000000076F0000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.922966847.0000000007860000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.922966847.0000000007860000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.918972409.000000000462F000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.923013512.0000000007880000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.923013512.0000000007880000.00000004.00000001.sdmp, Author: Florian Roth
                                        Reputation:low

                                        General

                                        Start time:21:02:57
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp3A48.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:02:57
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:02:58
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3E8F.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:02:58
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:03:00
                                        Start date:03/08/2021
                                        Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\gcsEBQO3BV.exe 0
                                        Imagebase:0x9f0000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000011.00000002.869500198.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000011.00000002.875420533.0000000004079000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:21:03:01
                                        Start date:03/08/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                        Imagebase:0x9e0000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.875421468.0000000003D79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000012.00000002.869398192.0000000002D71000.00000004.00000001.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 63%, ReversingLabs
                                        Reputation:low

                                        General

                                        Start time:21:03:08
                                        Start date:03/08/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                        Imagebase:0x8a0000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000014.00000002.898848134.0000000003CA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.887889351.0000000002CA1000.00000004.00000001.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Start time:21:03:42
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpE955.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:03:43
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:03:43
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpEBE5.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:21:03:43
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:03:43
                                        Start date:03/08/2021
                                        Path:C:\Users\user\Desktop\gcsEBQO3BV.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xb10000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.888954904.0000000003F89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.888483621.0000000002F81000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.888483621.0000000002F81000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001E.00000002.882125201.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                        General

                                        Start time:21:03:44
                                        Start date:03/08/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xc00000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.884398030.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.890669255.0000000002F71000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.890669255.0000000002F71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001F.00000002.891289633.0000000003F79000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 0000001F.00000002.891289633.0000000003F79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                        General

                                        Start time:21:03:52
                                        Start date:03/08/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eBopYzBwUYOW' /XML 'C:\Users\user\AppData\Local\Temp\tmpFD8.tmp'
                                        Imagebase:0x160000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:03:53
                                        Start date:03/08/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff724c50000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        General

                                        Start time:21:03:54
                                        Start date:03/08/2021
                                        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xa90000
                                        File size:703488 bytes
                                        MD5 hash:008A85F2C1CF538F42F94A7E88CA88C7
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.908292630.0000000003F99000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.908292630.0000000003F99000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.908102746.0000000002F91000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000022.00000002.905512607.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

                                        Disassembly

                                        Code Analysis

                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: Xc%l$Xc%l
                                          • API String ID: 0-1338683366
                                          • Opcode ID: d5dbda79a8f9a4829dfe0ea4f70bc101565c346f203746f3aeb5c9b895acdc15
                                          • Instruction ID: 9e62d71f8928d46e781f7d6b096c671b61b2bb5fc8c78fa11316592484304605
                                          • Opcode Fuzzy Hash: d5dbda79a8f9a4829dfe0ea4f70bc101565c346f203746f3aeb5c9b895acdc15
                                          • Instruction Fuzzy Hash: 00F1D475B04214CFCB18DF69C494AAEBBB2FF86300F158869D846AB361DB34ED41CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: Yy@$Yy@+e=
                                          • API String ID: 0-3438994167
                                          • Opcode ID: 16fc78c5cc4705fe173ffa5c4a1fe9abc4f0c18784f4890513982001b5c359e8
                                          • Instruction ID: 1151c0edf4f9c3bac2b39084f5e81fda7a2fef3c0891b148d9955007d30781fc
                                          • Opcode Fuzzy Hash: 16fc78c5cc4705fe173ffa5c4a1fe9abc4f0c18784f4890513982001b5c359e8
                                          • Instruction Fuzzy Hash: 265107B0E04619CFDB08CFAAD8806AEFBF2BF89340F15D42AD519B7254D7349A41CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: EuR$L-uI
                                          • API String ID: 0-3189475397
                                          • Opcode ID: 12a79dfc854296a41d2f5dd66374cb63664c8775426cf7abb6a835e81bf43d18
                                          • Instruction ID: 8cc4478b16cfb2c31557a3e1847a53b6de44586dbbff678375b7c8904ac7f6af
                                          • Opcode Fuzzy Hash: 12a79dfc854296a41d2f5dd66374cb63664c8775426cf7abb6a835e81bf43d18
                                          • Instruction Fuzzy Hash: 7F51F474E0521A9BCF08CFAAD582AAEFBF2FB88310F10942AD515B7254D7309A41CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: d-%l
                                          • API String ID: 0-157456239
                                          • Opcode ID: fa1c965f7c8a6b524df54826260a68b86770d024e9517b9a5fa6442471bfd21d
                                          • Instruction ID: f556ebe9f8d97841b75aa5fae25bd3156bdf9a375204d0b17505824c2097948c
                                          • Opcode Fuzzy Hash: fa1c965f7c8a6b524df54826260a68b86770d024e9517b9a5fa6442471bfd21d
                                          • Instruction Fuzzy Hash: 6A81C074E002189FDB58DFA9D885BDEBBB2FF89300F1081AAE509AB354DB306945CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: d-%l
                                          • API String ID: 0-157456239
                                          • Opcode ID: 340b7faf115d3e55b016b4287dd56f5d98f63001794d2bdb39ee73b31310d123
                                          • Instruction ID: de27f63127ba92807cef5f7f411d08b44f72880a28f56f61170bd748122ed346
                                          • Opcode Fuzzy Hash: 340b7faf115d3e55b016b4287dd56f5d98f63001794d2bdb39ee73b31310d123
                                          • Instruction Fuzzy Hash: 7A81C174E002189FDB58DFA9D895ADEBBB2FF89304F1081AAE509AB354DB306D41CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.752754013.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 2/:
                                          • API String ID: 0-213780787
                                          • Opcode ID: 6e1ac6a7ccd280f80beb68900f0e4d1154395124a14d350a3d4c215761c61785
                                          • Instruction ID: c591311ca0e9ca00f7888417fa1e1aef842bca5258faf7a6813357d25fb022b6
                                          • Opcode Fuzzy Hash: 6e1ac6a7ccd280f80beb68900f0e4d1154395124a14d350a3d4c215761c61785
                                          • Instruction Fuzzy Hash: DC518E34E05219EFDB48CFA5C58159EFFB6EF89200F24D8A9D006E72A8DB349F408B15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.752754013.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 2/:
                                          • API String ID: 0-213780787
                                          • Opcode ID: fe5c74ca076b680c974f595afde7b7e56504aea3cb5ba4f0a59d7f7b49f43d88
                                          • Instruction ID: 0ab102e9360aed75899613e5abdcd2409c0e9b3c7a46082a1d859b7ff90b5281
                                          • Opcode Fuzzy Hash: fe5c74ca076b680c974f595afde7b7e56504aea3cb5ba4f0a59d7f7b49f43d88
                                          • Instruction Fuzzy Hash: 23518D34E05219EFDB4CCFA5C18159EFFB6EF89200F24D8A9C006E72A8DB349E418B15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: Xc%l$Xc%l$Xc%l$Xc%l
                                          • API String ID: 0-1413160688
                                          • Opcode ID: c2c1301c31d331de8677978bd35aa0f411375dcc0c5be0e50db91114d6084487
                                          • Instruction ID: 0154f14fdaeb3831eb2b4c0319f87e543d2dc330ad81ebad24f72361e8efa34c
                                          • Opcode Fuzzy Hash: c2c1301c31d331de8677978bd35aa0f411375dcc0c5be0e50db91114d6084487
                                          • Instruction Fuzzy Hash: E1514D35B10108EFCB08DF64D499AEDBBB2FB88711F145869E902A73A0CB31AD41CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0112AE4E
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.752754013.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: e8d997927ac2ec0450b77c79aaab08db9a41ffa7b02d05f97ac207db89026dec
                                          • Instruction ID: c4f34aeed664a399e9e0a44462a2688d1fd26b23efae2e13ebe7555fcc1ee180
                                          • Opcode Fuzzy Hash: e8d997927ac2ec0450b77c79aaab08db9a41ffa7b02d05f97ac207db89026dec
                                          • Instruction Fuzzy Hash: DD712370A00B198FDB68DF29D44075ABBF1BF88204F008929E54AD7A40DB75E966CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: <%l
                                          • API String ID: 0-1285486688
                                          • Opcode ID: c92b8aa597780722bfe70aad5379ae59975e8e77047fe099899c3f5f3cf70f54
                                          • Instruction ID: 171a9369db4dbd591b51e6d916178757c0ac52542705019503bb64c4b6dd4b14
                                          • Opcode Fuzzy Hash: c92b8aa597780722bfe70aad5379ae59975e8e77047fe099899c3f5f3cf70f54
                                          • Instruction Fuzzy Hash: A5E19E34B102089FCB55DF68D859AAEBBF2BF89304F148469F906DB3A1DB349D01CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01125741
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.752754013.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 08afb14c8a7b59467d959d75fcb2e0f9e95918bb18f0024a6e66cf2e5fb5c1b6
                                          • Instruction ID: de9d82bd1492dba66bba772b60766bf551314a70b89122707df20127a5985112
                                          • Opcode Fuzzy Hash: 08afb14c8a7b59467d959d75fcb2e0f9e95918bb18f0024a6e66cf2e5fb5c1b6
                                          • Instruction Fuzzy Hash: 0741F2B1C0462CCBDB28DFA9C884BDDBBF6BF48304F508169D508AB251DBB56946CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01125741
