Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Proof of payment.jpg.scr

Overview

General Information

Sample Name:Proof of payment.jpg.scr (renamed file extension from scr to exe)
Analysis ID:501103
MD5:f16a886b0c04454901ac6d0923297c0e
SHA1:47ed9cbe0c0430444ffd842a231c06a258fe6a5d
SHA256:9f4c690fdf0c329b419eb7cbf02c874dd7be5ec7bb3585a0c94a0aba266604d4
Tags:exenanocore
Infos:

Most interesting Screenshot:

Detection

NanoCore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Proof of payment.jpg.exe (PID: 2940 cmdline: 'C:\Users\user\Desktop\Proof of payment.jpg.exe' MD5: F16A886B0C04454901AC6D0923297C0E)
    • schtasks.exe (PID: 5080 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 2600 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000000.00000002.260632599.00000000028A1000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xf3595:$x1: NanoCore.ClientPluginHost
      • 0x125db5:$x1: NanoCore.ClientPluginHost
      • 0xf35d2:$x2: IClientNetworkHost
      • 0x125df2:$x2: IClientNetworkHost
      • 0xf7105:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0x129925:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xf32fd:$a: NanoCore
        • 0xf330d:$a: NanoCore
        • 0xf3541:$a: NanoCore
        • 0xf3555:$a: NanoCore
        • 0xf3595:$a: NanoCore
        • 0x125b1d:$a: NanoCore
        • 0x125b2d:$a: NanoCore
        • 0x125d61:$a: NanoCore
        • 0x125d75:$a: NanoCore
        • 0x125db5:$a: NanoCore
        • 0xf335c:$b: ClientPlugin
        • 0xf355e:$b: ClientPlugin
        • 0xf359e:$b: ClientPlugin
        • 0x125b7c:$b: ClientPlugin
        • 0x125d7e:$b: ClientPlugin
        • 0x125dbe:$b: ClientPlugin
        • 0xf3483:$c: ProjectData
        • 0x125ca3:$c: ProjectData
        • 0x202a9e:$c: ProjectData
        • 0x27d2be:$c: ProjectData
        • 0xf3e8a:$d: DESCrypto
        Click to see the 1 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.Proof of payment.jpg.exe.3984408.2.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        0.2.Proof of payment.jpg.exe.3984408.2.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xe105:$x1: NanoCore Client.exe
        • 0xe38d:$x2: NanoCore.ClientPluginHost
        • 0xf9c6:$s1: PluginCommand
        • 0xf9ba:$s2: FileCommand
        • 0x1086b:$s3: PipeExists
        • 0x16622:$s4: PipeCreated
        • 0xe3b7:$s5: IClientLoggingHost
        0.2.Proof of payment.jpg.exe.3984408.2.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
          0.2.Proof of payment.jpg.exe.3984408.2.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
          • 0xe0f5:$a: NanoCore
          • 0xe105:$a: NanoCore
          • 0xe339:$a: NanoCore
          • 0xe34d:$a: NanoCore
          • 0xe38d:$a: NanoCore
          • 0xe154:$b: ClientPlugin
          • 0xe356:$b: ClientPlugin
          • 0xe396:$b: ClientPlugin
          • 0xe27b:$c: ProjectData
          • 0xec82:$d: DESCrypto
          • 0x1664e:$e: KeepAlive
          • 0x1463c:$g: LogClientMessage
          • 0x10837:$i: get_Connected
          • 0xefb8:$j: #=q
          • 0xefe8:$j: #=q
          • 0xf004:$j: #=q
          • 0xf034:$j: #=q
          • 0xf050:$j: #=q
          • 0xf06c:$j: #=q
          • 0xf09c:$j: #=q
          • 0xf0b8:$j: #=q
          0.2.Proof of payment.jpg.exe.28a9640.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 3 entries

            Sigma Overview

            AV Detection:

            barindex
            Sigma detected: NanoCoreShow sources
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            E-Banking Fraud:

            barindex
            Sigma detected: NanoCoreShow sources
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            System Summary:

            barindex
            Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
            Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Proof of payment.jpg.exe' , ParentImage: C:\Users\user\Desktop\Proof of payment.jpg.exe, ParentProcessId: 2940, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600
            Sigma detected: Possible Applocker BypassShow sources
            Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Proof of payment.jpg.exe' , ParentImage: C:\Users\user\Desktop\Proof of payment.jpg.exe, ParentProcessId: 2940, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600

            Stealing of Sensitive Information:

            barindex
            Sigma detected: NanoCoreShow sources
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Remote Access Functionality:

            barindex
            Sigma detected: NanoCoreShow sources
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 2600, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpackMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
            Multi AV Scanner detection for domain / URLShow sources
            Source: harold.2waky.comVirustotal: Detection: 14%Perma Link
            Yara detected Nanocore RATShow sources
            Source: Yara matchFile source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY
            Source: Proof of payment.jpg.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
            Source: Proof of payment.jpg.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: harold.accesscam.org
            Source: Malware configuration extractorURLs: harold.2waky.com
            Source: Joe Sandbox ViewASN Name: DATAWIRE-ASCH DATAWIRE-ASCH
            Source: Joe Sandbox ViewIP Address: 185.19.85.137 185.19.85.137
            Source: global trafficTCP traffic: 192.168.2.5:49749 -> 185.19.85.137:6051
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: Proof of payment.jpg.exe, 00000000.00000002.264668051.0000000006A00000.00000004.00020000.sdmpString found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
            Source: Proof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: Proof of payment.jpg.exe, 00000000.00000003.248777304.0000000004D09000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
            Source: Proof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comB.TTFK
            Source: Proof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: Proof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.commN
            Source: Proof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/-tR
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: Proof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnX
            Source: Proof of payment.jpg.exe, 00000000.00000003.243112899.0000000004D04000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cne
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/E
            Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0eb
            Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ana
            Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/v
            Source: Proof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: Proof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com-d
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr2011
            Source: Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krlearn
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000003.241616923.0000000004D1B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: Proof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comc
            Source: Proof of payment.jpg.exe, 00000000.00000003.241594978.0000000004D1B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comj
            Source: Proof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.commN
            Source: Proof of payment.jpg.exe, 00000000.00000003.242010011.0000000004D1B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comymP
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: unknownDNS traffic detected: queries for: harold.accesscam.org
            Source: Proof of payment.jpg.exe, 00000000.00000002.259975282.0000000000828000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            barindex
            Yara detected Nanocore RATShow sources
            Source: Yara matchFile source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Initial sample is a PE file and has a suspicious nameShow sources
            Source: initial sampleStatic PE information: Filename: Proof of payment.jpg.exe
            Source: Proof of payment.jpg.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_001443510_2_00144351
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_001466F90_2_001466F9
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_0252897A0_2_0252897A
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_025201100_2_02520110
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_02522E750_2_02522E75
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_02522E780_2_02522E78
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_025230C00_2_025230C0
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_025201020_2_02520102
            Source: Proof of payment.jpg.exe, 00000000.00000002.259975282.0000000000828000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs Proof of payment.jpg.exe
            Source: Proof of payment.jpg.exe, 00000000.00000002.265029079.0000000006BA0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs Proof of payment.jpg.exe
            Source: Proof of payment.jpg.exe, 00000000.00000002.259658160.00000000001EA000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIdenti.exe4 vs Proof of payment.jpg.exe
            Source: Proof of payment.jpg.exeBinary or memory string: OriginalFilenameIdenti.exe4 vs Proof of payment.jpg.exe
            Source: Proof of payment.jpg.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: eoPqnTxJGg.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Proof of payment.jpg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: eoPqnTxJGg.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile read: C:\Users\user\Desktop\Proof of payment.jpg.exeJump to behavior
            Source: Proof of payment.jpg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Proof of payment.jpg.exe 'C:\Users\user\Desktop\Proof of payment.jpg.exe'
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile created: C:\Users\user\AppData\Roaming\eoPqnTxJGg.exeJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile created: C:\Users\user\AppData\Local\Temp\tmpB6E9.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@6/8@25/2
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ed2d5ce0-ca4d-4264-be01-91a018d59d09}
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4924:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
            Source: Proof of payment.jpg.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Proof of payment.jpg.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

            Data Obfuscation:

            barindex
            .NET source code contains potential unpackerShow sources
            Source: Proof of payment.jpg.exe, WinMixer/frmMain.cs.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: eoPqnTxJGg.exe.0.dr, WinMixer/frmMain.cs.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Proof of payment.jpg.exe.140000.0.unpack, WinMixer/frmMain.cs.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.Proof of payment.jpg.exe.140000.0.unpack, WinMixer/frmMain.cs.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_022529E3 push cs; ret 0_2_022529E6
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_02252477 push esi; ret 0_2_022524DE
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_02252C95 push es; ret 0_2_02252C96
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeCode function: 0_2_02267C5B push ecx; ret 0_2_02267C69
            Source: initial sampleStatic PE information: section name: .text entropy: 7.85777209159
            Source: initial sampleStatic PE information: section name: .text entropy: 7.85777209159
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeFile created: C:\Users\user\AppData\Roaming\eoPqnTxJGg.exeJump to dropped file

            Boot Survival:

            barindex
            Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | deleteJump to behavior
            Uses an obfuscated file name to hide its real file extension (double extension)Show sources
            Source: Possible double extension: jpg.exeStatic PE information: Proof of payment.jpg.exe
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Yara detected AntiVM3Show sources
            Source: Yara matchFile source: 0.2.Proof of payment.jpg.exe.28a9640.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.260632599.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Proof of payment.jpg.exe PID: 2940, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe TID: 4036Thread sleep time: -39648s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exe TID: 5040Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWindow / User API: foregroundWindowGot 716Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWindow / User API: foregroundWindowGot 638Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeThread delayed: delay time: 39648Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: Proof of payment.jpg.exe, 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Writes to foreign memory regionsShow sources
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: FFF008Jump to behavior
            Allocates memory in foreign processesShow sources
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
            Injects a PE file into a foreign processesShow sources
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'Jump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeJump to behavior
            Source: RegSvcs.exe, 00000006.00000003.366721485.000000000659E000.00000004.00000001.sdmpBinary or memory string: Program Manager
            Source: RegSvcs.exe, 00000006.00000003.399886156.0000000006596000.00000004.00000001.sdmpBinary or memory string: Program ManagerbR
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Proof of payment.jpg.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

            Stealing of Sensitive Information:

            barindex
            Yara detected Nanocore RATShow sources
            Source: Yara matchFile source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected Nanocore RATShow sources
            Source: Yara matchFile source: 0.2.Proof of payment.jpg.exe.3984408.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Proof of payment.jpg.exe.3984408.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation1Scheduled Task/Job1Process Injection312Masquerading11Input Capture1Security Software Discovery111Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Disable or Modify Tools1LSASS MemoryProcess Discovery1Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion21Security Account ManagerVirtualization/Sandbox Evasion21SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection312NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptHidden Files and Directories1LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information12Cached Domain CredentialsFile and Directory Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing12DCSyncSystem Information Discovery12Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            harold.2waky.com15%VirustotalBrowse
            harold.accesscam.org5%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://www.fontbureau.comB.TTFK0%Avira URL Cloudsafe
            http://www.tiro.comymP0%Avira URL Cloudsafe
            http://www.fonts.commN0%Avira URL Cloudsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.sandoll.co.kr20110%Avira URL Cloudsafe
            http://www.founder.com.cn/cnX0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.founder.com.cn/cn/-tR0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/E0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
            http://www.sajatypeworks.com-d0%Avira URL Cloudsafe
            http://www.collada.org/2005/11/COLLADASchema9Done0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.tiro.commN0%Avira URL Cloudsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.founder.com.cn/cn/0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/v0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y0eb0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/ana0%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.tiro.comj0%Avira URL Cloudsafe
            harold.accesscam.org0%Avira URL Cloudsafe
            harold.2waky.com0%Avira URL Cloudsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sandoll.co.krlearn0%Avira URL Cloudsafe
            http://www.tiro.comc0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.founder.com.cn/cne0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            harold.2waky.com
            		185.19.85.137
            		truetrueunknown
            harold.accesscam.org
            		unknown
            		unknowntrueunknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            harold.accesscam.orgtrue
            • Avira URL Cloud: safe
            		unknown
            harold.2waky.comtrue
            • Avira URL Cloud: safe
            		unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://www.apache.org/licenses/LICENSE-2.0Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
              		high
              http://www.fontbureau.comProof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmpfalse
                		high
                http://www.fontbureau.com/designersGProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                  		high
                  http://www.fontbureau.comB.TTFKProof of payment.jpg.exe, 00000000.00000002.263123119.0000000004D00000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.tiro.comymPProof of payment.jpg.exe, 00000000.00000003.242010011.0000000004D1B000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.fonts.commNProof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.fontbureau.com/designers/?Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                    		high
                    http://www.founder.com.cn/cn/bTheProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.sandoll.co.kr2011Proof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.fontbureau.com/designers?Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                      		high
                      http://www.founder.com.cn/cnXProof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.tiro.comProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000003.241616923.0000000004D1B000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.founder.com.cn/cn/-tRProof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/EProof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designersProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                        		high
                        http://www.goodfont.co.krProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.jiyu-kobo.co.jp/jp/Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.sajatypeworks.com-dProof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.collada.org/2005/11/COLLADASchema9DoneProof of payment.jpg.exe, 00000000.00000002.264668051.0000000006A00000.00000004.00020000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.carterandcone.comlProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.tiro.commNProof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.sajatypeworks.comProof of payment.jpg.exe, 00000000.00000003.241291311.0000000004D23000.00000004.00000001.sdmp, Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.founder.com.cn/cn/Proof of payment.jpg.exe, 00000000.00000003.243543510.0000000004D04000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.typography.netDProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers/cabarga.htmlNProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn/cTheProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.galapagosdesign.com/staff/dennis.htmProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://fontfabrik.comProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.founder.com.cn/cnProof of payment.jpg.exe, 00000000.00000003.243088979.0000000004D3D000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers/frere-jones.htmlProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                            		high
                            http://www.jiyu-kobo.co.jp/vProof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/Y0ebProof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/Proof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/anaProof of payment.jpg.exe, 00000000.00000003.245639707.0000000004D04000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.galapagosdesign.com/DPleaseProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers8Proof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                              		high
                              http://www.tiro.comjProof of payment.jpg.exe, 00000000.00000003.241594978.0000000004D1B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fonts.comProof of payment.jpg.exe, 00000000.00000003.241428385.0000000004D1B000.00000004.00000001.sdmpfalse
                                		high
                                http://www.sandoll.co.krProof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deDPleaseProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.zhongyicts.com.cnProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sandoll.co.krlearnProof of payment.jpg.exe, 00000000.00000003.242260150.0000000004D09000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.tiro.comcProof of payment.jpg.exe, 00000000.00000003.241635617.0000000004D1B000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sakkal.comProof of payment.jpg.exe, 00000000.00000002.263636679.0000000005F12000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designerstProof of payment.jpg.exe, 00000000.00000003.248777304.0000000004D09000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.founder.com.cn/cneProof of payment.jpg.exe, 00000000.00000003.243112899.0000000004D04000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown