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.752754013.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 29936662619d2718df6116658e2d7006eebe35b2bd48969a191fbcf79379f394
                                          • Instruction ID: 08b99edce08060acc5a9337bbe15d6ac701faba363c60b5cd82273c8c50bc60d
                                          • Opcode Fuzzy Hash: 29936662619d2718df6116658e2d7006eebe35b2bd48969a191fbcf79379f394
                                          • Instruction Fuzzy Hash: 1041F371C04629CADB28CFA9C884BDDBBF2BF48304F548169D508AB255DBB56946CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0112D4E6,?,?,?,?,?), ref: 0112D5A7
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.752754013.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 773c74e40a783bf1db2543493205f6de5127d87ba889d1ee93290fea3ba9e829
                                          • Instruction ID: a07d08c183d5de6e98cc5ecf0f8452d7df3e61d2ae4e48ee87b49628613d9b5b
                                          • Opcode Fuzzy Hash: 773c74e40a783bf1db2543493205f6de5127d87ba889d1ee93290fea3ba9e829
                                          • Instruction Fuzzy Hash: 5321E3B59002189FDF10CF9AD984ADEBBF8FB48324F14842AE915B7310D3B4A954CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0112D4E6,?,?,?,?,?), ref: 0112D5A7
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.752754013.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 549d805670eb6e5a24a69b68a4923bf15898b9e114b0f3af7cc07ed7dab9c7b0
                                          • Instruction ID: e2295ef622581a1a3254f4efbdf6f7dea97f0cf0a3197f17001ae6269118b272
                                          • Opcode Fuzzy Hash: 549d805670eb6e5a24a69b68a4923bf15898b9e114b0f3af7cc07ed7dab9c7b0
                                          • Instruction Fuzzy Hash: 0C21C4B5D002189FDF10CFA9D585AEEBBF4FB48324F14842AE915A7310D378A954CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0112AEC9,00000800,00000000,00000000), ref: 0112B0DA
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.752754013.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 12f72e31d0fb06b9a9a09a2b42c28cffbb2254728cd28d004eb06b405f721d94
                                          • Instruction ID: 6a01f008929d79e8df5bd59e7a0fe13237e3234a8719877c55b6140dabba4e52
                                          • Opcode Fuzzy Hash: 12f72e31d0fb06b9a9a09a2b42c28cffbb2254728cd28d004eb06b405f721d94
                                          • Instruction Fuzzy Hash: 791117B29042099FDB14CF9AC484BDEFBF4EB88314F04852AE515B7700C7B9A545CFA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0112AEC9,00000800,00000000,00000000), ref: 0112B0DA
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.752754013.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: ae64baf9bf8bf16101e51b9151c694fc1decde1c4a930ea1f86f8129f85e9fce
                                          • Instruction ID: 92d8144d87df7c102b3f06601f4a09bce91303b2d6e8633a51b44c7c52025549
                                          • Opcode Fuzzy Hash: ae64baf9bf8bf16101e51b9151c694fc1decde1c4a930ea1f86f8129f85e9fce
                                          • Instruction Fuzzy Hash: FF1106B29042198FDB14CF9AC484B9EFBF4EB48310F04842AE525B7200D779A555CFA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0112AE4E
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.752754013.0000000001120000.00000040.00000001.sdmp, Offset: 01120000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 790f49a772f1881559ed403ce09d8b645accdad5c9d5e23c10d918e43159900e
                                          • Instruction ID: 3af0832237a59b9c8d739719fbfe2b6b9719ffecefda76ce5c37a493eb16d1ae
                                          • Opcode Fuzzy Hash: 790f49a772f1881559ed403ce09d8b645accdad5c9d5e23c10d918e43159900e
                                          • Instruction Fuzzy Hash: 0B11D2B5C006598FDB14CF9AD444BDEFBF4AF88224F14852AD829A7600D375A546CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: `$l
                                          • API String ID: 0-784925101
                                          • Opcode ID: 6ba58f3e4faaa576143f5a72210a571cdabfededfdb962504d65f8a1f4724d0d
                                          • Instruction ID: baa0df27daee92a969ab12d87bba9e7aa616ed3e89d175fbe773bc3ca575b638
                                          • Opcode Fuzzy Hash: 6ba58f3e4faaa576143f5a72210a571cdabfededfdb962504d65f8a1f4724d0d
                                          • Instruction Fuzzy Hash: C081E234D00219CFDB18DFA5D845BEEBBB2FF89304F1484A9E508AB251DB309A85CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: `$l
                                          • API String ID: 0-784925101
                                          • Opcode ID: 59dbfdfa204dbd6beb15225919627a0517675ff6c5f16bd1c3730c8aa1b14873
                                          • Instruction ID: da2f4d7e03db655c9456569522dec7b2173c35fd2d9d76b4bbfd4493f0b0a6ca
                                          • Opcode Fuzzy Hash: 59dbfdfa204dbd6beb15225919627a0517675ff6c5f16bd1c3730c8aa1b14873
                                          • Instruction Fuzzy Hash: 55310670E012189BEB58DFAAD8417DDBBB2EF89304F00C4AAD40CA7251EB345A858F81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b72ab8754c534eb348e10962140db569d948c2dd3bbdb652f144de5e329d0d05
                                          • Instruction ID: 8546e11a95939527ee9bc8a4fbeb73189808235f55622d0f9ffda4995feaafa0
                                          • Opcode Fuzzy Hash: b72ab8754c534eb348e10962140db569d948c2dd3bbdb652f144de5e329d0d05
                                          • Instruction Fuzzy Hash: 37F06234A10309CFD714DB64D959A9DBBB2FF4A315F2488A5A40EA7291DB346E81CF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3cbd50f9e39c373869410d5931711f0dc021e1c54d67f5b87701fa4cc3a991bb
                                          • Instruction ID: 1506a7a6f09a1ee695e1cbe26f3a8f2d6de34f36033d7fd7dc7310d8c03af4e2
                                          • Opcode Fuzzy Hash: 3cbd50f9e39c373869410d5931711f0dc021e1c54d67f5b87701fa4cc3a991bb
                                          • Instruction Fuzzy Hash: 3A01AFB5D4022CDFCB29CF64C9866D8BBB1BF48301F0485EAD609A2250DB744A80CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc8e7fac99e27e854a5e55dfd83ee2c385012a2579300b4bb6d9801af30996ce
                                          • Instruction ID: 87db28e83294d74dcd52dc7618e88b17083867bb37de5a23950c5df1575e56d6
                                          • Opcode Fuzzy Hash: cc8e7fac99e27e854a5e55dfd83ee2c385012a2579300b4bb6d9801af30996ce
                                          • Instruction Fuzzy Hash: 86F05831928609CFC700EFE8D5494AEBFB0FF4A200F045E69E0967B194EB78A254CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7bf004f9abad637951a3590327bcc28cb98e1cefa4a99fe10d730359dff73a7
                                          • Instruction ID: 80521510d9279def645883dc0af8ce86bf8db1829b9e9440d26d9552664ad295
                                          • Opcode Fuzzy Hash: e7bf004f9abad637951a3590327bcc28cb98e1cefa4a99fe10d730359dff73a7
                                          • Instruction Fuzzy Hash: 07F0A030924348EFCB49EFB8F455B987FB5F746201F0046A8D80593369DB301652CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 46bc306dc85ac55729d7fb3ea5e3cac467db2f3dea96937bcc549a4ab568ffa5
                                          • Instruction ID: 0c826dbd0418d39434e74d254f023aad70dac25c14afe4b75e64958f9019fb29
                                          • Opcode Fuzzy Hash: 46bc306dc85ac55729d7fb3ea5e3cac467db2f3dea96937bcc549a4ab568ffa5
                                          • Instruction Fuzzy Hash: 01F01570D442189BCB44EFA8E9403AEBBB0BB49300F4086AAC918A3700D37456418B81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 157b35c8813a03448810961bf72ddb60aef3d2f82f247231e9a34daf6f4a5ca7
                                          • Instruction ID: 645028eba41dac96659362507ba1f1cf8a27da06daa5c7570f0ac8460fe891bc
                                          • Opcode Fuzzy Hash: 157b35c8813a03448810961bf72ddb60aef3d2f82f247231e9a34daf6f4a5ca7
                                          • Instruction Fuzzy Hash: 91F0A7709083999BCB15CFA4D8407DDBFB0BB05329F54839DDC6466792C3355552DB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4622ba3f5c2fd8678df1ee388abaf78091ba89dbe6f613d5af4c4bae15734af3
                                          • Instruction ID: b3cc25fa4ed5c996dced6e64d08cc604c63f89dd6bc1a0462359f0f4da5f3672
                                          • Opcode Fuzzy Hash: 4622ba3f5c2fd8678df1ee388abaf78091ba89dbe6f613d5af4c4bae15734af3
                                          • Instruction Fuzzy Hash: 50F01D30A445598BCB64EB95CC986CDB376BF84344F108AE5810DAB224DB349F82CF88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 774679ac059af31d0b9200c5acbaca15bde75623306db9ce275e6da84fbafeee
                                          • Instruction ID: add78f716a7f87ac1004d69df4237b4617a856c177b80fd641076a2616cec7f3
                                          • Opcode Fuzzy Hash: 774679ac059af31d0b9200c5acbaca15bde75623306db9ce275e6da84fbafeee
                                          • Instruction Fuzzy Hash: 21F0B734D0525A8FCB24DF61CD9869DB7B2FF84340F1189E68509B7254DB749E81CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d1fb6ce04c9f9f677e5243ac254464db2abee3be57bc673e3aa9879b1337b437
                                          • Instruction ID: 76cf2da4896e6afd1cbc4af2fb5ab6fd3ec1c8811371a8cc65cc6e666058e445
                                          • Opcode Fuzzy Hash: d1fb6ce04c9f9f677e5243ac254464db2abee3be57bc673e3aa9879b1337b437
                                          • Instruction Fuzzy Hash: C8F03970D04218AFDB48EFA8E840BAEBFF0FB49300F0086AAE815A3741D7701650DF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2c3dc170538dc2f25a3a33f81f840257328bb44d37e27154548fd088297d78ac
                                          • Instruction ID: fe5b432524c0d44d18d47cd3b3ab5c41f225353c08264ea3baabf7fd69d3c53b
                                          • Opcode Fuzzy Hash: 2c3dc170538dc2f25a3a33f81f840257328bb44d37e27154548fd088297d78ac
                                          • Instruction Fuzzy Hash: 90F03970D00208DFCB48DFA8D941AAEBFB5FB48301F1085AAE818A3310D7719A50DF80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b7bde9cfa36dd6ccecda8a47d1f3da3a24effec97c118740c0f458bded2c5b55
                                          • Instruction ID: dfaf4a08a6cf26e131793542f7a8a3fde82c0b1cc124972445fff4496b881e8c
                                          • Opcode Fuzzy Hash: b7bde9cfa36dd6ccecda8a47d1f3da3a24effec97c118740c0f458bded2c5b55
                                          • Instruction Fuzzy Hash: F0E0ED74D0521CDFCB54DFA8D8406ADBBF4FB48304F1086A9D814A3300D7715651DF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7e43a668b3bfc1e5139c359ab76db7b1ea1773b2da85d6fdf28329774ef5f359
                                          • Instruction ID: c577230e6de41e7fb020ba09c9b92d44c463ac21b1a7aca294ef4ee03ca174cd
                                          • Opcode Fuzzy Hash: 7e43a668b3bfc1e5139c359ab76db7b1ea1773b2da85d6fdf28329774ef5f359
                                          • Instruction Fuzzy Hash: AAE0C274D04218DFCB44EFA8D8456ADBBF4FB48304F0086AAE819A7321D7706A41DF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d3477343cf14b1a4e53cac51a748f587e099e46b84cc7aa9e0c5923d1a6cd76
                                          • Instruction ID: bf54f78e64b30c062a3c0ef161673261fd3ffb181abb452324be3bda6942ff9a
                                          • Opcode Fuzzy Hash: 1d3477343cf14b1a4e53cac51a748f587e099e46b84cc7aa9e0c5923d1a6cd76
                                          • Instruction Fuzzy Hash: 55E09A30810308EFCB48EFB8E895A887FB5F748305F004664D80493328EB302A52CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 968c3aa105ae315c232e22e42ba349995fa151a61648f779a52a061cb20a433c
                                          • Instruction ID: 627eee982b3f9c8750deef7fa88e930db1af732092e81afdf9df431e504c0e57
                                          • Opcode Fuzzy Hash: 968c3aa105ae315c232e22e42ba349995fa151a61648f779a52a061cb20a433c
                                          • Instruction Fuzzy Hash: 42E09230C493859FCB29CBB4D444288BFB0EB02315F1442EFCC244B692D7361556CB41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd600d2e1d7344c3a7382a7cd748fefc21548f9d725fa808fe367f1c18d2bf17
                                          • Instruction ID: 2e2f82419e8b0a7d52515074aeacf7cec2056fde7d6dfd2d83f6151fa07dbb77
                                          • Opcode Fuzzy Hash: cd600d2e1d7344c3a7382a7cd748fefc21548f9d725fa808fe367f1c18d2bf17
                                          • Instruction Fuzzy Hash: 35E01A74D0421CAFCB48EFE8D8406AEBBF4FB48300F0086AAD918A3700D7706A50DF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3fa913b6d1bd16b3e0751e187bc1250bf39a6c78f6af89cf0d056b745f46debd
                                          • Instruction ID: c0dc3972ab3ebb0e95bf5465c6a13ed93e6cfda45d5a0228a337206cb42c70ab
                                          • Opcode Fuzzy Hash: 3fa913b6d1bd16b3e0751e187bc1250bf39a6c78f6af89cf0d056b745f46debd
                                          • Instruction Fuzzy Hash: 01E09A70D0421C9FCB44EFA8E9556AEBBF4FB48304F1086AAD918A3741D7705A51DF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 18f01e81ee05b522197f9e5e0e71a10e277bb3bc6dae7181ea5ccea6eba861a7
                                          • Instruction ID: e9bc1e2ce92fbd95f9275282945e49c331ea74c3f7f8a7fd0838ecd9bd9fe4de
                                          • Opcode Fuzzy Hash: 18f01e81ee05b522197f9e5e0e71a10e277bb3bc6dae7181ea5ccea6eba861a7
                                          • Instruction Fuzzy Hash: CDE09234A05208DFCB48DFA8E989A9DBBB4FB49305F1082A9D80897361D731AA10DF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f94302a104daa054cfd2ff0fd9cceb9a5c95bdd8a2d73725b0df19143fe5709
                                          • Instruction ID: 50386fbbe81fd112dba4f088040bc277a32d3d810e81c44d4c1e9ee5c787f274
                                          • Opcode Fuzzy Hash: 7f94302a104daa054cfd2ff0fd9cceb9a5c95bdd8a2d73725b0df19143fe5709
                                          • Instruction Fuzzy Hash: 51E0C230D0424C9FCB44EFF8E89939DBBF0EB44700F1042A9C908D3240EB702A80CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc2c5292aa7ff99aac7f84a2958e157bffd13c2d04d7a52cd663a5f167273d9e
                                          • Instruction ID: 53f82c1488f222f53df59074638f9f7c17ee4031be03da454e0462b79c207226
                                          • Opcode Fuzzy Hash: cc2c5292aa7ff99aac7f84a2958e157bffd13c2d04d7a52cd663a5f167273d9e
                                          • Instruction Fuzzy Hash: FDE0B670D05208AFCB98EFF8D44529CBBF4EB44205F0086AAC818A7740E7355A95CF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e36f451507566d9aa017abe063ec180935578b297c11355816a69abb9f411f7c
                                          • Instruction ID: 839ed358e0ce996beee4ef19c384e2482c98c74a786dbffdbc23beb93ef92390
                                          • Opcode Fuzzy Hash: e36f451507566d9aa017abe063ec180935578b297c11355816a69abb9f411f7c
                                          • Instruction Fuzzy Hash: 2BE0B6B1D40209DFD740EFB9C905A5EBBF1FF08600F11C9A9D019E7211E77496058F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a9b73f919cd6be9bb684e3eb568c90994d9079fd895cd6f73f70e5d4ed5134a
                                          • Instruction ID: 81850cd3b8d135c7d3d1fee65987d11704dc30d34bf642c43df8d0c4f9d15a07
                                          • Opcode Fuzzy Hash: 5a9b73f919cd6be9bb684e3eb568c90994d9079fd895cd6f73f70e5d4ed5134a
                                          • Instruction Fuzzy Hash: 6CE01234D1524C9FCB58EFF8E85539DBBF4EB48305F5042ADC94997640EB701A51CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f1d884eb23cc149d60825afb2e1cc8146b7e67261f0abd497af9a7b07e50882
                                          • Instruction ID: b9479e4681e23ce2c22a6bf47afc7793dda8472c79172d123c23c7f1282acc1e
                                          • Opcode Fuzzy Hash: 0f1d884eb23cc149d60825afb2e1cc8146b7e67261f0abd497af9a7b07e50882
                                          • Instruction Fuzzy Hash: 62E0EC34D0521A8FCB04CFA5CA8469DBFF6FF49240F00C455D545E3340DB388A408F41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 575fb5ecc368ccfdc7dd4c0cb8dce588f0e801a6dd7b23bacbc0245671b82e59
                                          • Instruction ID: 0f86369e65511966ef32041dfe782735f9631f9574e087a75e482e49395cfe95
                                          • Opcode Fuzzy Hash: 575fb5ecc368ccfdc7dd4c0cb8dce588f0e801a6dd7b23bacbc0245671b82e59
                                          • Instruction Fuzzy Hash: 86D0A978904205DFEB00CE91C02625EFA72EB81201F00D4298006E2298DB3886028B00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.764640873.0000000005CE0000.00000040.00000001.sdmp, Offset: 05CE0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b42cdd427498c7ecff99d1fa0d6e882e4b81ec43f28a5ec600154e7f47ed4166
                                          • Instruction ID: ab943b728763e048da2a28a21c91791e7ac8485553b8913c06c635d27e690a3c
                                          • Opcode Fuzzy Hash: b42cdd427498c7ecff99d1fa0d6e882e4b81ec43f28a5ec600154e7f47ed4166
                                          • Instruction Fuzzy Hash: 8DC08C3E4004009BEA82E724C844FCA7EB5BF56210F88C6A99254432B5D7258419EF82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions


                                          Executed Functions

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.923385476.0000000007960000.00000040.00000001.sdmp, Offset: 07960000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.921975807.0000000006E50000.00000040.00000001.sdmp, Offset: 06E50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.923385476.0000000007960000.00000040.00000001.sdmp, Offset: 07960000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.923385476.0000000007960000.00000040.00000001.sdmp, Offset: 07960000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemTimes.KERNEL32(?,?,?), ref: 07963224
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.923385476.0000000007960000.00000040.00000001.sdmp, Offset: 07960000, based on PE: false
                                          Similarity
                                          • API ID: SystemTimes
                                          • String ID:
                                          • API String ID: 375623090-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06E53738
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.921975807.0000000006E50000.00000040.00000001.sdmp, Offset: 06E50000, based on PE: false
                                          Similarity
                                          • API ID: Query_
                                          • String ID:
                                          • API String ID: 428220571-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06E53738
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.921975807.0000000006E50000.00000040.00000001.sdmp, Offset: 06E50000, based on PE: false
                                          Similarity
                                          • API ID: Query_
                                          • String ID:
                                          • API String ID: 428220571-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06E53738
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.921975807.0000000006E50000.00000040.00000001.sdmp, Offset: 06E50000, based on PE: false
                                          Similarity
                                          • API ID: Query_
                                          • String ID:
                                          • API String ID: 428220571-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.923385476.0000000007960000.00000040.00000001.sdmp, Offset: 07960000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 06E513A9
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.921975807.0000000006E50000.00000040.00000001.sdmp, Offset: 06E50000, based on PE: false
                                          Similarity
                                          • API ID: CurrentThread
                                          • String ID:
                                          • API String ID: 2882836952-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.923385476.0000000007960000.00000040.00000001.sdmp, Offset: 07960000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemTimes.KERNEL32(?,?,?), ref: 07963224
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.923385476.0000000007960000.00000040.00000001.sdmp, Offset: 07960000, based on PE: false
                                          Similarity
                                          • API ID: SystemTimes
                                          • String ID:
                                          • API String ID: 375623090-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemTimes.KERNEL32(?,?,?), ref: 07963224
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.923385476.0000000007960000.00000040.00000001.sdmp, Offset: 07960000, based on PE: false
                                          Similarity
                                          • API ID: SystemTimes
                                          • String ID:
                                          • API String ID: 375623090-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 06E513A9
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.921975807.0000000006E50000.00000040.00000001.sdmp, Offset: 06E50000, based on PE: false
                                          Similarity
                                          • API ID: CurrentThread
                                          • String ID:
                                          • API String ID: 2882836952-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetSystemTimes.KERNEL32(?,?,?), ref: 07963224
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.923385476.0000000007960000.00000040.00000001.sdmp, Offset: 07960000, based on PE: false
                                          Similarity
                                          • API ID: SystemTimes
                                          • String ID:
                                          • API String ID: 375623090-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.923385476.0000000007960000.00000040.00000001.sdmp, Offset: 07960000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 0109CF50
                                          • GetCurrentThread.KERNEL32 ref: 0109CF8D
                                          • GetCurrentProcess.KERNEL32 ref: 0109CFCA
                                          • GetCurrentThreadId.KERNEL32 ref: 0109D023
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 0109CF50
                                          • GetCurrentThread.KERNEL32 ref: 0109CF8D
                                          • GetCurrentProcess.KERNEL32 ref: 0109CFCA
                                          • GetCurrentThreadId.KERNEL32 ref: 0109D023
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0109AE4E
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 054918CA
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.877824401.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 054918CA
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.877824401.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01095741
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01095741
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 05493E31
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.877824401.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109D5A7
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109D5A7
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0109AEC9,00000800,00000000,00000000), ref: 0109B0DA
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0109AEC9,00000800,00000000,00000000), ref: 0109B0DA
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0109AEC9,00000800,00000000,00000000), ref: 0109B0DA
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0109AE4E
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.864059041.0000000001090000.00000040.00000001.sdmp, Offset: 01090000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowLongW.USER32(?,?,?), ref: 05491A5D
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.877824401.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetWindowLongW.USER32(?,?,?), ref: 05491A5D
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.877824401.0000000005490000.00000040.00000001.sdmp, Offset: 05490000, based on PE: false
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.882940016.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: x l
                                          • API String ID: 0-2770355295
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.882940016.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: #uQ$#uQ$6(Q/$6(Q/$Q@.a
                                          • API String ID: 0-1563241251
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.882940016.0000000007090000.00000040.00000001.sdmp, Offset: 07090000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: )z;$)z;$k1T$k1T
                                          • API String ID: 0-2644562797
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: Xc%l$Xc%l
                                          • API String ID: 0-1338683366
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: FD0/$`jQ?