                                  Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public

                                  IPDomainCountryFlagASNASN NameMalicious
                                  185.19.85.137
                                  		harold.2waky.comSwitzerland
                                  		48971DATAWIRE-ASCHtrue

                                  Private

                                  IP
                                  192.168.2.1

                                  General Information

                                  Joe Sandbox Version:33.0.0 White Diamond
                                  Analysis ID:501103
                                  Start date:12.10.2021
                                  Start time:15:08:19
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 7m 49s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Sample file name:Proof of payment.jpg.scr (renamed file extension from scr to exe)
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed:26
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@6/8@25/2
                                  EGA Information:Failed
                                  HDC Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 99%
                                  • Number of executed functions: 147
                                  • Number of non-executed functions: 5
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  Warnings:
                                  Show All
                                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 23.203.141.148, 95.100.216.89, 20.82.210.154, 40.112.88.60, 20.82.209.104, 2.20.178.24, 2.20.178.33
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  15:09:23API Interceptor1x Sleep call for process: Proof of payment.jpg.exe modified
                                  15:09:27API Interceptor933x Sleep call for process: RegSvcs.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                  185.19.85.137Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                    Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                      PROFORMA INVOICE 20210823.pdf.exeGet hashmaliciousBrowse
                                        New Proforma Invoice20210630.xlxs.exeGet hashmaliciousBrowse
                                          Proforma Invoice20210625.pdf.exeGet hashmaliciousBrowse
                                            PcdEZG6zDS.exeGet hashmaliciousBrowse
                                              sfTZCyMKuC.exeGet hashmaliciousBrowse

                                                Domains

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                harold.2waky.comProof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                                • 185.19.85.137
                                                Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                                • 185.19.85.137
                                                HxXHmM0T9f.exeGet hashmaliciousBrowse
                                                • 23.146.242.147
                                                Request For Quotation.jarGet hashmaliciousBrowse
                                                • 23.146.242.147
                                                QUOTE.exeGet hashmaliciousBrowse
                                                • 194.5.98.5
                                                Payment proof.jpg.exeGet hashmaliciousBrowse
                                                • 194.5.98.5
                                                Proof Of Payment.jpg.exeGet hashmaliciousBrowse
                                                • 194.5.98.5
                                                Proof of payment.pdf.exeGet hashmaliciousBrowse
                                                • 194.5.98.5
                                                Payment.pdf.exeGet hashmaliciousBrowse
                                                • 91.193.75.29
                                                Payment Confirmation.exeGet hashmaliciousBrowse
                                                • 185.165.153.213

                                                ASN

                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                DATAWIRE-ASCHMT103 10.11.pdf.exeGet hashmaliciousBrowse
                                                • 185.19.85.136
                                                dAkJsQr7A9.exeGet hashmaliciousBrowse
                                                • 185.19.85.175
                                                GIV PO 00254.xls.exeGet hashmaliciousBrowse
                                                • 185.19.85.136
                                                dUzAkYsvl8.exeGet hashmaliciousBrowse
                                                • 185.19.85.175
                                                BL & INVOICE.exeGet hashmaliciousBrowse
                                                • 185.19.85.171
                                                Routing Details.vbsGet hashmaliciousBrowse
                                                • 185.19.85.170
                                                Nueva orden #7624.xls.exeGet hashmaliciousBrowse
                                                • 185.19.85.136
                                                voo7b2BBq6.exeGet hashmaliciousBrowse
                                                • 185.19.85.175
                                                xmsGPH324z.exeGet hashmaliciousBrowse
                                                • 185.19.85.175
                                                dVWsghK4Aj.exeGet hashmaliciousBrowse
                                                • 185.19.85.175
                                                Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                                • 185.19.85.137
                                                ShippingDocs.exeGet hashmaliciousBrowse
                                                • 185.19.85.171
                                                2E9xpfvD2O.exeGet hashmaliciousBrowse
                                                • 185.19.85.175
                                                Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                                • 185.19.85.137
                                                uF74GlbXPc.exeGet hashmaliciousBrowse
                                                • 185.19.85.175
                                                jFjTeUfek3.exeGet hashmaliciousBrowse
                                                • 185.19.85.175
                                                Q7DYDgQhKp.exeGet hashmaliciousBrowse
                                                • 185.19.85.175
                                                USD31000.exeGet hashmaliciousBrowse
                                                • 185.19.85.171
                                                32000USD_Swift.exeGet hashmaliciousBrowse
                                                • 185.19.85.171
                                                dlDGpRFSEo.exeGet hashmaliciousBrowse
                                                • 185.19.85.175

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Proof of payment.jpg.exe.log
                                                Process:C:\Users\user\Desktop\Proof of payment.jpg.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):525
                                                Entropy (8bit):5.2874233355119316
                                                Encrypted:false
                                                SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                Malicious:false
                                                Reputation:high, very likely benign file
                                                Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp
                                                Process:C:\Users\user\Desktop\Proof of payment.jpg.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1647
                                                Entropy (8bit):5.171887955431004
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBetn:cbhC7ZlNQF/rydbz9I3YODOLNdq3C
                                                MD5:1358393D4D1CFCCE7BD6823A860F20B2
                                                SHA1:E513A17C19EB5C677435DC73C2533D2A7C52B59F
                                                SHA-256:66F6CF12179F5F9B8305C4A927D4084B553D9E90166D0D1B1056925D34A9B982
                                                SHA-512:DA7612128A91DA3B7EA8FB4571F99ACF2BC3BEC2ACD99A2EB73EC563DE9BD2349B8C7CF4A93A8389A6778D0C1537D8ECED2FF8DD6580AA8D506ADDDB69B7AE04
                                                Malicious:true
                                                Reputation:low
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1392
                                                Entropy (8bit):7.089541637477408
                                                Encrypted:false
                                                SSDEEP:24:IQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4l:IknjhUknjhUknjhUknjhUknjhUknjhL
                                                MD5:5E3C10DCF7AAB1A5E4671C3AD52D9BD2
                                                SHA1:7DE7F5ACAED711BC35E62756D1440E80262D85D1
                                                SHA-256:B9EB9E732F6204735FFB2C9A6EC8F077E4B4F31E57E336199D22278EAD8412F9
                                                SHA-512:00252F19A1D0098FEBC78231182FAD57A66390077C0C462C94950D7CA02D53A7B7D692B4D7E718DF2708C1F7919CCB29837A2309E3BEFD2D585FF0C049E5FEB3
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8
                                                Entropy (8bit):3.0
                                                Encrypted:false
                                                SSDEEP:3:98:y
                                                MD5:108FC92C1878B6BB04738FB9430AD1A0
                                                SHA1:030EF679702BA4AC7629B9D6D3980231F35CE18C
                                                SHA-256:FB9CF8B94C82519C911F1EE89763BF9EDFE05EAC3FDBF7A09229E6BE9AD2DCE2
                                                SHA-512:1C39811250792C91A1418A424081A627D5032F33F90B3B37EC24824E4BD040EC36C197C628C13B700F6435164339DE77CFB8497476A9E16B4760AF9ECC85A823
                                                Malicious:true
                                                Reputation:low
                                                Preview: ......H
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):40
                                                Entropy (8bit):5.153055907333276
                                                Encrypted:false
                                                SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                MD5:4E5E92E2369688041CC82EF9650EDED2
                                                SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                Malicious:false
                                                Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):426832
                                                Entropy (8bit):7.999527918131335
                                                Encrypted:true
                                                SSDEEP:6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
                                                MD5:653DDDCB6C89F6EC51F3DDC0053C5914
                                                SHA1:4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
                                                SHA-256:83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
                                                SHA-512:27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
                                                Malicious:false
                                                Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..
                                                C:\Users\user\AppData\Roaming\eoPqnTxJGg.exe
                                                Process:C:\Users\user\Desktop\Proof of payment.jpg.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):686080
                                                Entropy (8bit):7.645401121666266
                                                Encrypted:false
                                                SSDEEP:12288:6MbSB2Fio+a+k09R8Yrt2JX6RaaALVlQ9UfHRkkPG0r5PSsPa23rEG0r5FbnVe:6JBcio+a+ki3VRaaALPhfHRtPG0rpSsQ
                                                MD5:F16A886B0C04454901AC6D0923297C0E
                                                SHA1:47ED9CBE0C0430444FFD842A231C06A258FE6A5D
                                                SHA-256:9F4C690FDF0C329B419EB7CBF02C874DD7BE5EC7BB3585A0C94A0ABA266604D4
                                                SHA-512:E60A04F86083603CAC82F970552C0031FD52A9CBC7293BA873427D45FBEDFEB13284126BF28EB01692B9C4DA81B26D9146DB7C9F6630A2455E9F32D15183CAEB
                                                Malicious:false
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....iea..............0.................. ... ....@.. ....................................@.....................................O.... .. ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... .... ......................@..@.reloc...............v..............@..B........................H........_...P......}.......U...........................................0..4..........K......r...p...r...p.......,.......+.........+..*.0..F..........+6...........................o.........,.r!..ps....z..X....i....-.*...0..d..........+N..+8.....(.......(...............o.........,.r!..ps....z..X....o........-...X....o..........-.*.0.............+j..+R..+:......(........(...............o.........,.r!..ps....z..X....o..........-...X....o..........-...X....o..........-.*".(.....
                                                C:\Users\user\AppData\Roaming\eoPqnTxJGg.exe:Zone.Identifier
                                                Process:C:\Users\user\Desktop\Proof of payment.jpg.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:false
                                                Preview: [ZoneTransfer]....ZoneId=0

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.645401121666266
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:Proof of payment.jpg.exe
                                                File size:686080
                                                MD5:f16a886b0c04454901ac6d0923297c0e
                                                SHA1:47ed9cbe0c0430444ffd842a231c06a258fe6a5d
                                                SHA256:9f4c690fdf0c329b419eb7cbf02c874dd7be5ec7bb3585a0c94a0aba266604d4
                                                SHA512:e60a04f86083603cac82f970552c0031fd52a9cbc7293ba873427d45fbedfeb13284126bf28eb01692b9c4da81b26d9146db7c9f6630a2455e9f32d15183caeb
                                                SSDEEP:12288:6MbSB2Fio+a+k09R8Yrt2JX6RaaALVlQ9UfHRkkPG0r5PSsPa23rEG0r5FbnVe:6JBcio+a+ki3VRaaALPhfHRtPG0rpSsQ
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....iea..............0.................. ... ....@.. ....................................@................................

                                                File Icon

                                                Icon Hash:0089c5cd91810189

                                                Static PE Info

                                                General

                                                Entrypoint:0x49052e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x616569F4 [Tue Oct 12 10:56:52 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v2.0.50727
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                fcom dword ptr [edx+00h]
                                                add bl, ah
                                                movsd
                                                add byte ptr [eax], al
                                                pop esp
                                                stc
                                                add byte ptr [eax], al
                                                pop ecx
                                                dec ebp
                                                add dword ptr [eax], eax
                                                push es
                                                mov byte ptr [F7630001h], al
                                                add dword ptr [eax], eax
                                                mov dword ptr [ebp+02h], ecx
                                                add byte ptr [ebp-5Ch], bl
                                                add al, byte ptr [eax]

                                                Data Directories

                                                NameVirtual AddressVirtual Size Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT0x904dc0x4f.text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x920000x18a20.rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xac0000xc.reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                Sections

                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                .text0x20000x8e61c0x8e800False0.924275287829data7.85777209159IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rsrc0x920000x18a200x18c00False0.377426609848data5.45184475744IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc0xac0000xc0x200False0.044921875data0.0815394123432IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                NameRVASizeTypeLanguageCountry
                                                RT_ICON0x921a80x468GLS_BINARY_LSB_FIRST
                                                RT_ICON0x926100x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                                RT_ICON0x968380x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                                RT_ICON0x978e00x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                                RT_ICON0x99e880x10828data
                                                RT_GROUP_ICON0xaa6b00x4cdata
                                                RT_VERSION0xaa6fc0x324data

                                                Imports

                                                DLLImport
                                                mscoree.dll_CorExeMain

                                                Version Infos

                                                DescriptionData
                                                Translation0x0000 0x04b0
                                                LegalCopyrightCopyright 2018 - 2021
                                                Assembly Version4.0.2.0
                                                InternalNameIdenti.exe
                                                FileVersion4.0.2.0
                                                CompanyName
                                                LegalTrademarks
                                                Comments
                                                ProductNameWin Mixer
                                                ProductVersion4.0.2.0
                                                FileDescriptionWin Mixer
                                                OriginalFilenameIdenti.exe

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Oct 12, 2021 15:09:42.797943115 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:42.920711040 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:42.922166109 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:43.290159941 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:43.418488979 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:43.418653011 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:43.599528074 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:43.599596977 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:43.713545084 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:43.713640928 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:43.873142958 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:43.873290062 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.063312054 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.063399076 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.063857079 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.063918114 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.064035892 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.064054012 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.064171076 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.064471960 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.064531088 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.177896976 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.177962065 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.178000927 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.178040028 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.178268909 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.178556919 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.178606033 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.178626060 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.178792953 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.178864002 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.179075956 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.179183960 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.179264069 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.179332018 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.179467916 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.179519892 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.293198109 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.293242931 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.293355942 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.294009924 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.294037104 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.294059992 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.294075012 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.294131041 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.294166088 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.294502974 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.294558048 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.297152042 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.297179937 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.297210932 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.297243118 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.297348022 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.297415018 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.297553062 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.297624111 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.297636032 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.297663927 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.297725916 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.297882080 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.297940016 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.298048019 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.298083067 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.298135996 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.415673018 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.415796041 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.416903019 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.416977882 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.417202950 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.417313099 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.417380095 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.417463064 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.417704105 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.419178009 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419285059 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419365883 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.419431925 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419595003 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419629097 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419667006 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.419688940 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.419800997 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.419960022 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420026064 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.420130968 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420237064 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420258045 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.420295954 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.420325994 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420382023 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.420391083 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420551062 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.420610905 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.421951056 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.422116995 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.422167063 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.422184944 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.422246933 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.422281027 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.422337055 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.424104929 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.424161911 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.424253941 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.424318075 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.424369097 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.424474001 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.424484968 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.424535990 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.424563885 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.424649954 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.424711943 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.424801111 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.424916029 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.424972057 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.425076962 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.425174952 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.425225973 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.425260067 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.425311089 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.527405024 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.527503967 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.527623892 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.528465986 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.528625965 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.528712988 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.530313969 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.530708075 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.530778885 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.531070948 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.531227112 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.531306028 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.531337976 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.531472921 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.531521082 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.531644106 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.531768084 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.531816006 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.531877041 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.531991959 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.532047987 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.537818909 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.537883997 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.538108110 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.538167953 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.542829990 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.542891026 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.542900085 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.542943954 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.543165922 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.543297052 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.543353081 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.543359995 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.543392897 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.543631077 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.543677092 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.543690920 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.543720961 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.543744087 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.543777943 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.543788910 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.543894053 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.543947935 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.544090986 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.544186115 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.544238091 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.544327974 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.544497013 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.544550896 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.544573069 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.544603109 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.544683933 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.544739962 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.544785976 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.544828892 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.544891119 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.545093060 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.545140982 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.545207024 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.545315027 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.545357943 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.545435905 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.545505047 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.545557022 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.545654058 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.545696020 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.545746088 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.545869112 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.545964956 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.546025991 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.546065092 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.546120882 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.546169996 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.546219110 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.546266079 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.546338081 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.546390057 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.546478033 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.546506882 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.546649933 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.546693087 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.546751022 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.546814919 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.546847105 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.546904087 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.644546032 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.644582033 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.644654989 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.644735098 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.645263910 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.645286083 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.645361900 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.647166014 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.647198915 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.647315979 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.647353888 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.647814035 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.648109913 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.648184061 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.648185015 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.648245096 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.648281097 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.648333073 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.648843050 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.648929119 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.649396896 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.649580002 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.649655104 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.649668932 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.649713039 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.651066065 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.651124954 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.651186943 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.661178112 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.661231995 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.661322117 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.661374092 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.661514044 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.661571026 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.661616087 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.661674023 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.661789894 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.661818027 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.661871910 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.661907911 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.661910057 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.661961079 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.662038088 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.662087917 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.662166119 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.662208080 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.662323952 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.662435055 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.662478924 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.662555933 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.662693977 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.662719965 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.662735939 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.662887096 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.662926912 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.663587093 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.663826942 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.670185089 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.670337915 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.671987057 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.672015905 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.672086000 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.672154903 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.672203064 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.672254086 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.672314882 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.672430038 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.672489882 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.672580004 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.672771931 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.672822952 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.672827005 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.672970057 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.673016071 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.673090935 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.673146963 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.673194885 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.673306942 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.673433065 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.673485994 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.673547983 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.673938036 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.674778938 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.674828053 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.756341934 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.756453037 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.756804943 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.756855011 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.756908894 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.756926060 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.757246971 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.762568951 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.762636900 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.762687922 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.762764931 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.765125990 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.765188932 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.765217066 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.765269041 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.765325069 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.765366077 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.766928911 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.766993046 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.767015934 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.767091036 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.767144918 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.767208099 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.767268896 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.767335892 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.767369986 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.767417908 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.767488956 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.767549038 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.767618895 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.767694950 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.776154995 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.776238918 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.776272058 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.776326895 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.776396990 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.776714087 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.776789904 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.776931047 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.777014017 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.778546095 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.781307936 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.783904076 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.784122944 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.784193993 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.784262896 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.784379005 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.784429073 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.784451008 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.784485102 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.784498930 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.784548998 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.784571886 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.784599066 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.784620047 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.784656048 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.784689903 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.784745932 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.784753084 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.784823895 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.784913063 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.784982920 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.784992933 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.785104036 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.785356045 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.785408020 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.785439968 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.785458088 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.785608053 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.785667896 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.795759916 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795783043 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795795918 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795809031 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795821905 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795835972 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795849085 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795861959 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795871973 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.795874119 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795886993 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795898914 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795943975 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.795989037 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.795994043 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.796000004 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.796006918 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.796022892 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.796053886 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.796083927 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.796258926 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.796345949 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.796418905 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.796490908 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.796677113 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.796701908 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.796722889 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.796746016 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.796768904 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.796786070 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.796808958 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.796855927 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.796907902 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.796945095 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.797108889 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.797169924 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.797182083 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.797243118 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.797369003 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.797449112 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.797553062 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.797662973 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.797698021 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.797728062 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.797755003 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.797918081 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.798007011 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.798067093 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.819873095 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.868834019 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.868948936 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.869165897 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.869282007 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.869338989 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.869395971 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.869467974 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.869916916 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.869990110 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.869991064 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.870043993 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.870146990 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.870217085 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.870513916 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.870579004 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.874593973 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.874643087 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.874674082 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.874707937 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.874742985 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.875108957 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.875206947 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.878724098 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.878837109 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.878859043 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.878905058 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.886603117 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.886701107 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.886718988 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.886764050 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.886993885 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.887058973 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.887269974 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.887444973 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.887677908 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.887717962 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.887814999 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.887837887 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.887962103 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.888020992 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.889538050 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.889592886 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.889657021 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.889760971 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.889776945 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.889873981 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.890161037 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.890260935 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.891295910 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.891367912 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.891618967 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.892256975 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.892299891 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.892342091 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.892359972 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.892383099 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.892401934 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.892421007 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.892446995 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.892471075 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.896418095 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.896470070 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.896531105 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.898092985 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.898156881 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.898236036 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.898292065 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.898463964 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.898514032 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.898544073 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.898588896 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.898621082 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.898667097 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.898688078 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.898756981 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.898823977 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.898935080 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.898964882 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.898988008 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.899133921 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.899518013 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.899601936 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.904232025 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.904376984 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:44.904447079 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:44.979556084 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:45.027458906 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:45.051281929 CEST605149749185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:45.054096937 CEST497496051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:49.171668053 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:49.286825895 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:49.288655043 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:49.527148008 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:49.657870054 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:49.657995939 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:49.821489096 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:49.821640015 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:49.934113979 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:49.935033083 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:50.094407082 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:50.094537020 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:50.256057978 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:50.256959915 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:50.340394974 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:50.368597031 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:50.370614052 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:50.483799934 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:50.532603025 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:50.715969086 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:50.881007910 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:50.881154060 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:50.993572950 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:50.994273901 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:51.105843067 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:51.157660961 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:51.874011040 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:52.037183046 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:52.037394047 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:52.199485064 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:52.199583054 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:52.367518902 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:52.367593050 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:52.531276941 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:52.531375885 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:52.627192020 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:52.693443060 CEST605149752185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:52.693587065 CEST497526051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:56.934473991 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:57.045636892 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:57.051258087 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:57.123075008 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:57.251605988 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:57.252012968 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:57.365926027 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:57.366116047 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:57.673782110 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:57.725893974 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:57.726006985 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:58.017594099 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:58.324570894 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:58.324821949 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:58.627055883 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:59.190222025 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:59.355153084 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:59.355222940 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:59.355248928 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:59.355288029 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:59.355434895 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:59.355499983 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:59.512058973 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:59.512200117 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:59.518150091 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:59.518263102 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:09:59.518307924 CEST605149753185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:09:59.518377066 CEST497536051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:03.379385948 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:03.490664005 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:03.490828037 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:03.600253105 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:03.732084990 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:03.732197046 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:03.894583941 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:03.894716978 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:04.006520987 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:04.006664038 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:04.186347008 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:04.186458111 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:04.347769976 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:04.347897053 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:04.435592890 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:04.459297895 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:04.462240934 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:04.573909044 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:04.574002028 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:04.735554934 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:04.735759020 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:04.848766088 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:04.867182016 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:04.978497028 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:04.978617907 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:05.141063929 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:05.141185045 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:05.305958986 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:05.306041002 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:05.468054056 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:05.468132973 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:05.596762896 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:05.629964113 CEST605149754185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:05.630141020 CEST497546051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:10.004836082 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:10.122773886 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:10.123172045 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:10.123605967 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:10.252394915 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:10.252794027 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:10.416295052 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:10.416388035 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:10.528645039 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:10.528780937 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:10.691432953 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:10.691625118 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:10.857781887 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:10.857920885 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:10.949207067 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:10.949318886 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:10.969558954 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:11.018824100 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:11.061376095 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:11.061651945 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:11.224772930 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:11.224904060 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:11.336694956 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:11.336796999 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:11.448084116 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:11.448204041 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:11.617932081 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:11.618052006 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:11.628019094 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:11.675033092 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:11.775767088 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:11.775954008 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:11.933828115 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:11.933887959 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:12.097739935 CEST605149767185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:12.097821951 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:12.144480944 CEST497676051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:16.240196943 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:16.353836060 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:16.354322910 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:16.408765078 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:16.573621988 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:16.573800087 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:16.925723076 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:16.927973032 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:16.928145885 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:17.316101074 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:17.584038973 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:17.584453106 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:18.004957914 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:18.447549105 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:18.447572947 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:18.447590113 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:18.448096037 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:18.448203087 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:18.448839903 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:18.492949963 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:18.607508898 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:18.607738018 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:18.660414934 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:18.775599003 CEST605149782185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:18.775667906 CEST497826051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:22.751681089 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:22.964544058 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:22.964705944 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:23.037547112 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:23.258943081 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:23.259047031 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:23.466201067 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:23.467386007 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:23.579423904 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:23.580528021 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:23.751121998 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:23.757819891 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:23.923154116 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:23.931689978 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:24.015712976 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:24.015815020 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:24.069796085 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:24.113583088 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:24.245755911 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:24.247719049 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:24.418062925 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:24.418271065 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:24.585050106 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:24.585150003 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:24.833890915 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:24.836004019 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:24.997175932 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:24.997245073 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:25.114332914 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:25.159457922 CEST605149785185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:25.159622908 CEST497856051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:29.359496117 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:29.595645905 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:29.595887899 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:29.611779928 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:29.829651117 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:29.829802990 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:30.055855989 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:30.056027889 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:30.173058987 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:30.173222065 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:30.345599890 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:30.345709085 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:30.558717012 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:30.559051037 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:30.627849102 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:30.676609993 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:30.730411053 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:30.730540037 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:30.935765028 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:30.936501026 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:31.051441908 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:31.051805019 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:31.164180040 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:31.207942009 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:31.275199890 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:31.441488028 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:31.441823959 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:31.603724957 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:31.605175972 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:31.766366959 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:31.766616106 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:31.923986912 CEST605149793185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:31.993710995 CEST497936051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:36.456007004 CEST497946051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:36.571216106 CEST605149794185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:36.571535110 CEST497946051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:36.572480917 CEST497946051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:36.705863953 CEST605149794185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:36.705996037 CEST497946051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:36.933773041 CEST605149794185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:36.933942080 CEST497946051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:37.317764044 CEST497946051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:37.739726067 CEST497946051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:38.429887056 CEST497946051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:38.486964941 CEST605149794185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:38.487221003 CEST497946051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:38.504414082 CEST605149794185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:38.504560947 CEST497946051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:42.533628941 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:42.664105892 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:42.664262056 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:42.665373087 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:42.821649075 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:42.821892023 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:43.009154081 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:43.009262085 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:43.133742094 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:43.133862019 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:43.310260057 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:43.310344934 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:43.539349079 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:43.541261911 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:43.612831116 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:43.662060022 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:43.720354080 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:43.720623016 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:43.912377119 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:43.912595987 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:44.024441957 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:44.024626017 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:44.164186001 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:44.164321899 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:44.384378910 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:44.384602070 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:44.475311041 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:44.619440079 CEST605149795185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:44.619587898 CEST497956051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:48.545355082 CEST497966051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:48.765073061 CEST605149796185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:48.765315056 CEST497966051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:48.766046047 CEST497966051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:49.287528038 CEST497966051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:49.978816986 CEST497966051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:50.555800915 CEST605149796185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:50.555988073 CEST497966051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:50.578702927 CEST605149796185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:50.579418898 CEST605149796185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:50.579850912 CEST497966051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:50.616318941 CEST497966051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:50.752064943 CEST605149796185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:50.752094984 CEST605149796185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:50.752162933 CEST497966051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:50.752326012 CEST497966051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:54.680573940 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:54.793234110 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:54.793448925 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:54.794352055 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:54.924336910 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:54.924493074 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:55.089050055 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:55.089282036 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:55.209006071 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:55.209245920 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:55.373881102 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:55.374080896 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:55.538582087 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:55.538727045 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:55.643889904 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:55.651421070 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:55.651545048 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:55.783076048 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:55.783184052 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:56.021264076 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:56.021397114 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:56.219953060 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:56.220035076 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:56.420312881 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:56.420551062 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:56.639746904 CEST605149797185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:10:56.639820099 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:10:56.648406029 CEST497976051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:00.731512070 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:00.897691011 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:00.897893906 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:00.898726940 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:01.073038101 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:01.073184967 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:01.256000996 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:01.256118059 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:01.382878065 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:01.398555994 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:01.556651115 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:01.556729078 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:01.653197050 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:01.653264999 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:01.690093994 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:01.690208912 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:01.786247969 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:01.786314964 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:01.861617088 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:01.861721992 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:01.976133108 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:01.976248026 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:02.017420053 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:02.069981098 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:02.145791054 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:02.145986080 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:02.430113077 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:02.430296898 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:02.647643089 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:02.647886038 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:02.727238894 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:02.816324949 CEST605149799185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:02.816596031 CEST497996051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:06.801208019 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:08.628154039 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:08.631519079 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:08.632342100 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:08.809389114 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:08.809680939 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:09.029993057 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:09.030195951 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:09.190560102 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:09.190650940 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:09.359047890 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:09.359222889 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:09.542699099 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:09.542929888 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:09.657999992 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:09.697971106 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:09.698240995 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:09.873246908 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:09.873568058 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:10.125878096 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:10.126135111 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:10.300056934 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:10.300213099 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:10.503695011 CEST605149803185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:10.555047989 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:10.576827049 CEST498036051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:14.649756908 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:14.825618029 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:14.825747967 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:14.826967955 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:15.052045107 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:15.052150011 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:15.251110077 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:15.251267910 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:15.378901958 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:15.379189968 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:15.567882061 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:15.568083048 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:15.788439035 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:15.788527966 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:15.889532089 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:15.889671087 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:15.959712982 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:15.959953070 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:16.083787918 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:16.084136963 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:16.195914030 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:16.196264029 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:16.350101948 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:16.352221012 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:16.631771088 CEST605149804185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:16.632049084 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:16.665971041 CEST498046051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:20.989744902 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:21.174612045 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:21.174796104 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:21.175261021 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:21.376516104 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:21.376777887 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:21.496217966 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:21.540421009 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:21.697952032 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:21.698666096 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:21.930402994 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:22.012367964 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:22.012794971 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:22.160481930 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:22.166707993 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:22.322103977 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:22.322248936 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:22.466484070 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:22.509183884 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:24.014774084 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:24.056235075 CEST498056051192.168.2.5185.19.85.137
                                                Oct 12, 2021 15:11:26.500217915 CEST605149805185.19.85.137192.168.2.5
                                                Oct 12, 2021 15:11:26.556329012 CEST498056051192.168.2.5185.19.85.137