                                          • API String ID: 0-3878601116
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: FD0/$`jQ?
                                          • API String ID: 0-3878601116
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: EuR$L-uI
                                          • API String ID: 0-3189475397
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: Yy@$Yy@+e=
                                          • API String ID: 0-3438994167
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetUserNameA.ADVAPI32(00000000), ref: 086E9224
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: d-%l
                                          • API String ID: 0-157456239
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: d-%l
                                          • API String ID: 0-157456239
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 7<]
                                          • API String ID: 0-1817355989
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: Xc%l$Xc%l$Xc%l$Xc%l
                                          • API String ID: 0-1413160688
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 6(Q/$6(Q/$Q@.a
                                          • API String ID: 0-2649129471
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: 6(Q/$6(Q/$Q@.a
                                          • API String ID: 0-2649129471
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessW.KERNEL32(?,?,00000009,?,?,?,?,?,?,?), ref: 086EBB73
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessW.KERNEL32(?,?,00000009,?,?,?,?,?,?,?), ref: 086EBB73
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetUserNameA.ADVAPI32(00000000), ref: 086E9224
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: <%l
                                          • API String ID: 0-1285486688
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: FindWindow
                                          • String ID:
                                          • API String ID: 134000473-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: FindWindow
                                          • String ID:
                                          • API String ID: 134000473-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 086EC055
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 086EC055
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 086EBECF
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 086EBECF
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNEL32(?,00000000), ref: 086EBE07
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNEL32(?,00000000), ref: 086EBE07
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 086EBF8B
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 086EBF8B
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 086EC4FD
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 086EC4FD
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886089194.00000000086E0000.00000040.00000001.sdmp, Offset: 086E0000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: `$l
                                          • API String ID: 0-784925101
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: N?D
                                          • API String ID: 0-2414610059
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: N?D
                                          • API String ID: 0-2414610059
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: N?D
                                          • API String ID: 0-2414610059
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: N?D
                                          • API String ID: 0-2414610059
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: `$l
                                          • API String ID: 0-784925101
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: D0%l
                                          • API String ID: 0-3182299250
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: x l
                                          • API String ID: 0-2770355295
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.864951330.0000000000F4D000.00000040.00000001.sdmp, Offset: 00F4D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: _
                                          • API String ID: 0-701932520
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: AfAc
                                          • API String ID: 0-1936660848
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: )2sF
                                          • API String ID: 0-1077723334
                                          • Opcode ID: 2d15a32b066608d57ef2c1d4e0c666962c2f2e46e6bea71f9f683e46355d6114
                                          • Instruction ID: 511a7583bcdae443993d515fb1b022dfd89a1f7d037c3af40f27007dcc05edca
                                          • Opcode Fuzzy Hash: 2d15a32b066608d57ef2c1d4e0c666962c2f2e46e6bea71f9f683e46355d6114
                                          • Instruction Fuzzy Hash: 2F014B74E1122C8FCB65EF20E98469DBBBAAF8C211F5056D9D409A7344DB305F81CF65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: )2sF
                                          • API String ID: 0-1077723334
                                          • Opcode ID: 4b287f86fcb31d40687711168675702535735e6ef3881b3b86344b382f803fcc
                                          • Instruction ID: cfff41a6cddcdf6a3fb9a90f74abeaa19f4084380a89824742350e24cb8faa40
                                          • Opcode Fuzzy Hash: 4b287f86fcb31d40687711168675702535735e6ef3881b3b86344b382f803fcc
                                          • Instruction Fuzzy Hash: 5D01E874E053288FCBA5DF20E9842ADBBB5AB89311F1095DAD40AA7344CB301E80CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.864951330.0000000000F4D000.00000040.00000001.sdmp, Offset: 00F4D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: _
                                          • API String ID: 0-701932520
                                          • Opcode ID: dad179f7ec0e51f8cfa4f49caae55b860b062783c07ca0bff5dd590221a93f70
                                          • Instruction ID: 8492f3ea9efce59e3be0b35b4bccab0531a1742e4c915cc0a253c47ce127428a
                                          • Opcode Fuzzy Hash: dad179f7ec0e51f8cfa4f49caae55b860b062783c07ca0bff5dd590221a93f70
                                          • Instruction Fuzzy Hash: 8FF0A0319082408AEB148F25D8C8356FFD0EF56338F18C15BDD080E28AD3B89444DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73d4d92eaec377eba60bf8b5a3a194a2f59bf959091f5bad912ea2539cbfbced
                                          • Instruction ID: ffff45f000c3dadf16570a174ca0bb8e63815934ff86d06a1df410b46ce7e887
                                          • Opcode Fuzzy Hash: 73d4d92eaec377eba60bf8b5a3a194a2f59bf959091f5bad912ea2539cbfbced
                                          • Instruction Fuzzy Hash: 3BB13D71A00604DFDB68DF68D494A5ABBF2FF88315B148AA9E412DB359DB30EC41CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1f89c6429e3b1d459653f81ebde12633357d5b03bb2701f7041e64a349862244
                                          • Instruction ID: e0f4a0d776121d11d2150737960f219f0aeda780b433921966437a8d03819ca2
                                          • Opcode Fuzzy Hash: 1f89c6429e3b1d459653f81ebde12633357d5b03bb2701f7041e64a349862244
                                          • Instruction Fuzzy Hash: 8251E135A042068FCB14DFB8C88456EBBF1BFC1316B15847ED505DB361EB31E8458BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d496ca55d7541cb6303830ca17c6859e9f1de060a243f0a61f707bea0ba42c3f
                                          • Instruction ID: 4c56e6363f0b8e8279dbd5009df6b411af09fddd480ad564ace77f21bead80dd
                                          • Opcode Fuzzy Hash: d496ca55d7541cb6303830ca17c6859e9f1de060a243f0a61f707bea0ba42c3f
                                          • Instruction Fuzzy Hash: 7351B135B002098FCB05DBB9D8484AEBBF6FFC4265715852DE529DB391EF309D068BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1c80d999d2c00c6909c51b717f3db57b870ab94e5b4dc000653bcbdd5f391ccb
                                          • Instruction ID: 305d818c11017e347b515c82a727cc47fe31f6adb83aa0398f54407de3494a0e
                                          • Opcode Fuzzy Hash: 1c80d999d2c00c6909c51b717f3db57b870ab94e5b4dc000653bcbdd5f391ccb
                                          • Instruction Fuzzy Hash: 8B41147550CAC2DFC706AB34D4462A6FFF1AAC2212B184FD9D280DA13ED2359846E7B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f1ee5de1738852d0000f4df6fa59c741ec2f14c25cda7e452d97f2aa34b079c5
                                          • Instruction ID: 85eaa7dea609ddc174f2fd35730a9c369b4cb123f70a7bc29cfdf1a8d0bba922
                                          • Opcode Fuzzy Hash: f1ee5de1738852d0000f4df6fa59c741ec2f14c25cda7e452d97f2aa34b079c5
                                          • Instruction Fuzzy Hash: B3511A30A01209DFCB15DF68D584AADFBB2FF88315F54896DE406A7364DB36A842CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45c52ea2d507f837ebc65c1daad0826a286a3d09f82715e7370566d97eb9248e
                                          • Instruction ID: 24cff3f1be46591b679ae8f9ba27eccfbe09b468238d32fefc136670fb4e3640
                                          • Opcode Fuzzy Hash: 45c52ea2d507f837ebc65c1daad0826a286a3d09f82715e7370566d97eb9248e
                                          • Instruction Fuzzy Hash: 7A41BD36A002019FDB14DB68C4986AEB7E3EFC8225F18C569D51A97394CF35EC42CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bf3a5ddcbe5a412bcd4dd3d3fb8facb972cec12af9b1106f7708b3c079ff9a6
                                          • Instruction ID: a3761774db21f4f7d14976cb313f048eab969a7cf3bcf80a3530b805b0a9fe36