                                                UDP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Oct 12, 2021 15:09:28.581779003 CEST6206053192.168.2.58.8.8.8
                                                Oct 12, 2021 15:09:28.717128992 CEST53620608.8.8.8192.168.2.5
                                                Oct 12, 2021 15:09:28.994478941 CEST6180553192.168.2.58.8.4.4
                                                Oct 12, 2021 15:09:29.173227072 CEST53618058.8.4.4192.168.2.5
                                                Oct 12, 2021 15:09:29.297355890 CEST5479553192.168.2.58.8.8.8
                                                Oct 12, 2021 15:09:29.320130110 CEST53547958.8.8.8192.168.2.5
                                                Oct 12, 2021 15:09:34.137134075 CEST4955753192.168.2.58.8.8.8
                                                Oct 12, 2021 15:09:34.156547070 CEST53495578.8.8.8192.168.2.5
                                                Oct 12, 2021 15:09:34.171382904 CEST6173353192.168.2.58.8.4.4
                                                Oct 12, 2021 15:09:34.189163923 CEST53617338.8.4.4192.168.2.5
                                                Oct 12, 2021 15:09:34.248856068 CEST6544753192.168.2.58.8.8.8
                                                Oct 12, 2021 15:09:34.423072100 CEST53654478.8.8.8192.168.2.5
                                                Oct 12, 2021 15:09:38.479859114 CEST5244153192.168.2.58.8.8.8
                                                Oct 12, 2021 15:09:38.496443987 CEST53524418.8.8.8192.168.2.5
                                                Oct 12, 2021 15:09:38.502695084 CEST6217653192.168.2.58.8.4.4
                                                Oct 12, 2021 15:09:38.521024942 CEST53621768.8.4.4192.168.2.5
                                                Oct 12, 2021 15:09:38.531282902 CEST5959653192.168.2.58.8.8.8
                                                Oct 12, 2021 15:09:38.549801111 CEST53595968.8.8.8192.168.2.5
                                                Oct 12, 2021 15:09:42.769747019 CEST6529653192.168.2.58.8.8.8
                                                Oct 12, 2021 15:09:42.789721012 CEST53652968.8.8.8192.168.2.5
                                                Oct 12, 2021 15:09:49.097486973 CEST6015153192.168.2.58.8.8.8
                                                Oct 12, 2021 15:09:49.134582043 CEST53601518.8.8.8192.168.2.5
                                                Oct 12, 2021 15:09:56.914613962 CEST5696953192.168.2.58.8.8.8
                                                Oct 12, 2021 15:09:56.933176994 CEST53569698.8.8.8192.168.2.5
                                                Oct 12, 2021 15:10:03.356395960 CEST5516153192.168.2.58.8.8.8
                                                Oct 12, 2021 15:10:03.377588987 CEST53551618.8.8.8192.168.2.5
                                                Oct 12, 2021 15:10:09.863465071 CEST4999253192.168.2.58.8.8.8
                                                Oct 12, 2021 15:10:09.883897066 CEST53499928.8.8.8192.168.2.5
                                                Oct 12, 2021 15:10:16.205543041 CEST6007553192.168.2.58.8.8.8
                                                Oct 12, 2021 15:10:16.224287033 CEST53600758.8.8.8192.168.2.5
                                                Oct 12, 2021 15:10:22.732084036 CEST6434553192.168.2.58.8.8.8
                                                Oct 12, 2021 15:10:22.750188112 CEST53643458.8.8.8192.168.2.5
                                                Oct 12, 2021 15:10:29.331429958 CEST5479153192.168.2.58.8.8.8
                                                Oct 12, 2021 15:10:29.350970030 CEST53547918.8.8.8192.168.2.5
                                                Oct 12, 2021 15:10:36.415932894 CEST5046353192.168.2.58.8.8.8
                                                Oct 12, 2021 15:10:36.436556101 CEST53504638.8.8.8192.168.2.5
                                                Oct 12, 2021 15:10:42.501702070 CEST5039453192.168.2.58.8.8.8
                                                Oct 12, 2021 15:10:42.520405054 CEST53503948.8.8.8192.168.2.5
                                                Oct 12, 2021 15:10:48.522980928 CEST5853053192.168.2.58.8.8.8
                                                Oct 12, 2021 15:10:48.544002056 CEST53585308.8.8.8192.168.2.5
                                                Oct 12, 2021 15:10:54.661490917 CEST5381353192.168.2.58.8.8.8
                                                Oct 12, 2021 15:10:54.678647995 CEST53538138.8.8.8192.168.2.5
                                                Oct 12, 2021 15:11:00.709645033 CEST5734453192.168.2.58.8.8.8
                                                Oct 12, 2021 15:11:00.730202913 CEST53573448.8.8.8192.168.2.5
                                                Oct 12, 2021 15:11:06.779176950 CEST5926153192.168.2.58.8.8.8
                                                Oct 12, 2021 15:11:06.799339056 CEST53592618.8.8.8192.168.2.5
                                                Oct 12, 2021 15:11:14.627098083 CEST5715153192.168.2.58.8.8.8
                                                Oct 12, 2021 15:11:14.647671938 CEST53571518.8.8.8192.168.2.5
                                                Oct 12, 2021 15:11:20.681814909 CEST5941353192.168.2.58.8.8.8
                                                Oct 12, 2021 15:11:20.989131927 CEST53594138.8.8.8192.168.2.5

                                                DNS Queries

                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                Oct 12, 2021 15:09:28.581779003 CEST192.168.2.58.8.8.80x63f8Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:28.994478941 CEST192.168.2.58.8.4.40x5a24Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:29.297355890 CEST192.168.2.58.8.8.80x1570Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:34.137134075 CEST192.168.2.58.8.8.80x27a7Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:34.171382904 CEST192.168.2.58.8.4.40xe05eStandard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:34.248856068 CEST192.168.2.58.8.8.80x9cfaStandard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:38.479859114 CEST192.168.2.58.8.8.80x5fc4Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:38.502695084 CEST192.168.2.58.8.4.40x3e9Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:38.531282902 CEST192.168.2.58.8.8.80xe842Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:42.769747019 CEST192.168.2.58.8.8.80xd004Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:49.097486973 CEST192.168.2.58.8.8.80x733eStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:56.914613962 CEST192.168.2.58.8.8.80xf51fStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:03.356395960 CEST192.168.2.58.8.8.80xb9a8Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:09.863465071 CEST192.168.2.58.8.8.80xf5aaStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:16.205543041 CEST192.168.2.58.8.8.80x71daStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:22.732084036 CEST192.168.2.58.8.8.80x2831Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:29.331429958 CEST192.168.2.58.8.8.80x85d4Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:36.415932894 CEST192.168.2.58.8.8.80xa351Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:42.501702070 CEST192.168.2.58.8.8.80x5457Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:48.522980928 CEST192.168.2.58.8.8.80xefeStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:54.661490917 CEST192.168.2.58.8.8.80xbbcbStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:11:00.709645033 CEST192.168.2.58.8.8.80x5fe1Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:11:06.779176950 CEST192.168.2.58.8.8.80xe098Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:11:14.627098083 CEST192.168.2.58.8.8.80x9026Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:11:20.681814909 CEST192.168.2.58.8.8.80xa277Standard query (0)harold.2waky.comA (IP address)IN (0x0001)

                                                DNS Answers

                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                Oct 12, 2021 15:09:28.717128992 CEST8.8.8.8192.168.2.50x63f8Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:29.173227072 CEST8.8.4.4192.168.2.50x5a24Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:29.320130110 CEST8.8.8.8192.168.2.50x1570Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:34.156547070 CEST8.8.8.8192.168.2.50x27a7Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:34.189163923 CEST8.8.4.4192.168.2.50xe05eName error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:34.423072100 CEST8.8.8.8192.168.2.50x9cfaName error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:38.496443987 CEST8.8.8.8192.168.2.50x5fc4Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:38.521024942 CEST8.8.4.4192.168.2.50x3e9Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:38.549801111 CEST8.8.8.8192.168.2.50xe842Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:42.789721012 CEST8.8.8.8192.168.2.50xd004No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:49.134582043 CEST8.8.8.8192.168.2.50x733eNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:09:56.933176994 CEST8.8.8.8192.168.2.50xf51fNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:03.377588987 CEST8.8.8.8192.168.2.50xb9a8No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:09.883897066 CEST8.8.8.8192.168.2.50xf5aaNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:16.224287033 CEST8.8.8.8192.168.2.50x71daNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:22.750188112 CEST8.8.8.8192.168.2.50x2831No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:29.350970030 CEST8.8.8.8192.168.2.50x85d4No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:36.436556101 CEST8.8.8.8192.168.2.50xa351No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:42.520405054 CEST8.8.8.8192.168.2.50x5457No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:48.544002056 CEST8.8.8.8192.168.2.50xefeNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:10:54.678647995 CEST8.8.8.8192.168.2.50xbbcbNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:11:00.730202913 CEST8.8.8.8192.168.2.50x5fe1No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:11:06.799339056 CEST8.8.8.8192.168.2.50xe098No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:11:14.647671938 CEST8.8.8.8192.168.2.50x9026No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                Oct 12, 2021 15:11:20.989131927 CEST8.8.8.8192.168.2.50xa277No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)

                                                Code Manipulations

                                                Statistics

                                                CPU Usage

                                                Click to jump to process

                                                Memory Usage

                                                Click to jump to process

                                                High Level Behavior Distribution

                                                Click to dive into process behavior distribution

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                Analysis Process: Proof of payment.jpg.exe PID: 2940 Parent PID: 5620

                                                General

                                                Start time:15:09:16
                                                Start date:12/10/2021
                                                Path:C:\Users\user\Desktop\Proof of payment.jpg.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\Proof of payment.jpg.exe'
                                                Imagebase:0x140000
                                                File size:686080 bytes
                                                MD5 hash:F16A886B0C04454901AC6D0923297C0E
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.260682862.00000000028D7000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.260632599.00000000028A1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, Author: Florian Roth
                                                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.261006592.00000000038A1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                Reputation:low

                                                Chronological Activities

                                                Analysis Process: schtasks.exe PID: 5080 Parent PID: 2940

                                                General

                                                Start time:15:09:24
                                                Start date:12/10/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eoPqnTxJGg' /XML 'C:\Users\user\AppData\Local\Temp\tmpB6E9.tmp'
                                                Imagebase:0x1c0000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Chronological Activities

                                                Analysis Process: conhost.exe PID: 4924 Parent PID: 5080

                                                General

                                                Start time:15:09:25
                                                Start date:12/10/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7ecfc0000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Chronological Activities

                                                Analysis Process: RegSvcs.exe PID: 2600 Parent PID: 2940

                                                General

                                                Start time:15:09:25
                                                Start date:12/10/2021
                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                Imagebase:0xd60000
                                                File size:32768 bytes
                                                MD5 hash:71369277D09DA0830C8C59F9E22BB23A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:moderate

                                                Chronological Activities

                                                Disassembly

                                                Code Analysis

                                                Reset < >

                                                  Analysis Process: Proof of payment.jpg.exe PID: 2940 Parent PID: 5620 Proof of payment.jpg.exeCOMMON

                                                  Executed Functions

                                                  Function 02520110, Relevance: 2.5, Strings: 1, Instructions: 1293COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: \Tp
                                                  • API String ID: 0-1181567406
                                                  • Opcode ID: 90d58d316e208ec74064f9dd2352d9d8782377b7d31f1455b3de974b0347c89c
                                                  • Instruction ID: eafeea2c99f5cc174154f6d96a2be5ea0ebd3a559d2ddddf01873672a83ded58
                                                  • Opcode Fuzzy Hash: 90d58d316e208ec74064f9dd2352d9d8782377b7d31f1455b3de974b0347c89c
                                                  • Instruction Fuzzy Hash: D2D2B934A01218DFDB25DB64C884BD9B7B2FF8A301F5184E9D909AB361DB35AE85CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02520102, Relevance: 2.5, Strings: 1, Instructions: 1224COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: \Tp
                                                  • API String ID: 0-1181567406
                                                  • Opcode ID: d872a17fed7b14333bfc4f2486b3ab7c8d93eae64529e14d8e1844a3a7aa266e
                                                  • Instruction ID: 6569d9ff2f542aad635101efd768155c4c7a230e97630b090d42b4a0525f4187
                                                  • Opcode Fuzzy Hash: d872a17fed7b14333bfc4f2486b3ab7c8d93eae64529e14d8e1844a3a7aa266e
                                                  • Instruction Fuzzy Hash: 8EC2CC34A01218DFDB25DB24C884BD9B7B2FF4A301F5584E9D909AB361DB35AE89CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252897A, Relevance: .2, Instructions: 220COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f014103062ce5adb6a90d4d3edf2123a11b5998629169b7ce6126ccbce3a11fc
                                                  • Instruction ID: f602196da6ace1e87e9420d2013ffa6d06e25f0bb100e71561449909df10e171
                                                  • Opcode Fuzzy Hash: f014103062ce5adb6a90d4d3edf2123a11b5998629169b7ce6126ccbce3a11fc
                                                  • Instruction Fuzzy Hash: 1B9116B0D052288FCB04DFE9D5886ADBBF2FF4A314F2485A9D414B7394C7349946CB69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02522219, Relevance: 2.7, Strings: 2, Instructions: 178COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: /$c
                                                  • API String ID: 0-3909290379
                                                  • Opcode ID: 67406716ad0b4af0e2b5333b8ce2da4131db1b760e7ba678ea06a9939b168217
                                                  • Instruction ID: 4d69772e8c0ec47ebc7dfe37747a68a9a3db72e18f130c0611094427796d0d27
                                                  • Opcode Fuzzy Hash: 67406716ad0b4af0e2b5333b8ce2da4131db1b760e7ba678ea06a9939b168217
                                                  • Instruction Fuzzy Hash: 89710778E04269CFCB14CFA8C4849EDBBF1FB5A310F2485A9E854EB295D3349986CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252AF30, Relevance: 2.6, Strings: 2, Instructions: 63COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $$
                                                  • API String ID: 0-182950533
                                                  • Opcode ID: ff5d01c43fb38d77195763cb9a33874832f337d7aced77b71f433bf839716a17
                                                  • Instruction ID: c56de6d964ce599e34f35f4b5de06a5bfda4e745e83e216d4b176cd5bb32d671
                                                  • Opcode Fuzzy Hash: ff5d01c43fb38d77195763cb9a33874832f337d7aced77b71f433bf839716a17
                                                  • Instruction Fuzzy Hash: 2631BF75E002688FDB65DF64C8887DDBBB1BB49304F1089E9D419AB290DB759EC8CF00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD0E5E, Relevance: 1.6, APIs: 1, Instructions: 132fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04CD0F6D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: ac69dd2035e9914273c95cef0279b9eb0e9ae70940428378167a5c9d351bede1
                                                  • Instruction ID: 5d6e2a7f1f8540aba1bd927531a8b23306b5be53315ed3cd4ef69500293bf5e0
                                                  • Opcode Fuzzy Hash: ac69dd2035e9914273c95cef0279b9eb0e9ae70940428378167a5c9d351bede1
                                                  • Instruction Fuzzy Hash: 104168714093C06FE7138B798C54AA2BFB8AF07214F1984DBE984DF1A3D225A909D772
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225A2AC, Relevance: 1.6, APIs: 1, Instructions: 125COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0225A346
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: ConsoleCtrlHandler
                                                  • String ID:
                                                  • API String ID: 1513847179-0
                                                  • Opcode ID: b4b8f2d822ea7c0ab7191655e6134503fcc20e4f07af3f48407182bdb50a9fc2
                                                  • Instruction ID: 4684be0b4f4c6bb448566bcc5108eb8f0aee607866276ee8325618e30da25bba
                                                  • Opcode Fuzzy Hash: b4b8f2d822ea7c0ab7191655e6134503fcc20e4f07af3f48407182bdb50a9fc2
                                                  • Instruction Fuzzy Hash: 3D410771409380AFD7128F25DC45B62BFB8EF46624F0981DBED858F653D234A909CBB2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD0AAA, Relevance: 1.6, APIs: 1, Instructions: 94COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetTokenInformation.KERNELBASE(?,00000E2C,2484FA9B,00000000,00000000,00000000,00000000), ref: 04CD0B54
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationToken
                                                  • String ID:
                                                  • API String ID: 4114910276-0
                                                  • Opcode ID: 30ed23eb02959fcc71172ea4ae023b1d30b52bc5ba4e36f5f65c154d00f3215c
                                                  • Instruction ID: 75c0f263bfa72cfff7bbdf3068c5d791e19dfdec74917bf63536c792c6cda09c
                                                  • Opcode Fuzzy Hash: 30ed23eb02959fcc71172ea4ae023b1d30b52bc5ba4e36f5f65c154d00f3215c
                                                  • Instruction Fuzzy Hash: 2731D7714093806FE712CF65DC81F96BFB8EF06314F0884AAEA858B153D620A508C7A1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225AC22, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0225ACD1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: 9363f033e127d3fae09ebc5243ba9441eab666136f4e587ec5cee18c01cde6bf
                                                  • Instruction ID: a09f56be60ce820b3998d6050b709316624444a4fba99218b48da471fc483123
                                                  • Opcode Fuzzy Hash: 9363f033e127d3fae09ebc5243ba9441eab666136f4e587ec5cee18c01cde6bf
                                                  • Instruction Fuzzy Hash: 0E31B6725043846FE7128B65CC85F67BFBCEF05310F0885AAFD819B152D764A549CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225AD19, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E2C,2484FA9B,00000000,00000000,00000000,00000000), ref: 0225ADD4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: e450755cf277db34dc8170048810568b69989af92650f826fd5a79dd891a1df6
                                                  • Instruction ID: 6535c1445af135153ff4d632fd22a393fed257490db30b51128ece51d541b31d
                                                  • Opcode Fuzzy Hash: e450755cf277db34dc8170048810568b69989af92650f826fd5a79dd891a1df6
                                                  • Instruction Fuzzy Hash: DA31C2715093846FE722CB65CC85FA2BFF8EF06310F08859AE985CB192D364E548CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD04BE, Relevance: 1.6, APIs: 1, Instructions: 89fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 04CD054A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: CopyFile
                                                  • String ID:
                                                  • API String ID: 1304948518-0
                                                  • Opcode ID: f9e529247401ee61f83d10be0f2870729587f366819206efe3dcb78309bd2917
                                                  • Instruction ID: 0803657d1f98faa54bb4f1831e57e57ca6f6e3a9f4a7b332b382adb6eea33112
                                                  • Opcode Fuzzy Hash: f9e529247401ee61f83d10be0f2870729587f366819206efe3dcb78309bd2917
                                                  • Instruction Fuzzy Hash: 40316F7150D3C45FD7138B259C65A52BFB8AF07214F0D84DFE984CB1A3E265A848C762
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD0676, Relevance: 1.6, APIs: 1, Instructions: 86COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 04CD0713
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: OpenPolicy
                                                  • String ID:
                                                  • API String ID: 2030686058-0
                                                  • Opcode ID: 6d0c1d8d535c490e310bf2389d7e465e1b8448a8b2acdd3e9461f88f69336d5a
                                                  • Instruction ID: 7293eafde22b4c9e1a1300a011962846eee887b8025239d517319a12fee6b360
                                                  • Opcode Fuzzy Hash: 6d0c1d8d535c490e310bf2389d7e465e1b8448a8b2acdd3e9461f88f69336d5a
                                                  • Instruction Fuzzy Hash: CA217E72504344AFEB21CF65DC85FA6FFB8EF05310F1884AAED849F192D364A548CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD0FC4, Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetFileType.KERNELBASE(?,00000E2C,2484FA9B,00000000,00000000,00000000,00000000), ref: 04CD1059
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID:
                                                  • API String ID: 3081899298-0
                                                  • Opcode ID: 1aa4e0d3c93aadbf34175674fc5472235ec6cc41da40e4fe563fb881a72919d0
                                                  • Instruction ID: f90b40da75fa6230d2c9930aec2f0c6673a66af7095a7baafde532ae8c4e2ae8
                                                  • Opcode Fuzzy Hash: 1aa4e0d3c93aadbf34175674fc5472235ec6cc41da40e4fe563fb881a72919d0
                                                  • Instruction Fuzzy Hash: A82107B54087846FE7128B25DC80FA2BFB8EF46720F08859AE9848B193D624B909C771
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD0EEE, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 04CD0F6D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: d3f1d888acee53e07120a742f862ec1e6ef1ccc0ddf3fc8228f56f9e3f934f92
                                                  • Instruction ID: 5da68d6230d41ea98859a7f95e241ac1b9add54e983c0247c7ce7d6137ecbb82
                                                  • Opcode Fuzzy Hash: d3f1d888acee53e07120a742f862ec1e6ef1ccc0ddf3fc8228f56f9e3f934f92
                                                  • Instruction Fuzzy Hash: 3F218E71500340AFEB21DF6ADC84B66FBE8EF08314F18846DEA899B252D771F504CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD1094, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • WriteFile.KERNELBASE(?,00000E2C,2484FA9B,00000000,00000000,00000000,00000000), ref: 04CD1125
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: 824277e8716329912c8e0bdbe4ed361e4aaea9e5271e2f0d07645fae300b0974
                                                  • Instruction ID: 705d7a15fd65d6355b0da0aa1e3936723b5068753e91c3b1a26a91630eceea7b
                                                  • Opcode Fuzzy Hash: 824277e8716329912c8e0bdbe4ed361e4aaea9e5271e2f0d07645fae300b0974
                                                  • Instruction Fuzzy Hash: E221A471509380AFD722CF65DC84F56BFB8EF46314F0884ABEA849F153C265A509CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225AC52, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(?,00000E2C), ref: 0225ACD1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: ad737213698bf0995b73e6f33fbaa468310e4d1927047439cb96335215f0ca07
                                                  • Instruction ID: ed7f449f0fafa7dab28069e2a3f7b5c6170a00679bc0f28c577519e3376dc903
                                                  • Opcode Fuzzy Hash: ad737213698bf0995b73e6f33fbaa468310e4d1927047439cb96335215f0ca07
                                                  • Instruction Fuzzy Hash: 5E21CFB2510204AFE7219B99DC85F6AFBECEF08311F14856AEE419B241D770E5088BB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD06A2, Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 04CD0713
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: OpenPolicy
                                                  • String ID:
                                                  • API String ID: 2030686058-0
                                                  • Opcode ID: b3aa891328e441b09a23757be08e78697e504f786f48480e10874767abf3a7d6
                                                  • Instruction ID: dc1c3b008d3152a261561c513d2c62598c965260b7c04d1971c137e044576dff
                                                  • Opcode Fuzzy Hash: b3aa891328e441b09a23757be08e78697e504f786f48480e10874767abf3a7d6