                                          • Opcode Fuzzy Hash: 6bf3a5ddcbe5a412bcd4dd3d3fb8facb972cec12af9b1106f7708b3c079ff9a6
                                          • Instruction Fuzzy Hash: BB510578E002188FDB04CFA9C98499DBBF2FF88321F19C5A9D815AB325D735A941CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7d9fa03fef9dae44fb70810abfbe0f51071ee462e32033509aa796842cbae25
                                          • Instruction ID: 3f6e21092c644f7033e9d0bcfc526880b2e87fc00cd78e1af9d69954406130ae
                                          • Opcode Fuzzy Hash: e7d9fa03fef9dae44fb70810abfbe0f51071ee462e32033509aa796842cbae25
                                          • Instruction Fuzzy Hash: 26415A30A0011D9FCF15DFA4D885AAE7BA7FF84356F048429F8029B394DB349D62CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 237cd929ef5b54098d4a6aa02613e613bc59c08dc33a3df3bb7e08370cbf0acf
                                          • Instruction ID: 2e58fdaec6919f748d7f43e5bc4610a8be84eb05b3c5f635bbc0a5f646e87e49
                                          • Opcode Fuzzy Hash: 237cd929ef5b54098d4a6aa02613e613bc59c08dc33a3df3bb7e08370cbf0acf
                                          • Instruction Fuzzy Hash: 4641FF79D052498FCB04CFE5C84159EBBB2AFC9215F14D66AD518EB359D7B08900CFB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eb58065c6d9a74d5d03159382449e3231f573087000ff1ec8098ba5c6139ba08
                                          • Instruction ID: 78647ac247429aa92a39837b41e7d032c4ac40bc8a75a0883760ab196b39fc07
                                          • Opcode Fuzzy Hash: eb58065c6d9a74d5d03159382449e3231f573087000ff1ec8098ba5c6139ba08
                                          • Instruction Fuzzy Hash: F7410675E012089FDB04DFAAC8416AEBBF2BF89301F14C56AD414AB354DB749942CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a1d8d38155e6cbd2125aa3b89d5002b2d4bc3150f45ee8a51dd1574b8f2c7229
                                          • Instruction ID: 939daab76fdb693a3ccbe7f7cb5e33e292863430c257fb6a7d8c495e983cea4d
                                          • Opcode Fuzzy Hash: a1d8d38155e6cbd2125aa3b89d5002b2d4bc3150f45ee8a51dd1574b8f2c7229
                                          • Instruction Fuzzy Hash: C531C370B001048FEB14EBB8D454AAE7BF6EBC8215F148568D902EB395DF759C05CBB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 29be960c0a47a95da7e5b6f96813fd328b3ba88187ab2db89836cab90eed059e
                                          • Instruction ID: 6959dda86381b97562da0be71a6027814720b5181c6465bfa89f1a4cf47608b4
                                          • Opcode Fuzzy Hash: 29be960c0a47a95da7e5b6f96813fd328b3ba88187ab2db89836cab90eed059e
                                          • Instruction Fuzzy Hash: FB317979E052498FCB04CFE5C84149EBBB2AFC9215F14D96AC405EB358E7744A05CF71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e95ac07b5dc03cc869e65269c0a78767aaf4ad1aa9cd555eddf036c147f4a41
                                          • Instruction ID: 55c8cd73b07b520a903e674031327e76b9899bf706e5e78ee4600536745b5029
                                          • Opcode Fuzzy Hash: 0e95ac07b5dc03cc869e65269c0a78767aaf4ad1aa9cd555eddf036c147f4a41
                                          • Instruction Fuzzy Hash: F8315E30E16209EFCB48CFA9D98159DFBB2FF89205F14D9AAD409E7254D7309A01CF04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fcb56153d3e756000eafa576366ae247001714125fb743374a95ab61910d514d
                                          • Instruction ID: d4939a58bac8b10c013eb7ca3c89408c983ad862495db1627b21868d33d41edb
                                          • Opcode Fuzzy Hash: fcb56153d3e756000eafa576366ae247001714125fb743374a95ab61910d514d
                                          • Instruction Fuzzy Hash: 70311674E11229CFCB64DF68D9887ADBBB5FB85301F2485AAD40DA7248DB359E84CF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6cc423ef9a27ef75123177fbe1384b33f2d209eb7b8feec9c65fcdb6930979e0
                                          • Instruction ID: 6ea94b47e9bd4eac3b6bba924f555324d4598d200794a168bc255a3495609401
                                          • Opcode Fuzzy Hash: 6cc423ef9a27ef75123177fbe1384b33f2d209eb7b8feec9c65fcdb6930979e0
                                          • Instruction Fuzzy Hash: 292192313006048FD764EF29D484859B7F7EFC52167128A69E606CB778DB70ED46C761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4d97505abf74000ac68bb9042d68fe48f46c9d6e4990996c1a4d2b5f883a540f
                                          • Instruction ID: 0c25962cc85052fbdfec4ae985ece356e3281f843a6e3b86fe6dc2da4b1ed155
                                          • Opcode Fuzzy Hash: 4d97505abf74000ac68bb9042d68fe48f46c9d6e4990996c1a4d2b5f883a540f
                                          • Instruction Fuzzy Hash: 83312975E152198BCB04CFA9C8415AEBBF6EFC8351F10D92AD815B7314E7745A01CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a087d7a22bfe451371f1e7715361abfdad90d69e03be1f9b7dc62417f7ef1ab0
                                          • Instruction ID: 0a68c7328e8a7655916ff7b2631ec35d16105a633f94fdcdecd9028b1875201c
                                          • Opcode Fuzzy Hash: a087d7a22bfe451371f1e7715361abfdad90d69e03be1f9b7dc62417f7ef1ab0
                                          • Instruction Fuzzy Hash: 26316F30E16109EFCB48CFA5D94159DFBB2FF89205F20D9A9D409E7254EB309A01CF04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e63b729506de189277297ae1ef5b50a84dcaa50ae511a5bfe358900b2af47510
                                          • Instruction ID: bda03328edc0b679d7a9774d3965d66821ea6a658e08ec9b0e057169932a649a
                                          • Opcode Fuzzy Hash: e63b729506de189277297ae1ef5b50a84dcaa50ae511a5bfe358900b2af47510
                                          • Instruction Fuzzy Hash: 3631B4B4E002199FCB84CFA9C5816AEBBF2BF89301F10996AD819A7714D734AA41CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14dae850494a2ba9acb584c68f4c3f39110a60f137d847e22b40f1c63feefc4b
                                          • Instruction ID: 2aea6a0cc408e07bd4ba71ca3c65c0335305d1865c600c2f6dd2bbded2d5ec96
                                          • Opcode Fuzzy Hash: 14dae850494a2ba9acb584c68f4c3f39110a60f137d847e22b40f1c63feefc4b
                                          • Instruction Fuzzy Hash: 0E310974E04209DFCB48CFA9C9855AEFBF2BF89301F50D9A9C418A7254E7349A418F50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c1b4807ffbb00c861fadedff41fcdbdeea0980e82c4835fb60b994914123c1a6
                                          • Instruction ID: 6e0afa180121496a6ad6ebc9a411d8ccbda5c90678f5bd627779418424936872
                                          • Opcode Fuzzy Hash: c1b4807ffbb00c861fadedff41fcdbdeea0980e82c4835fb60b994914123c1a6
                                          • Instruction Fuzzy Hash: D4314FB0D052598FDB59CFAAD84129EFFF2AFC9311F18C1AAD418A7266D7344A01CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 556c9a240e391150160cdc47e6ef629b6f97235675a8ef0082a5cbd2918af032
                                          • Instruction ID: 6358aaa6541c49b7413746e73892daaf27a46fec3fd0c4d625213b62a776cb9b
                                          • Opcode Fuzzy Hash: 556c9a240e391150160cdc47e6ef629b6f97235675a8ef0082a5cbd2918af032
                                          • Instruction Fuzzy Hash: 6F21F5B590CBC5CFC706DB74C4066AABFB19BC7222B194F85D140DB23AC2319945D7B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7dcf925ced26feba3ff13913f715b5329073ef1d0d33f1be23ed01afaa140390
                                          • Instruction ID: 96bf83db4138f2d5be061961dfffd89d85987aeef12157381bb32f2cbe8816f1
                                          • Opcode Fuzzy Hash: 7dcf925ced26feba3ff13913f715b5329073ef1d0d33f1be23ed01afaa140390
                                          • Instruction Fuzzy Hash: 4D21F1719093C89FCB06CF78885829CBFB0AF5A225F2846DEC5A48F356D2364904DB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 99683a0517c6e9e77944fa78b89118392353b5f59c3e61bd945d5daec877ce15
                                          • Instruction ID: ea946b18b93f60b0c121ce95878f7267b238dd6ae670b30e706d5be94c6f5bd3
                                          • Opcode Fuzzy Hash: 99683a0517c6e9e77944fa78b89118392353b5f59c3e61bd945d5daec877ce15
                                          • Instruction Fuzzy Hash: D831ADB0D012189FDB20CF99C988B9EBBF4BB08714F24841EE405BB690C7B59945CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed9d2c1682f2a3183f4967d1c1ee885f81400b86521b150d9913ad52d396f152
                                          • Instruction ID: e2efa5874a0817aa4c461df9f851f2e74bca69560488f40a4611070a73ebfc9c
                                          • Opcode Fuzzy Hash: ed9d2c1682f2a3183f4967d1c1ee885f81400b86521b150d9913ad52d396f152
                                          • Instruction Fuzzy Hash: 7B31BDB0D012189FDB20CF99C588B8EBBF4BB58714F24802EE405BB280C7B59985CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.864951330.0000000000F4D000.00000040.00000001.sdmp, Offset: 00F4D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 234af61c90107e0fa7e0c8293a1cfc8fae4799186cb2efc4618b94654737aa1f
                                          • Instruction ID: 93a812e2d107bf01116a2873d89d93adcdf197950ef44141ee0887a09e38052d
                                          • Opcode Fuzzy Hash: 234af61c90107e0fa7e0c8293a1cfc8fae4799186cb2efc4618b94654737aa1f
                                          • Instruction Fuzzy Hash: 7221D8B6904240DFDB15CF10D8C0B26BF61FB84328F28C599ED454B21AC736D956EBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b67451eaac01a044273c34514a179cf53e51880f32d74c7b997ef161db3ab83a
                                          • Instruction ID: d8a6839d685eabe8c8f2d48fa08c185967969f8d5d223f3a5b46a57bfa06471f
                                          • Opcode Fuzzy Hash: b67451eaac01a044273c34514a179cf53e51880f32d74c7b997ef161db3ab83a
                                          • Instruction Fuzzy Hash: DA113B31A14349AFC7258B74D800799FBB1EFC2315F1487AEE5248B3D6DB358942C791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ac11afedd0d0e77520e2a2cdd3e0fb3b5c5865967efddfed2ec8f0ad483ed467
                                          • Instruction ID: 4988095b3e717aaf1b2a65688774830fc24493dcd354c7a14b49eedec1d05468
                                          • Opcode Fuzzy Hash: ac11afedd0d0e77520e2a2cdd3e0fb3b5c5865967efddfed2ec8f0ad483ed467
                                          • Instruction Fuzzy Hash: 8711A379A002168F8B15DBB99C444FFBBF7FFC42A1714492DD419D7341EE3099068B60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5708d55a0a832c91c8b65f4b440783b8f367e5d087e15b6e08f1730e8dbce023
                                          • Instruction ID: c2360f596afebeccf4bbc7ab13dadcc36d1113e3b0c18f9ca0d4309426b3d74d
                                          • Opcode Fuzzy Hash: 5708d55a0a832c91c8b65f4b440783b8f367e5d087e15b6e08f1730e8dbce023
                                          • Instruction Fuzzy Hash: 6D21E431A002089FCF14DFA8D949AEDBBB2FF88322F145469E905BB260C7719D55CF64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0b59d324734dc3e925b6523969bd9afb25217560541ae10fe03a559675cfae46
                                          • Instruction ID: a01a6c1386b4bc361364b3f46e7f77e4fe5ac0ee558ae7ae1488bc15b87b8d8c
                                          • Opcode Fuzzy Hash: 0b59d324734dc3e925b6523969bd9afb25217560541ae10fe03a559675cfae46
                                          • Instruction Fuzzy Hash: 6D214DB8E09219DFCB44CFE8D94059EBBB2FB89302F2495AAC509E7254E7345A01CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 31d2411e18829475309344004da65d67d22296f69e2b2c7ebb40b44797cadf11
                                          • Instruction ID: fd70fa00f1ba4c607e8ed4688500cf4918d309e7b9e0c5f3505b8a7a638466ac
                                          • Opcode Fuzzy Hash: 31d2411e18829475309344004da65d67d22296f69e2b2c7ebb40b44797cadf11
                                          • Instruction Fuzzy Hash: 4111BF75A002169F8B15DBF988544BFBBFBFFC52A2714492DE419D7340EE309A068BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.865166914.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dffbd72532ab5756a1f7fca8be56371eec4da25bb35c9592db947bd2bf5e6bd8
                                          • Instruction ID: 6d8d2e3128b8a035e5d2f944726950612dc21d67f5d28f7f15dabf7c98edb2be
                                          • Opcode Fuzzy Hash: dffbd72532ab5756a1f7fca8be56371eec4da25bb35c9592db947bd2bf5e6bd8
                                          • Instruction Fuzzy Hash: 371196B5904240DFDB24CF10D5C4B16BBA1FB84329F24C5ADED494B29AC376D84BDB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.865166914.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9db053bfc2000d307ef1c370d7bf9e7025977136b7f82bec40ff9b4616966ddd
                                          • Instruction ID: 5735f18f66dae826e356d8d7302718b0ecf59e034b380100cb0e442db412978b
                                          • Opcode Fuzzy Hash: 9db053bfc2000d307ef1c370d7bf9e7025977136b7f82bec40ff9b4616966ddd
                                          • Instruction Fuzzy Hash: 4111D3B5905200DFDB15CF10D9C4B26BBA1FB84329F24C6ADEE494B246C376D84ADB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 64fea3ba9b439b7fd15a593fc0fd6583a646fb5c02f3967f9a0df39738ff8d22
                                          • Instruction ID: eb242c08e11ac3c42b5d03a7fe0f93cbd2e17f7a8917bd91abfd04f5f5ab4558
                                          • Opcode Fuzzy Hash: 64fea3ba9b439b7fd15a593fc0fd6583a646fb5c02f3967f9a0df39738ff8d22
                                          • Instruction Fuzzy Hash: 40115131B002198F8B14EBF898116EEB7F6AFC5296B10403ED504E7340EB369D068B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f0429ab85cb218f858ffa1926cdec69acc8752bcda27fae9c98abda9d57cf6c5
                                          • Instruction ID: 9f1825b34ca60ccdf2c0e2b13d16dea3befaff91b3d1fed8472e3c529366b5e0
                                          • Opcode Fuzzy Hash: f0429ab85cb218f858ffa1926cdec69acc8752bcda27fae9c98abda9d57cf6c5
                                          • Instruction Fuzzy Hash: A831C678D11268CFDBA4DF64C8887ADBBB5BB44201F008ADAD51EB7244DB305E85CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.864951330.0000000000F4D000.00000040.00000001.sdmp, Offset: 00F4D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5cbc68b74b48d0ba1e993ade371fc4f49b26c0772ad542f24b4632ef1088e1b6
                                          • Instruction ID: daa40ba6e612c9265c474a34d1ca0efb338436ecb2238cf084e2f998336284ff
                                          • Opcode Fuzzy Hash: 5cbc68b74b48d0ba1e993ade371fc4f49b26c0772ad542f24b4632ef1088e1b6
                                          • Instruction Fuzzy Hash: CB1173B5904240DFCF15CF10D5C4B16BF61FB98328F28C6A9DC450B616C336D956DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2b5ee2eb9a861ab118c425b33e5f4b3cece69aafe854f15ac52eb44bb49d2b42
                                          • Instruction ID: 1585ff9907ceae0df8c296e61e8ada58d63422cc1c343211e6231c60f544e889
                                          • Opcode Fuzzy Hash: 2b5ee2eb9a861ab118c425b33e5f4b3cece69aafe854f15ac52eb44bb49d2b42
                                          • Instruction Fuzzy Hash: 23217374D05228CFEBA5CFA4D984B9DBBB1BB58211F1491DAE50DB3344EA305E85CF24
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.865166914.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff0633ddd6f8495c63a1a94cf04af6b0fc2dfc73eec81337a52de29f112f4e85
                                          • Instruction ID: f62ab345cb8e9759752ea28350a4074edf38a3320f771718b50f9efa3400bbeb
                                          • Opcode Fuzzy Hash: ff0633ddd6f8495c63a1a94cf04af6b0fc2dfc73eec81337a52de29f112f4e85
                                          • Instruction Fuzzy Hash: 7711ACB5900240DFCB15CF10C5C4B15BBA1FB84324F24C6ADDD494B356C376D84ADB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.865166914.0000000000F5D000.00000040.00000001.sdmp, Offset: 00F5D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 65064cc871aaa3ae8110b9700710359729d0b4e449a2a190a0219482d86ebc6d
                                          • Instruction ID: a66f5636e95615bbbc8e3c1573d60c84338432a6e8036cdf517868df3a5c9a86
                                          • Opcode Fuzzy Hash: 65064cc871aaa3ae8110b9700710359729d0b4e449a2a190a0219482d86ebc6d
                                          • Instruction Fuzzy Hash: A0117CB5904240DFCB25CF10D5C4B16BBA2FB88324F24C6AADD494B29AC336D85BDB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 82215d64b8f984c7cc6b7413566f453c9d5925c160cd326fb434ef91d6e07c67
                                          • Instruction ID: b0e614dfae12933e8e7f069371306e854bd852228aa0bbed3599ce5d98d1a997
                                          • Opcode Fuzzy Hash: 82215d64b8f984c7cc6b7413566f453c9d5925c160cd326fb434ef91d6e07c67
                                          • Instruction Fuzzy Hash: DDF0CDB69080588FCB00DBE8C8501EDBBB0FBAA252F1049AAC005BB640D2259B06CF21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 07cace8271933ae93311a0c1d0751f1851497813a9d1fb03e816cedb95c1751b
                                          • Instruction ID: 121baa049d6a83c6d89a6e1d80a2d632faf3f0659ce86969161d0e924abbb1e5
                                          • Opcode Fuzzy Hash: 07cace8271933ae93311a0c1d0751f1851497813a9d1fb03e816cedb95c1751b
                                          • Instruction Fuzzy Hash: D511AE74E023188FDB54DFA4C980ADDBBF1BB48321F2015A9E805AB355DA32AE80CF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 162ddf9e02cfa222f33240f3601972435555f72610d1c059f5bcfef7e73ce4aa
                                          • Instruction ID: c6a8fc4dba69769893293134037cad9f4ace9b20b61149c0d054507f6194fb45
                                          • Opcode Fuzzy Hash: 162ddf9e02cfa222f33240f3601972435555f72610d1c059f5bcfef7e73ce4aa
                                          • Instruction Fuzzy Hash: E9F08C32A00008EFCF049F94DC498ED7B72FF88362B014829FA06AB260C7329961DF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: df3eb7f643ff32e0ba6fbaf321fd509fef742b7dcf861c125ae55c2b927a8292
                                          • Instruction ID: 0838c1bf94170437a914c1c06e1be97758065754cab22e17b7d33b49c2bbf1b2
                                          • Opcode Fuzzy Hash: df3eb7f643ff32e0ba6fbaf321fd509fef742b7dcf861c125ae55c2b927a8292
                                          • Instruction Fuzzy Hash: A411E374D022688FDBA1DF20C9587DDBBB1AB49301F1046DAD80ABB344DB319E81CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b90eafab66bae7b946baeb46ca5212475472a509b98ef6ef3ed33566e474a42b
                                          • Instruction ID: fd1fab39f92f11ee6ff43c71fbf9064b8785ea2cecd58793aacdfb108bdf83af
                                          • Opcode Fuzzy Hash: b90eafab66bae7b946baeb46ca5212475472a509b98ef6ef3ed33566e474a42b
                                          • Instruction Fuzzy Hash: 8EF08C74E1920CDFD744DFA8D98925DFAB6BB89212F24D8B9C909D3244DB709A408E60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 64f34785cdc90f224cbfa4a121dd2ae4f81c9785c27a62bb2b27dd080d14577a
                                          • Instruction ID: a80a69966e5a199dbd14c9ba7573671422995e6d5f6c0d25fda811d544eb4296
                                          • Opcode Fuzzy Hash: 64f34785cdc90f224cbfa4a121dd2ae4f81c9785c27a62bb2b27dd080d14577a