                                                  • Instruction Fuzzy Hash: 99219371900204AFEB20DF6ADC85F6AFBECEF44715F14846AEE459F241D674E5048B71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225AD5A, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • RegQueryValueExW.KERNELBASE(?,00000E2C,2484FA9B,00000000,00000000,00000000,00000000), ref: 0225ADD4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: QueryValue
                                                  • String ID:
                                                  • API String ID: 3660427363-0
                                                  • Opcode ID: 9c99ab1cce372d7337721eaf8dbed853153809faa21f86e562826cdc997c19c3
                                                  • Instruction ID: 3706ea24a44545762905b529861c2684c92e3b255997ff5c662ff7f946097440
                                                  • Opcode Fuzzy Hash: 9c99ab1cce372d7337721eaf8dbed853153809faa21f86e562826cdc997c19c3
                                                  • Instruction Fuzzy Hash: 43218EB1511604AFE720DE65DC82FA6BBECEF04711F08C56AFD458B295DB70E508CAB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD0AEA, Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetTokenInformation.KERNELBASE(?,00000E2C,2484FA9B,00000000,00000000,00000000,00000000), ref: 04CD0B54
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: InformationToken
                                                  • String ID:
                                                  • API String ID: 4114910276-0
                                                  • Opcode ID: 4f533eb80b2bc38a96cd6e8d7ee564d6713b4f03fc0da22f05c5036297724254
                                                  • Instruction ID: 80fba2f6f3fdc7dd31c8347c153b20646adc20f78ee209962e230258125ba036
                                                  • Opcode Fuzzy Hash: 4f533eb80b2bc38a96cd6e8d7ee564d6713b4f03fc0da22f05c5036297724254
                                                  • Instruction Fuzzy Hash: D911B4B1504204AFEB21CF6ADC85FAAFBACEF44314F04886AEA45DB241D774E544DB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD12D3, Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DeleteFileW.KERNELBASE(?), ref: 04CD1340
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: 8d534b14fb49c33bb03057ca74d049389e6d7a561614b43d4044cdc974dbcc97
                                                  • Instruction ID: 90d381b23de1f8b83a8f74a4429249752cd3bc55f6ae7f244bb726024156c5ef
                                                  • Opcode Fuzzy Hash: 8d534b14fb49c33bb03057ca74d049389e6d7a561614b43d4044cdc974dbcc97
                                                  • Instruction Fuzzy Hash: CF2190755093C49FD7128F25DC95B56BFB8DF02220F0980EBED85CF293D268A948CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225B7C9, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0225B845
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadShim
                                                  • String ID:
                                                  • API String ID: 1475914169-0
                                                  • Opcode ID: 2b2effb0948122c788d4907e80df04b6a6b1a8dc34db96b25c09867daa34c80d
                                                  • Instruction ID: 9de4307e43a5c9e9b245a83449848fe593928ee1c3cf16ffde46f938561c9da8
                                                  • Opcode Fuzzy Hash: 2b2effb0948122c788d4907e80df04b6a6b1a8dc34db96b25c09867daa34c80d
                                                  • Instruction Fuzzy Hash: 762190755093849FD722CE25DC45B62FFB8EF06618F08809AED858B257D375E908CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD1425, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 04CD1499
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 8db2aaa5aba16b119e9a680646f2fbd922be9e8588a3f7f414d7e1914e2f1aa1
                                                  • Instruction ID: bc28b354c04b5169ee8b33564d11796d3b73e0efbe8c7a60d1b298de4800a1c4
                                                  • Opcode Fuzzy Hash: 8db2aaa5aba16b119e9a680646f2fbd922be9e8588a3f7f414d7e1914e2f1aa1
                                                  • Instruction Fuzzy Hash: C9218C724093C09FDB238F25CC44A52BFB4EF07210F0985DAE9848F663D225A958DB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225A5FB, Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0225A666
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: f698c2c49a0272d0137158cc4baeb852acab49b2b2c374797a9d423ec28bb4ac
                                                  • Instruction ID: b29ebc947ffad89c0b94ee18de46fc9e657e1f16c50871f21121f6f161869413
                                                  • Opcode Fuzzy Hash: f698c2c49a0272d0137158cc4baeb852acab49b2b2c374797a9d423ec28bb4ac
                                                  • Instruction Fuzzy Hash: EA11A271409380AFDB228F51DC44B62FFF4EF4A210F08C59AED858B252D375A418DB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD05C5, Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetFileAttributesW.KERNELBASE(?,?), ref: 04CD0627
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: 5306f66b44af9bb25c8ff748df6fe076c3f20e040aaf1950d867ef29f4bc731e
                                                  • Instruction ID: 6ee2e3ad94867e59e2f4bb90255723f056d4413646b7f7e81b6e434da05de9ca
                                                  • Opcode Fuzzy Hash: 5306f66b44af9bb25c8ff748df6fe076c3f20e040aaf1950d867ef29f4bc731e
                                                  • Instruction Fuzzy Hash: 5A1103755083849FDB11CF29DC84B52BFE8EF02214F0880AAED44CB253D274A549CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD10C6, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • WriteFile.KERNELBASE(?,00000E2C,2484FA9B,00000000,00000000,00000000,00000000), ref: 04CD1125
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: 196d584a6f688ae33508f143790b02b04805b19d889f77a9e36237e725fd51fc
                                                  • Instruction ID: 81e602bda569dab2a7bc79406aa97ba2e8e73fa09ce1ca20857b2b4e814cd1f5
                                                  • Opcode Fuzzy Hash: 196d584a6f688ae33508f143790b02b04805b19d889f77a9e36237e725fd51fc
                                                  • Instruction Fuzzy Hash: 3A11E7B1500304AFEB21CF55DC80F56FBA8EF48720F18846AEE459B252D775B508CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD1713, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 04CD177D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: 44b8d95bc376ed4aaec577c864370e72ec307ee9d401febbf4069246df8a7aa7
                                                  • Instruction ID: 4595ed9c0916a7d88851278980ae16698d7b2761d50a19f9fb096f000af296bd
                                                  • Opcode Fuzzy Hash: 44b8d95bc376ed4aaec577c864370e72ec307ee9d401febbf4069246df8a7aa7
                                                  • Instruction Fuzzy Hash: 9C11D0714093849FDB22CF15DC85B52FFB4EF06224F08C49EED858B263D265A558CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD0502, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 04CD054A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: CopyFile
                                                  • String ID:
                                                  • API String ID: 1304948518-0
                                                  • Opcode ID: f6a5d9d05d8da1f3498389aca35173583f6a8c131d3bd9985dbddc7ec11db607
                                                  • Instruction ID: f20269833f27c94834892cdad5be75bb4729cc022a868fc9a3675cfdc4d3aa32
                                                  • Opcode Fuzzy Hash: f6a5d9d05d8da1f3498389aca35173583f6a8c131d3bd9985dbddc7ec11db607
                                                  • Instruction Fuzzy Hash: 8C1161B5A002059FDB20CF2AD885B56FBE8EF05224F08C46AEE49CB742E674E544CF75
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD1006, Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • GetFileType.KERNELBASE(?,00000E2C,2484FA9B,00000000,00000000,00000000,00000000), ref: 04CD1059
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID:
                                                  • API String ID: 3081899298-0
                                                  • Opcode ID: 4962155ad67a6c7d288b5840dc7b21533c03558a7ee87b3edaa85d0d8c6172f3
                                                  • Instruction ID: b7de93b0db4525fe17f2b4ed959aa51b00046df731615d1a3815dc8a0f6e1a68
                                                  • Opcode Fuzzy Hash: 4962155ad67a6c7d288b5840dc7b21533c03558a7ee87b3edaa85d0d8c6172f3
                                                  • Instruction Fuzzy Hash: 9601D671504244AFE710DF15DC85F66FB9CDF44720F18C45AEE459B241DA74B508CAB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225AAEC, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: LongWindow
                                                  • String ID:
                                                  • API String ID: 1378638983-0
                                                  • Opcode ID: cb3f730ceecd996f6135d1e3b692034fcb482926d2de808616863ee015d74600
                                                  • Instruction ID: 2371d8aabdc1548e5e400bdc5b3e44a75d5effa60e51740034c7b5e95a676cc8
                                                  • Opcode Fuzzy Hash: cb3f730ceecd996f6135d1e3b692034fcb482926d2de808616863ee015d74600
                                                  • Instruction Fuzzy Hash: 0A118E314097849FDB21CF55DC85B52FFB4EF06220F08C5DAED894B262D375A958CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD05EA, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetFileAttributesW.KERNELBASE(?,?), ref: 04CD0627
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: 338226444b11d6c34f645b064e32a927a96168de895f3fe215fee59f8dfb9aa6
                                                  • Instruction ID: dfb7dd6533922ffc5f4716d5da22a5a7914cee5af785573a050606d03caa2f45
                                                  • Opcode Fuzzy Hash: 338226444b11d6c34f645b064e32a927a96168de895f3fe215fee59f8dfb9aa6
                                                  • Instruction Fuzzy Hash: 57019275A042449FDB10CF2ADC84756FBD8EF44724F08C4AAEE49DB242D274E504CE62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225A42A, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetErrorMode.KERNELBASE(?), ref: 0225A480
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 18060093174ae250382d71609ea96040be85183986f8a6b5336588d7d2d79fe0
                                                  • Instruction ID: 41982a4e59661d9f0178430f012473ed086004e320bcbfe1949340b4e2152165
                                                  • Opcode Fuzzy Hash: 18060093174ae250382d71609ea96040be85183986f8a6b5336588d7d2d79fe0
                                                  • Instruction Fuzzy Hash: A711A1754093849FD712CB25DC89B52FFB4DF46220F09C0DAED854F262D278A948CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD1306, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DeleteFileW.KERNELBASE(?), ref: 04CD1340
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: DeleteFile
                                                  • String ID:
                                                  • API String ID: 4033686569-0
                                                  • Opcode ID: ffaad29a76f615c93f3070964910af31cc14a0e94b5b492a9d1db70db331b97d
                                                  • Instruction ID: d09839162cad824d215a7b12158e475dcd5f71d99de9efb2db9bf799665afd34
                                                  • Opcode Fuzzy Hash: ffaad29a76f615c93f3070964910af31cc14a0e94b5b492a9d1db70db331b97d
                                                  • Instruction Fuzzy Hash: 9C01B171A002448FDB10DF2AE885766FB98DF00220F0CC4AADE89CF742D674E544CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225B7FA, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • LoadLibraryShim.MSCOREE(?,?,?,?), ref: 0225B845
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoadShim
                                                  • String ID:
                                                  • API String ID: 1475914169-0
                                                  • Opcode ID: dbf123558414122e224c20132ee588c5941f2a85d2165936262d64c055fdd05e
                                                  • Instruction ID: 32b3e515009ce7b248cb8ba3a2bfed505441bb9b129d64ec673ed6bf1ccdcdf0
                                                  • Opcode Fuzzy Hash: dbf123558414122e224c20132ee588c5941f2a85d2165936262d64c055fdd05e
                                                  • Instruction Fuzzy Hash: 580192719202019FDB20DF59DC89B26FBE8EF04618F08C499DD498B759D375E408CB71
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225A622, Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0225A666
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 9d2292cdfe6e74c5e3527081266a432570e62a4d7a1e41007e7e04b42ef9678a
                                                  • Instruction ID: 944dbd1a0c2cb5b1e31f9948c5cb41e9e1720bbcd4982c1a51ed99d7e9b063f2
                                                  • Opcode Fuzzy Hash: 9d2292cdfe6e74c5e3527081266a432570e62a4d7a1e41007e7e04b42ef9678a
                                                  • Instruction Fuzzy Hash: 55016D318106049FDB21CF95D845B56FFE4EF48320F08C9AAEE494B656D375A418CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225A2F6, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetConsoleCtrlHandler.KERNELBASE(?,00000E2C,?,?), ref: 0225A346
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: ConsoleCtrlHandler
                                                  • String ID:
                                                  • API String ID: 1513847179-0
                                                  • Opcode ID: 9d038729ac8acd90075765b27d9db2930babae84ec1da0cd9d31c3869d27a6f1
                                                  • Instruction ID: 8363b7515363c83c74518980afacb828d8fe927715b1a1a65e455497d7f934a1
                                                  • Opcode Fuzzy Hash: 9d038729ac8acd90075765b27d9db2930babae84ec1da0cd9d31c3869d27a6f1
                                                  • Instruction Fuzzy Hash: 8801A271500200ABD310DF1ADC86B26FBE8FB88B20F14815AED084B745E635F515CBE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD1742, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 04CD177D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: b846e4a3b143e860d528c67af8a2200bbfb4d6531f5e0be753bceec25cacb2bb
                                                  • Instruction ID: 4d0b46a78aa300d0501d86c88df89d1d62518f8a548ee3d8a610ddbb1e6274fe
                                                  • Opcode Fuzzy Hash: b846e4a3b143e860d528c67af8a2200bbfb4d6531f5e0be753bceec25cacb2bb
                                                  • Instruction Fuzzy Hash: 9501B1355006008FDB208F16D884B65FFA4EF04320F0CC4AEEE4A4B661D671A558DF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 04CD145E, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 04CD1499
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.262970735.0000000004CD0000.00000040.00000001.sdmp, Offset: 04CD0000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0
                                                  • Opcode ID: ac388993fe3cee917ad229e69ef9f8130131b2cdcc441242f22a7b12c305440e
                                                  • Instruction ID: 625aeb11ecb7ccff4c7045185dc5b93cb4efcc6d1d0dd8c4a61c417bed385d73
                                                  • Opcode Fuzzy Hash: ac388993fe3cee917ad229e69ef9f8130131b2cdcc441242f22a7b12c305440e
                                                  • Instruction Fuzzy Hash: 76018B35900204DFDB20CF16D884B2AFFA1EF48320F0CC4AAEE490B656D275A558DFB2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225AB0E, Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: LongWindow
                                                  • String ID:
                                                  • API String ID: 1378638983-0
                                                  • Opcode ID: 59ba198e656dafedac7c7d192f62822c37e1457b38c5758d0544ac333c029684
                                                  • Instruction ID: 86a602b848cc57ec121f9248d35d0e5f032abe108fa9b3c56a749eda1daec6d0
                                                  • Opcode Fuzzy Hash: 59ba198e656dafedac7c7d192f62822c37e1457b38c5758d0544ac333c029684
                                                  • Instruction Fuzzy Hash: 0801D131420A04CFDB20CF45D885B11FFA0EF14720F08C5AADD4A0B656C3B5A408CFB2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0225A44E, Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                                  Download Yara Rule
                                                  APIs
                                                  • SetErrorMode.KERNELBASE(?), ref: 0225A480
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260233998.000000000225A000.00000040.00000001.sdmp, Offset: 0225A000, based on PE: false
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: a33625b10b0b08f93538addc509c21d05be8966525276085969bc03d4e54b38e
                                                  • Instruction ID: bd24d9956f6ded66b722ab65588155376524094c1383e61908280b648e569188
                                                  • Opcode Fuzzy Hash: a33625b10b0b08f93538addc509c21d05be8966525276085969bc03d4e54b38e
                                                  • Instruction Fuzzy Hash: 6FF0C275824245CFDB10CF95E889765FFA4EF44330F08C1AADD494B75AD3B9A448CEA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02529792, Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: !
                                                  • API String ID: 0-2657877971
                                                  • Opcode ID: ea538a9f70fe7e8e63e7a5208cf21a4ef5945c16cad251ee4022924c659e6cdd
                                                  • Instruction ID: e6b6f6399b0be6db54b7a0aae8c3358436b793aacbac54291bf70921240e2f2c
                                                  • Opcode Fuzzy Hash: ea538a9f70fe7e8e63e7a5208cf21a4ef5945c16cad251ee4022924c659e6cdd
                                                  • Instruction Fuzzy Hash: 8441C075D05228CFDB20DFA0E4987EDBBB1BB4A319F249969D002A72D0D77449C9CF19
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02529547, Relevance: 1.3, Strings: 1, Instructions: 83COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: !
                                                  • API String ID: 0-2657877971
                                                  • Opcode ID: 5c4691a24d35710220b941e449d76c71f5279e9fdedd3188ff2f682e06c3628c
                                                  • Instruction ID: 5358c05db196f825ae1b741450f74a186920b66fabf8e14f55be7f67e24e5976
                                                  • Opcode Fuzzy Hash: 5c4691a24d35710220b941e449d76c71f5279e9fdedd3188ff2f682e06c3628c
                                                  • Instruction Fuzzy Hash: C5316A75D0A368CFDB10DFA4E4887ADBBB0BB07315F284A99C445AB2D1C735488ACB19
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252927A, Relevance: 1.3, Strings: 1, Instructions: 39COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: b098411d3ee7cf13a0f7887b100687c619f5ba68201e319cb15ec94267eb2032
                                                  • Instruction ID: bd21d589a212718c712bf02d53d5e728a75b98d654905b9b25d4ba13ec2c2f2c
                                                  • Opcode Fuzzy Hash: b098411d3ee7cf13a0f7887b100687c619f5ba68201e319cb15ec94267eb2032
                                                  • Instruction Fuzzy Hash: 29014079C49228CFDB209FA1D5587EDBAB0BB07315F24596AC046622D1C7784ACDCF1A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252B23D, Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: '
                                                  • API String ID: 0-1997036262
                                                  • Opcode ID: 489bdafd2da46fc67531db646117a5ecc29ada2dd4e5bf69ff58d4fb4a12b3e8
                                                  • Instruction ID: 05229fb95c76f67c204f8df06541a4a9ad95f84e918eb32c58bbdd1f52d904de
                                                  • Opcode Fuzzy Hash: 489bdafd2da46fc67531db646117a5ecc29ada2dd4e5bf69ff58d4fb4a12b3e8
                                                  • Instruction Fuzzy Hash: 4201C075A00228CFCB24CF54CC88BD9BBB6FB09304F1485C5E529A7291C7329E99CF04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252B2B8, Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: &
                                                  • API String ID: 0-1010288
                                                  • Opcode ID: 0736de21efa5180f39bb09487818aa577ad4ea475183b9b12997d7a0f7962347
                                                  • Instruction ID: 4bcede22ffd52adb6509bb40378a219c68fe0e61ff24d228f8438e707d819a61
                                                  • Opcode Fuzzy Hash: 0736de21efa5180f39bb09487818aa577ad4ea475183b9b12997d7a0f7962347
                                                  • Instruction Fuzzy Hash: FAF0D435E04228CFDB24CFA4C844BDCB7B1BB09304F604499D519AB2C1D7729A85CF04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02529C50, Relevance: .3, Instructions: 265COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cb34edb0ad3fc05ceefc5e2195f370cc6475b874bba426730c29159f1f9b5128
                                                  • Instruction ID: bd8ba2c57db8ab32e7ed3ecc83f36799b6d24e4bb9a320cc70c4d61b81f6bb38
                                                  • Opcode Fuzzy Hash: cb34edb0ad3fc05ceefc5e2195f370cc6475b874bba426730c29159f1f9b5128
                                                  • Instruction Fuzzy Hash: 44A1E374E41228DBDB14DBA8D998BEDBB72BF8A700F208119D9157B3C4CBB15849CF09
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A898, Relevance: .2, Instructions: 226COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 18380b6c7c7f0b0b7cf0d212acc22eddd4e393d786009e63c3bebe72118daed2
                                                  • Instruction ID: 577264396fbd7039106ff85e43f2af6f25d5ee89669ef53f57334c9514cbf3a3
                                                  • Opcode Fuzzy Hash: 18380b6c7c7f0b0b7cf0d212acc22eddd4e393d786009e63c3bebe72118daed2
                                                  • Instruction Fuzzy Hash: 6591E174D05228CFDB14CFAAD5887ADBBF1BB4A304F10956AD415B72C0E7785A89CF48
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A8E0, Relevance: .2, Instructions: 198COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 588522024395b3b910ff38e2cc2caed53bcff8fa3d52510b79162c3ac87c0aee
                                                  • Instruction ID: a21b1766ae20927ab812789748b2fd91acd0cfe3b25c94613afbe4a72460da60
                                                  • Opcode Fuzzy Hash: 588522024395b3b910ff38e2cc2caed53bcff8fa3d52510b79162c3ac87c0aee
                                                  • Instruction Fuzzy Hash: DF81C074D05228CFDB14CFAAD5887ADBBF1BB4A304F20952AD415B72C0E7785A89CF48
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02521958, Relevance: .2, Instructions: 195COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 78584987162135cf5f5523f7216893004707bc1225fbc8556b32f40df53e203d
                                                  • Instruction ID: 15085169c8db5d82ca118d09d255029ea1118900612f55dc7a8a57d6c0f22e10
                                                  • Opcode Fuzzy Hash: 78584987162135cf5f5523f7216893004707bc1225fbc8556b32f40df53e203d
                                                  • Instruction Fuzzy Hash: F571F674E052589FCB14DFB9D884AAEBFB2FF4A300F14846AD809EB291E7349945CF54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02521EFA, Relevance: .2, Instructions: 178COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0340408e1385e299414a105065feaf5a0be3c402fb5d0174da094430d7991191
                                                  • Instruction ID: 031a90479923804f6fd273cc9105a7a4794056b2920c02af88ea9702c3ea0ffe
                                                  • Opcode Fuzzy Hash: 0340408e1385e299414a105065feaf5a0be3c402fb5d0174da094430d7991191
                                                  • Instruction Fuzzy Hash: 71715475E04229CFDF10DFA9C880BADBBF2BB49310F1094A9D919E7295D7349A85CF14
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A0E7, Relevance: .2, Instructions: 175COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cac61d236d9bd5a07ba9f8990b8a518e46b67adb34c27ed72420e604cffe6095
                                                  • Instruction ID: cfc9c726b5b3c7ebe0f3e2ced3d39565ce7583e3bb384c1a08413b05d11528bc
                                                  • Opcode Fuzzy Hash: cac61d236d9bd5a07ba9f8990b8a518e46b67adb34c27ed72420e604cffe6095
                                                  • Instruction Fuzzy Hash: 0E71EDB4D00218DFDB04DFE8D5886ADBBB2FF8A300F20856AD815A7394DB35598ACF15
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025223F8, Relevance: .2, Instructions: 161COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 56c49652c95a060c9ab17992e01bf5e7b9ee609e584cb1baa725090c273738df
                                                  • Instruction ID: d818ca06660f3510b18e02334723b5caf97275425183d5dd40b80051714d9b07
                                                  • Opcode Fuzzy Hash: 56c49652c95a060c9ab17992e01bf5e7b9ee609e584cb1baa725090c273738df
                                                  • Instruction Fuzzy Hash: 7F518974E00368CFDB10DFA9D4486ADBFB1BF4A310F2088AAD805EB2C5DB748949CB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02528DD0, Relevance: .2, Instructions: 153COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7b76a66002c51b263219b7194597d2fa54f341616d134c9f3025a0b141ef701c
                                                  • Instruction ID: 3c6b7220e44034916f85fdeeda8949a3dc11d56f43258fd865cc5656183bef37
                                                  • Opcode Fuzzy Hash: 7b76a66002c51b263219b7194597d2fa54f341616d134c9f3025a0b141ef701c
                                                  • Instruction Fuzzy Hash: 6F513570D02228DFCB00DFE9D9487AEBBB2BF8A314F649595E414B72D4D3344A49CB69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02528DCF, Relevance: .1, Instructions: 122COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 58966ccba59585ebb43e0d43cff49dc0f5ef8d247d0dac21d717c0ab9060f5aa
                                                  • Instruction ID: eb65b713d1770305118e8b95ba1e46bd23d48201cad87cb43f5fc784be2ba33e
                                                  • Opcode Fuzzy Hash: 58966ccba59585ebb43e0d43cff49dc0f5ef8d247d0dac21d717c0ab9060f5aa
                                                  • Instruction Fuzzy Hash: E7410570D02228DBDB00DFE9D9487ADBBB2FF8A315F609565E404B32D0D7344A498B69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025299F0, Relevance: .1, Instructions: 102COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 012d8cf9f3a039d0b47365bee3f3a05789f0bdc6943568c2a6a4d88fcade763a
                                                  • Instruction ID: 8ea3c656bf6ed0918ee81186aca64e15ce9107c5a6e139bc9eb4bc9247c55c10
                                                  • Opcode Fuzzy Hash: 012d8cf9f3a039d0b47365bee3f3a05789f0bdc6943568c2a6a4d88fcade763a
                                                  • Instruction Fuzzy Hash: 25314871D452189BDB05DFB9E4486EEBBB6FB8A300F209429D405B3390CB755889CB18
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A6EC, Relevance: .1, Instructions: 91COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e7693cba719459fe3e316f4107e8928a1fdbbdbe3e10d56d44841a93f9b12f24
                                                  • Instruction ID: 8adb2fbc5c4d85679304052d9d9db424a953179ee6899c81ea382c6eedf780c7
                                                  • Opcode Fuzzy Hash: e7693cba719459fe3e316f4107e8928a1fdbbdbe3e10d56d44841a93f9b12f24
                                                  • Instruction Fuzzy Hash: 66319CB6508340AFD310CF59EC40E57FFE8EB89620F18C96EFD499B211D271A804CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025293C4, Relevance: .1, Instructions: 90COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5a857fd34b267dd6a8ec7d9d8112f7c49d8f0c6ac8c227537a115e5734e0fe0d
                                                  • Instruction ID: 7c16ccc721f7bd97193cadae3ebdafbbe5f6d0a094b8c9a2c01841237d247647
                                                  • Opcode Fuzzy Hash: 5a857fd34b267dd6a8ec7d9d8112f7c49d8f0c6ac8c227537a115e5734e0fe0d
                                                  • Instruction Fuzzy Hash: 4D415C74D05228CFEB60DF64D898BADBBB1BB4A305F1085EAD449A3390DB345AC8CF15
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A944, Relevance: .1, Instructions: 88COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0dce652a1c641c3a597bb28163c913baf5dadd24639cc9dfa650317cc6443691
                                                  • Instruction ID: e4054018bb3056a904ea3fa8c8207e07437a4f8ed8211d162b3dad7f7d17add8
                                                  • Opcode Fuzzy Hash: 0dce652a1c641c3a597bb28163c913baf5dadd24639cc9dfa650317cc6443691
                                                  • Instruction Fuzzy Hash: 5F217FB6508340AFD311CF19EC41D57FFE8EB89620F04C96EFD499B212D271A914CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A81A, Relevance: .1, Instructions: 87COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 626fc45630a27a9e8536b82f54e24fd19574fcdd5fac30f27d9e697825930083
                                                  • Instruction ID: 76bc7a8e88178be929d123e1c3ab47f093db38d0da680e7de807693c2d979dfe
                                                  • Opcode Fuzzy Hash: 626fc45630a27a9e8536b82f54e24fd19574fcdd5fac30f27d9e697825930083
                                                  • Instruction Fuzzy Hash: 332180B6518340AFD311CF1ADC45D56FFE8EB89630F08C96EFD4997212D271A918CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A5C0, Relevance: .1, Instructions: 84COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9267455d0b1f046a792d8600d075f95b5df85715feb85332771cc80d587d4ca3