                                          • Instruction Fuzzy Hash: 2601DA71800219DEDB25CFA9C5447AEBBF1BF44315F24CA6DE429AB290D7754A84CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7a739453f9a6d7e7375ce6071c40004fc7a88bab5c16ed21f1069cd2bced4620
                                          • Instruction ID: 3b0dc9f48d4f75d01380950e6b644c014677ba3ac124df97870991fe583af0ea
                                          • Opcode Fuzzy Hash: 7a739453f9a6d7e7375ce6071c40004fc7a88bab5c16ed21f1069cd2bced4620
                                          • Instruction Fuzzy Hash: C4F054767052645FD304CB69EC8586BBBBAEF89265315817AE548DB311D9304C05C760
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b342fbbfaffebf8facf511467c045046f24eb2de32622b14746dcb8ceb8e5628
                                          • Instruction ID: d2e17b7f261e3acc2417c3a3a5e0335249edcd409d239075e85b1e6ef981f3b8
                                          • Opcode Fuzzy Hash: b342fbbfaffebf8facf511467c045046f24eb2de32622b14746dcb8ceb8e5628
                                          • Instruction Fuzzy Hash: B4119374D012288FEBA4DF64D994B99BBB2FB98201F1095EAD50DA7344DB305E81CF21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f87ca0dc32645a159fe978c15c65244e173b7efef68c3b8631b39abb9fbaac86
                                          • Instruction ID: a7ff89d12b87389d101a3baf91eed8d2ced23210a380b6f7e8539fe12845c831
                                          • Opcode Fuzzy Hash: f87ca0dc32645a159fe978c15c65244e173b7efef68c3b8631b39abb9fbaac86
                                          • Instruction Fuzzy Hash: F701B634E00208AFDB04DFA9D585A9DBFF1AF88310F05C1A5E9089B365EA359A41CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8f80700754df96eba6acb2e28c1c8a7a0783575d9e48dfd6ae5f779a77eba973
                                          • Instruction ID: 9d1b07d3ac0874801268d12b03262eaa92cad7991541e895512b943afe4595be
                                          • Opcode Fuzzy Hash: 8f80700754df96eba6acb2e28c1c8a7a0783575d9e48dfd6ae5f779a77eba973
                                          • Instruction Fuzzy Hash: BE01BF70800219DFDB14DF99C5047AE7AF5FF44355F14852DE415AB190D7754A84CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fab849e076821df8834b50a089a174e4b7b2a790348dc5221503c6aceeb291c7
                                          • Instruction ID: 8bb4c1f382aeef80041efc4dfa6bd4e7e96bb912861490f04a99a3eac7a15997
                                          • Opcode Fuzzy Hash: fab849e076821df8834b50a089a174e4b7b2a790348dc5221503c6aceeb291c7
                                          • Instruction Fuzzy Hash: 8D01E874E05308CFCB54CFA4C5806DDBBF2AB88325F245569E805AB344C6359D81CF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8c85ca80994cc134e4ad7e97af698c6db9e026ca388a6be833721fc85e43fe36
                                          • Instruction ID: 86adb96904b93feb8a39f60a01ec3deda5d06d29460100cb3239784118291ff4
                                          • Opcode Fuzzy Hash: 8c85ca80994cc134e4ad7e97af698c6db9e026ca388a6be833721fc85e43fe36
                                          • Instruction Fuzzy Hash: 16E06D727041246F5304DB6EEC84C6BBBEEEBCD6B4751813AFA0CCB310DA309C0186A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6265dcdac20612cae66677534fc58885492e452ac9badb0757be2cb98eff06a9
                                          • Instruction ID: f8c666aec1a8c53b1c4bf569f5d61f8b5ef7963d9d0e8e501be26477369dfc74
                                          • Opcode Fuzzy Hash: 6265dcdac20612cae66677534fc58885492e452ac9badb0757be2cb98eff06a9
                                          • Instruction Fuzzy Hash: B901E978D1222C8FCB64EF60E89869DBBB2EB98311F1042D9D409A7354CB344E81CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a2156c332d5577ff57ae820452bd073a307e6a4ad8e298e82b275f7f9f096a66
                                          • Instruction ID: f869f5db149d6f76083e0efeb40a221fdab0329e5aa6a3c706d7712334626e0b
                                          • Opcode Fuzzy Hash: a2156c332d5577ff57ae820452bd073a307e6a4ad8e298e82b275f7f9f096a66
                                          • Instruction Fuzzy Hash: 8101F675E15248CFCB04CFA4C5849DDBFF2AB88311F645569E802AB309D6309981CF24
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf4d3b372f8d67ac25b745052968a1bd6c6361e511a12282b920a95b1861f66b
                                          • Instruction ID: d46b3abc14c13d4b5278e8724bdcff788387afc82472addc2547db068ab92644
                                          • Opcode Fuzzy Hash: cf4d3b372f8d67ac25b745052968a1bd6c6361e511a12282b920a95b1861f66b
                                          • Instruction Fuzzy Hash: B001CC74D0126A8FCB54DF24DD546EDBBB6ABC8305F1046E6D40AA7344DB314E818F65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba2c06dfc08c33add0df8e605db527685455f6110cde5a5443a73edb702c1077
                                          • Instruction ID: 4b11553010ceba8df69ceb7d3f0db1c2b7f08f88bfacf757847b827b22471271
                                          • Opcode Fuzzy Hash: ba2c06dfc08c33add0df8e605db527685455f6110cde5a5443a73edb702c1077
                                          • Instruction Fuzzy Hash: 5EF0DAB0D0420ADFDB44DFA9D845AAEBBF4AB48301F104AA9E518E7340D77496448FE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea826839dc174ffc41f177dffd8f3ed35bf397ed348572af566071ff7c537ce9
                                          • Instruction ID: 4a6f23c067338f4defdfc2d497973076747a259acbc27055b6acd01c86c5c21e
                                          • Opcode Fuzzy Hash: ea826839dc174ffc41f177dffd8f3ed35bf397ed348572af566071ff7c537ce9
                                          • Instruction Fuzzy Hash: 7C01C874D09268CFCB61EF24D89C6A9BBB1BB89301F2046D9D449A7354DB315D81CF15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f32892f165d0203abe2d6998fad84d0775f040e6946f6254b55ff97a93711dc8
                                          • Instruction ID: c6cfc2bdae1bb527ca4712b009831c9538db8db836ad78beaa1f855efa78cfc4
                                          • Opcode Fuzzy Hash: f32892f165d0203abe2d6998fad84d0775f040e6946f6254b55ff97a93711dc8
                                          • Instruction Fuzzy Hash: 6FF05430D1474ACFCB04DFE5D9444ADBBB1FF8A202B109A5EC055AB114EB745540CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e2402a66e06a2b65456ac4dfd792305d4bca35ceec16137341bc6025c448b320
                                          • Instruction ID: 583fd53eb0aaf97281bdaa31cc798353d0a92f0305e7669654d1b62f0e83b27e
                                          • Opcode Fuzzy Hash: e2402a66e06a2b65456ac4dfd792305d4bca35ceec16137341bc6025c448b320
                                          • Instruction Fuzzy Hash: 38E02235A16249DFCB129AB0ED0959A7F74AF11222B00487BDA14CB153D6308459CA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0ccb93dbb7c80fdc14fbec0b5ba527d3e35a3929d4758bf97b7a253c436f4037
                                          • Instruction ID: 40125e09b2101fcc10b029f1da8176b0ae642e54124357fa1c6721059c378b95
                                          • Opcode Fuzzy Hash: 0ccb93dbb7c80fdc14fbec0b5ba527d3e35a3929d4758bf97b7a253c436f4037
                                          • Instruction Fuzzy Hash: 13F0E230D0815C9BCB14CFE8D8052ADBFB0AB8432AF0483C9EC1853741CB310541CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c01a89318c9f1fc2b309c57d4782d8ddd01aff16e98eb30b5d74d0195f4c6c5
                                          • Instruction ID: 8a1dfd0de3225d9ffa6a766b38907c521ae27abb1b45c126d4b606ea9148ded8
                                          • Opcode Fuzzy Hash: 4c01a89318c9f1fc2b309c57d4782d8ddd01aff16e98eb30b5d74d0195f4c6c5
                                          • Instruction Fuzzy Hash: 7DF012349483589FC701EFA8D8056ADBBB0BF0A201F0482EAE8189B222D3716980CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e4214c562a20eb35ae47b3dabee4414a7f6416d5a9788470de20de95a6b1d1e1
                                          • Instruction ID: f0ee97c3f73896beb44fe71c8b7f1326ba320c2f10f5cdcc90e92b26beaa38fb
                                          • Opcode Fuzzy Hash: e4214c562a20eb35ae47b3dabee4414a7f6416d5a9788470de20de95a6b1d1e1
                                          • Instruction Fuzzy Hash: 8CF03A74809358AFCB05DFA8D80069DBFB0FB05315F0082EED854AB212D3705585CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d9704e6d0c781ca6b4fa59cbfa1ac4df043ebe7ab7a7cac8260790e3422e9dd
                                          • Instruction ID: 2dc5996b5679217ac4b312b7769b857ec5fcfa2c908f130fe19e5d13932e2ad7
                                          • Opcode Fuzzy Hash: 1d9704e6d0c781ca6b4fa59cbfa1ac4df043ebe7ab7a7cac8260790e3422e9dd
                                          • Instruction Fuzzy Hash: 16F0A0309093885FC715DBB8D85529DBFB4AF49205F0840EAC589DB252DA705995CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6723aa54db5051d13b04a3a69c60f1948f2e6ee10de403699aba248d629429d8
                                          • Instruction ID: f2c31f784567491d152994b7717fa6b199cb9521087eec32ea6c33c2f555f332
                                          • Opcode Fuzzy Hash: 6723aa54db5051d13b04a3a69c60f1948f2e6ee10de403699aba248d629429d8
                                          • Instruction Fuzzy Hash: 5201ABB8D0462C8FCB39CF64CC856DDBBB1BF49301F0485EADA09A2654DB708A908F95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed66f162da36e69d3e37835737652fda57f93c9b4c6edb3369bba3da2997e7d9
                                          • Instruction ID: 813b007758f3716c6dc16461f057a00cb19eb53779795e82d129a564f17204a7
                                          • Opcode Fuzzy Hash: ed66f162da36e69d3e37835737652fda57f93c9b4c6edb3369bba3da2997e7d9
                                          • Instruction Fuzzy Hash: 91F0C434B00309CFC724CFA4D958AADB7B2FB4A311F10A4A5D40EA7A54CB705E81CF00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52f7cd593e622948df76a717109073f7850ffb2c3a7190cc84d744d4d5fe0e65
                                          • Instruction ID: b53732e94a9d4451515c6ed1168acdb8b624ab1259c338583a3966b146e36e38
                                          • Opcode Fuzzy Hash: 52f7cd593e622948df76a717109073f7850ffb2c3a7190cc84d744d4d5fe0e65
                                          • Instruction Fuzzy Hash: 62F08C70C182489FC725CBA8C48519CBFB0EF86325F2046CAD81987392CB3A1A52CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3bfc4cd21140fad294b95362e56aa28d68193a57dad34fb2f504d603d5c88d7f
                                          • Instruction ID: 47b3f2f842de8ff09836f5b2c99f0466fc29a5832cda4d35d68e016fbab01d22
                                          • Opcode Fuzzy Hash: 3bfc4cd21140fad294b95362e56aa28d68193a57dad34fb2f504d603d5c88d7f
                                          • Instruction Fuzzy Hash: CAF05E31915609CFC710EFE4D5484AEBF70FF49200F005A6CD0967B654EB709154CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 439ad2c6e49cff7efb063c6b93b952996db45cfe6aaef5969443974e65344eab
                                          • Instruction ID: fa65b9097f27756883c28b4846c4426c08c186c0f44f5abaf6b2583a986e4537
                                          • Opcode Fuzzy Hash: 439ad2c6e49cff7efb063c6b93b952996db45cfe6aaef5969443974e65344eab
                                          • Instruction Fuzzy Hash: B5F01570C053189FCB45EFB8E8552AEBBF0FF49305F0086AAC918A7611E7745A81CB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 79f35b624202f6bc64dd8a9b763906d0f33053d381f10c1010fb06f5246f8e29
                                          • Instruction ID: 869632afd41d3f83081e387951d473bfc001551b28676a54ad36815ab7f0e34a
                                          • Opcode Fuzzy Hash: 79f35b624202f6bc64dd8a9b763906d0f33053d381f10c1010fb06f5246f8e29
                                          • Instruction Fuzzy Hash: 29F0EC324493998FC727DB74E455A887FB1FB03225B0407D9D954873A6D7311446CB42
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f2dd40dbc281b559c12c55cefe0aff3abac11890a79a6c1aa8550dfea8afab94
                                          • Instruction ID: db7915683bca824bf32d3e3d92ef70384842b41cda1d8789572abe06e207331a
                                          • Opcode Fuzzy Hash: f2dd40dbc281b559c12c55cefe0aff3abac11890a79a6c1aa8550dfea8afab94
                                          • Instruction Fuzzy Hash: 1AF0F439E122288FDB25EF20D8943ADBBB5BB85202F5059D9E409A7348DA305F80CF21
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1f33fde627bd2ebf76be7994d9484876374744dd7d49d98c93efd274ce38f66f
                                          • Instruction ID: 88d2bccee542ae98f13fcebc0c4d993c59c2c0c0524e8db5526634c8eb5ebf7f
                                          • Opcode Fuzzy Hash: 1f33fde627bd2ebf76be7994d9484876374744dd7d49d98c93efd274ce38f66f
                                          • Instruction Fuzzy Hash: 6BF01778D1122ACFDB14EF21D8587A9BBB1EB94341F1086EAE41AA7344DB305E81CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6ffcbcead756e3c8426a7e28b70a83174ea5775fa868a7174685d5664e76830a
                                          • Instruction ID: abd1e1d5efd8574f09725989bc6e68e825b62b4fdf1f5b4685a7459e70c3018e
                                          • Opcode Fuzzy Hash: 6ffcbcead756e3c8426a7e28b70a83174ea5775fa868a7174685d5664e76830a
                                          • Instruction Fuzzy Hash: 4BF01230D4555A8BCB64DF94CC946DEB376BF84305F208A94D109AB254DB709F87CF88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa6b4a684fd3531c9bdab968b76204aeec80c9d171828d572b194b52617558a3
                                          • Instruction ID: 20f9c205e3041197fb2078fcdc4da173ce1dca6342dbdafff29bb4fa57c85551
                                          • Opcode Fuzzy Hash: aa6b4a684fd3531c9bdab968b76204aeec80c9d171828d572b194b52617558a3
                                          • Instruction Fuzzy Hash: AFF0BD30A4556A8BCB64DF94CC9469EB376BF84315F108AE4C14DA7264DB715F82CF88
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6dd337557d0f914a34a74384409a9f6801be5ceb2498fcc0b54e0b60ab18e24a
                                          • Instruction ID: 08607ef9cf120b11aa5c225d0eb2ad5ceb1e2333182a1afad4507395298a958c
                                          • Opcode Fuzzy Hash: 6dd337557d0f914a34a74384409a9f6801be5ceb2498fcc0b54e0b60ab18e24a
                                          • Instruction Fuzzy Hash: A6E06D30C092489FCB41DFB8D00438C7FB0AF49210F1441EAC804EB251D6344A45DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b1d0662ef52f9b7af25306ae6fdae40f080e6474e429a4f5a0846f3ec19c9c49
                                          • Instruction ID: 75f8b19bf9794bb96e7b8710eb6386ffcc78f56353f1a4efe9c72d68d6f390bf
                                          • Opcode Fuzzy Hash: b1d0662ef52f9b7af25306ae6fdae40f080e6474e429a4f5a0846f3ec19c9c49
                                          • Instruction Fuzzy Hash: ACF07A79D11229CFCB51CFA8CA81A9EBBB1FF48310F108595A409A7315D630AE80CF20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b879a162756340bc5e357909d4073d77c82926f493dd3db773ac679eeba1766
                                          • Instruction ID: e9648081cf5f571d03595d89c92a071c6d1d800c390149986e12bcbdca924054
                                          • Opcode Fuzzy Hash: 6b879a162756340bc5e357909d4073d77c82926f493dd3db773ac679eeba1766
                                          • Instruction Fuzzy Hash: 55F0AF70E12248CFCB44EFE4D48589CBFB6FB88311B209929A406AB798EB715915CF20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 93224554fa218b7662740f10751b5046a61529a5353d5608161b82dbd0197eaa
                                          • Instruction ID: ec787f24eae51f8d77585b4d047a900b3f82367287a190f4e333582b19363535
                                          • Opcode Fuzzy Hash: 93224554fa218b7662740f10751b5046a61529a5353d5608161b82dbd0197eaa
                                          • Instruction Fuzzy Hash: 8BE039308493989FCB56EBB8E81169DBFF0AF86205F0481EFC55896262D2380A44DF42
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77a1fe7ad248e05763bb6ef80ce402b186f8c1b5f517d0ea8e7297254b5102fb
                                          • Instruction ID: 34fd676241f82a51192f90f9047a8db5e5b11448c764ae6feb61a5e9c3aa22f1
                                          • Opcode Fuzzy Hash: 77a1fe7ad248e05763bb6ef80ce402b186f8c1b5f517d0ea8e7297254b5102fb
                                          • Instruction Fuzzy Hash: FAF0A574D0121CDFCB04EFA8D545AAEBBB5FB49301F1086AAE818A7310D7719A51DF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e68ceef849d1ef017ea5d8f40f2de192453d6bd2d6ab751748bd318738bb9dfb
                                          • Instruction ID: 98dcf5f09df611bfe8a0834803fdd37da805ac4c690ab061ade1ab86c9c54f96
                                          • Opcode Fuzzy Hash: e68ceef849d1ef017ea5d8f40f2de192453d6bd2d6ab751748bd318738bb9dfb
                                          • Instruction Fuzzy Hash: FFF0A434A0566A8FCB24DF60CD9869DB7B2FB84301F1089E6C409B7654DB719E81CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 327fd1861c9fe6d5e8d8433b3a27e903fc9589739a7993c44ae8b51fe5d52097
                                          • Instruction ID: 938c76d3eba4b51a82782757eb78a61c59902a3b3f31248c7a0eca0a5b3f6c4a
                                          • Opcode Fuzzy Hash: 327fd1861c9fe6d5e8d8433b3a27e903fc9589739a7993c44ae8b51fe5d52097
                                          • Instruction Fuzzy Hash: 09E0E574D0421D9FCB14EFE4D8416AEFBB0FB84301F004659D92497354D7711951CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d57793ea15251240f0e1b152408312b789a0834a16ac22a7ba0db3ce026d6da5
                                          • Instruction ID: 5ffeae0bc8c4a0b20ef4e083a5872de80a824f2a120883127c6752254af36582
                                          • Opcode Fuzzy Hash: d57793ea15251240f0e1b152408312b789a0834a16ac22a7ba0db3ce026d6da5
                                          • Instruction Fuzzy Hash: 29E0EDB0D0521C9FCB54EFB8D8416AEBBF4BB48301F1086AAD518D7340D7719A51CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5deae83c23842fa5141feab176f0605ef4fddc6f930291deb7449109b9c54784
                                          • Instruction ID: ebc34652dee12f5734f275e28ca77346bf429d5f2a5dec8cba461802c2eae282
                                          • Opcode Fuzzy Hash: 5deae83c23842fa5141feab176f0605ef4fddc6f930291deb7449109b9c54784
                                          • Instruction Fuzzy Hash: A5E03930D49348AFC755EFF8980529CBFB5AB05205F0482EED84897251E3355A94CB82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9f7ffc72e732eb33fa0f455633679d01e5f56ecc4fb119031582f3a48e720f0f
                                          • Instruction ID: 9b3c5bac0d7ef66fdcff7cfa14a7730c8f0409b7f5a10ea2b56cbe5f0de26c63
                                          • Opcode Fuzzy Hash: 9f7ffc72e732eb33fa0f455633679d01e5f56ecc4fb119031582f3a48e720f0f
                                          • Instruction Fuzzy Hash: 31E0C2B4D0121CAFCB54EFE8D8416ADBBB4BB48311F1086AAD818A3340D7719A50CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.885131332.00000000085C0000.00000040.00000001.sdmp, Offset: 085C0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.886407997.00000000087A0000.00000040.00000001.sdmp, Offset: 087A0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: )z;$)z;$k1T$k1T
                                          • API String ID: 0-2644562797
                                          Uniqueness

                                          Uniqueness Score: -1.00%