                                                  • Instruction ID: dd5523adb733cdf8638c09e6fd527bc42f82093f6d37b0e3a62d3ebb897214b0
                                                  • Opcode Fuzzy Hash: 9267455d0b1f046a792d8600d075f95b5df85715feb85332771cc80d587d4ca3
                                                  • Instruction Fuzzy Hash: 1421F772508340AFD310CF1ADC41D56FFA8EF85630F08C99EFD495B212D236A515CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02522ABE, Relevance: .1, Instructions: 83COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 03da515d6bf4bed2f68123c94971f8b3942fdb3c016af9b32de6204cc77f233f
                                                  • Instruction ID: aefbd0b2f92bcbe0377a55ef531c8e979de7c51cd3ea4974342f5ab44d5ba6a0
                                                  • Opcode Fuzzy Hash: 03da515d6bf4bed2f68123c94971f8b3942fdb3c016af9b32de6204cc77f233f
                                                  • Instruction Fuzzy Hash: 2941E2B8D00218CFDB50DFA8E08CA9CBBB1FB19314F1484A9D949EB384DB749988CF15
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A3AA, Relevance: .1, Instructions: 82COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5dadf45f517d7f0f8abc00acd65609f105ef0f05a33abfcb4eb53f3cf98ca124
                                                  • Instruction ID: 16963dec167acd716ea697249c97c45267b44f2e303018f174b5ac377e98cd2d
                                                  • Opcode Fuzzy Hash: 5dadf45f517d7f0f8abc00acd65609f105ef0f05a33abfcb4eb53f3cf98ca124
                                                  • Instruction Fuzzy Hash: C521B576508340AFD711CF1A9C45956FFA8EF85630F08C99EFD495B212D271A514CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A191, Relevance: .1, Instructions: 77COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fc22a4a3ec8c39cc19fd2a2e84e7cb881ee9ed0af4688d2e67f40be7b5b1dbaf
                                                  • Instruction ID: 592fb3b35d45cbb3471971256113a1ec6655ba7e8fdaab9d120e0e7683487e5b
                                                  • Opcode Fuzzy Hash: fc22a4a3ec8c39cc19fd2a2e84e7cb881ee9ed0af4688d2e67f40be7b5b1dbaf
                                                  • Instruction Fuzzy Hash: 5221D776508340AFD711CF1A9C45D62FFA8EB85630F08C59EFD495B252D272B514CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A716, Relevance: .1, Instructions: 75COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 34264852d7c487aa883137e4bcbf2cbf65fda5d430f999af4d5f5a8bdc9fb2b3
                                                  • Instruction ID: 9150602e0a23678074227507ae959f7491aa5a5e15d1cc9d2a37d226c251fbb6
                                                  • Opcode Fuzzy Hash: 34264852d7c487aa883137e4bcbf2cbf65fda5d430f999af4d5f5a8bdc9fb2b3
                                                  • Instruction Fuzzy Hash: AB213AB6514304AFD310CF0AEC41E67FBE8EB88670F14C92EFD4997301D275A9148BA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A96E, Relevance: .1, Instructions: 75COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 996e9042ee20e2d25ee6a15f3bde96759b14e99642ed97f5179458fc067e3595
                                                  • Instruction ID: b3bb5083cc24183221253a1f0a2a894012fed6ece3cf07d676b5aba10c5f630b
                                                  • Opcode Fuzzy Hash: 996e9042ee20e2d25ee6a15f3bde96759b14e99642ed97f5179458fc067e3595
                                                  • Instruction Fuzzy Hash: 56212CB6554305AFD310CF0AEC41E57FBE8EB88670F14C92EFD499B311D275A9148BA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A842, Relevance: .1, Instructions: 75COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ca271fecd6584bca14fe536eb0edf3f361c31ba867dd919003da4c215588d5ba
                                                  • Instruction ID: fd9b5afeab9b4a465ca9b86711e95d9f86f7ea93a393dea614d374fd7c19cf0d
                                                  • Opcode Fuzzy Hash: ca271fecd6584bca14fe536eb0edf3f361c31ba867dd919003da4c215588d5ba
                                                  • Instruction Fuzzy Hash: 9E212FB6554305AFD310CF0AEC41E57FBE8EB88670F14C92EFD4997311D275A9148BA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02520006, Relevance: .1, Instructions: 71COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 185481e6464ddeec30e237cbdc379398418a21348d2b17da593f4691a3b78ab7
                                                  • Instruction ID: b13695ee949730283e89effcaa55940cc682fa495ae4c7a761db55a1cf6b8567
                                                  • Opcode Fuzzy Hash: 185481e6464ddeec30e237cbdc379398418a21348d2b17da593f4691a3b78ab7
                                                  • Instruction Fuzzy Hash: 791146A048F3C05FC7075BB458766AABF709E43114B1E49CBC0C09B0A3C55D0D2ED762
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A5EA, Relevance: .1, Instructions: 69COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e0ef42f5716cb335f3d7aa7b327a10b81c4af5113be77684e2f31acd5abbafcc
                                                  • Instruction ID: d55a891b4eacdecd08d8d89598efcd839b270d9da5245505ddae1e5adbf83c70
                                                  • Opcode Fuzzy Hash: e0ef42f5716cb335f3d7aa7b327a10b81c4af5113be77684e2f31acd5abbafcc
                                                  • Instruction Fuzzy Hash: 64119376554204BFE310CF0AEC41D67FBA9EB84670F18C96EFD095B311D276B5148AA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A3D2, Relevance: .1, Instructions: 69COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 835e6f77fb4679547e9bca69dd07ed4378360b02ffa75db9a49e780bba111f7f
                                                  • Instruction ID: 5f3cf9e317f925a0afc991abb97cd394a0d94709c94ff38cc0ee2abaccb96c5f
                                                  • Opcode Fuzzy Hash: 835e6f77fb4679547e9bca69dd07ed4378360b02ffa75db9a49e780bba111f7f
                                                  • Instruction Fuzzy Hash: 3A1193B6554304BFD310CF0AEC41D67FBA8EB84670F18C96EFD095B311D276B5148AA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226AAC8, Relevance: .1, Instructions: 67COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 93309cae1354ee2d61e9a2c8b16440d49dccbd6f75c67d00132c562c5d966486
                                                  • Instruction ID: 920388192a2ba8994cb94597f8482ce5521a9c72de6d0c72ee7831269cadb0ea
                                                  • Opcode Fuzzy Hash: 93309cae1354ee2d61e9a2c8b16440d49dccbd6f75c67d00132c562c5d966486
                                                  • Instruction Fuzzy Hash: 38212FB55093819FD341CF29D841A57FFE4FB89654F04899EF88897312D234E908CFA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025224FA, Relevance: .1, Instructions: 67COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c43d87f41b3fd2d3ba01fd4f7a1943e4a8ab7d4ee787f913d7990387f74386f1
                                                  • Instruction ID: 6b40fa5e2f4cb11447aff89be1f27054116a21a8d7de0184e39473d767e7d484
                                                  • Opcode Fuzzy Hash: c43d87f41b3fd2d3ba01fd4f7a1943e4a8ab7d4ee787f913d7990387f74386f1
                                                  • Instruction Fuzzy Hash: AC31A378D00219CFDB10DFA8E08C69CBBB0FB09315F1488A9D805EB398D7749A88CF15
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A640, Relevance: .1, Instructions: 65COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: be7a7033852f58881970f7da688722049205853b9552f8c7c4dcd413687413af
                                                  • Instruction ID: e3454a61b0ee421fc837ba45d4d104c55e000837c32a030bc5ba3898c3405df8
                                                  • Opcode Fuzzy Hash: be7a7033852f58881970f7da688722049205853b9552f8c7c4dcd413687413af
                                                  • Instruction Fuzzy Hash: 4D2151B550D3816FD302CF19DC51956FFF5EF86620F0989DEF8889B252D235A908CB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A1BA, Relevance: .1, Instructions: 64COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dabb40558bb6fed76541aa112ece598cc1123277fc707973fabdfc46bc53090e
                                                  • Instruction ID: 40f59f180b3c043d370017fb644893a4a2b261c82796014d20e7981d5b613dfb
                                                  • Opcode Fuzzy Hash: dabb40558bb6fed76541aa112ece598cc1123277fc707973fabdfc46bc53090e
                                                  • Instruction Fuzzy Hash: 1511C676650204BFE7108E0AEC41E66FB98EB84670F08C96EFD095B701D276B5148BB1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02522725, Relevance: .1, Instructions: 63COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 13124942ebf0b98fcae5d9d31970dd8b406d2223cceed612a46992a8197dc6a1
                                                  • Instruction ID: 1419fe7471cfa234c21781575b0f8f2f58c15d77b24ec2d9c5c14eafd1f9efb1
                                                  • Opcode Fuzzy Hash: 13124942ebf0b98fcae5d9d31970dd8b406d2223cceed612a46992a8197dc6a1
                                                  • Instruction Fuzzy Hash: 6A31B278D00258CFDB10DFA8E08CA9CBBF0FB09315F2594A9D805EB298D7749998CF19
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226AB00, Relevance: .1, Instructions: 60COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 36d1be31a8f0f702c41b7566a2dff9a2bcbf3c0503b8b5812df0e8e62a104cd1
                                                  • Instruction ID: 8fbd48de65e808773913551e2f675333fe046e27bc80068abb69b1d436060a5b
                                                  • Opcode Fuzzy Hash: 36d1be31a8f0f702c41b7566a2dff9a2bcbf3c0503b8b5812df0e8e62a104cd1
                                                  • Instruction Fuzzy Hash: A611BDB5508341AFD340CF19D881A5BFBE4FB88664F04896EF999D7311D231EA148F66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 023B0726, Relevance: .1, Instructions: 60COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260422100.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5ebdded866c74b406bebe9c7ec9e9bc13f4ed76850f34b9efc1eda4305e7b2d6
                                                  • Instruction ID: 4b55f457e4a73169fce3de66a79f80c8a3dff84c7e89abd3bf0858bcb81c503c
                                                  • Opcode Fuzzy Hash: 5ebdded866c74b406bebe9c7ec9e9bc13f4ed76850f34b9efc1eda4305e7b2d6
                                                  • Instruction Fuzzy Hash: 29215E3510D3C59FD7178B20C891B56BFB1AF47604F1986DED5848BA63C33A8807DB52
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 023B075C, Relevance: .1, Instructions: 59COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260422100.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1f0c1ff280ef67b1ac63ebb48ef0bb1e87ad1e3a4dc5a01940d7e68c19086a39
                                                  • Instruction ID: b355b4200be9f9d35109985563dbc5d71f5047a0f6931b27ed90c146595b8e99
                                                  • Opcode Fuzzy Hash: 1f0c1ff280ef67b1ac63ebb48ef0bb1e87ad1e3a4dc5a01940d7e68c19086a39
                                                  • Instruction Fuzzy Hash: 1E11C034204244DFD71ACF24C985B66FB95EF88708F24C59CEA495BE52C77BD803CA51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02529118, Relevance: .1, Instructions: 55COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 070a66a66ecf3a885c66cf8eaac616278e239e2731da058e1771915489841003
                                                  • Instruction ID: f214ea460ff9dee0dd96bfe77a037346eeaea578e314b145fcfe84006be43ed3
                                                  • Opcode Fuzzy Hash: 070a66a66ecf3a885c66cf8eaac616278e239e2731da058e1771915489841003
                                                  • Instruction Fuzzy Hash: 7C21C574D04219CFCB04DF99C5999EEBBB5FF49310F208569D805AB390DB30AA44CF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252B150, Relevance: .1, Instructions: 52COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dc64dadff7dc58ff7da7387b7aafe78185095cb6e7ceb1efd0b38869a39f91fb
                                                  • Instruction ID: a17aaa6eb801cf569d8d212eebb4669bc795209f487ef397ba8d80c86edeb3f5
                                                  • Opcode Fuzzy Hash: dc64dadff7dc58ff7da7387b7aafe78185095cb6e7ceb1efd0b38869a39f91fb
                                                  • Instruction Fuzzy Hash: 4B210471E012288FDB60DF64D894BDCBBB1BF4A304F0485DAD509AB281DB309E84CF11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02529117, Relevance: .1, Instructions: 52COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fb793044bac48ddb8356440a5f31b3d9059ae6f0a84391c64171e58d5a375f8e
                                                  • Instruction ID: 54bb374cf25b7e45f51150067a6d0a9700f480d390a83f5b3cb29e9bab593515
                                                  • Opcode Fuzzy Hash: fb793044bac48ddb8356440a5f31b3d9059ae6f0a84391c64171e58d5a375f8e
                                                  • Instruction Fuzzy Hash: 27111674D0422ACFCB04DF9AD5899EEBBB5FF49310F208469D805AB390DB30AA44CF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252B9C1, Relevance: .1, Instructions: 52COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d69b47464df0164bd61995d756ff46f6f7a9ff2814270809cb5fbdf746d483eb
                                                  • Instruction ID: 9bf4e50ab83e05dd15be378effe1532220004b1b562548999d237ec672f59af2
                                                  • Opcode Fuzzy Hash: d69b47464df0164bd61995d756ff46f6f7a9ff2814270809cb5fbdf746d483eb
                                                  • Instruction Fuzzy Hash: C321C075E002288FCB60DF64C884BDDB7B5BB0A308F1088DAD919AB280D7759AC9CF44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A118, Relevance: .0, Instructions: 50COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: db227fc843b5ed9730054cf37a77b563696947bb1d333298e9c1f606e50ea2cf
                                                  • Instruction ID: 371233a4cb6945a5ebbcc471b88c1e221e5735820a0055e63f1f120c42dd8831
                                                  • Opcode Fuzzy Hash: db227fc843b5ed9730054cf37a77b563696947bb1d333298e9c1f606e50ea2cf
                                                  • Instruction Fuzzy Hash: 0901D4B240E3C06FE31287255C95AA2BF78DF43664F0D85DBE9849F193D2266909C7A2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 023B05CF, Relevance: .0, Instructions: 46COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260422100.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 31dd103d7044b4439dc5323f57f45502542b8a76a638632b4f4287733c948be4
                                                  • Instruction ID: 14e1247a746c5e97a2b86b9f87fc30e55fdaa2ed1ca2bf68a5bb115964162715
                                                  • Opcode Fuzzy Hash: 31dd103d7044b4439dc5323f57f45502542b8a76a638632b4f4287733c948be4
                                                  • Instruction Fuzzy Hash: 0101A2B15093806FD7128B16AC51862FFB8DF86620708C5DFEC898B612D125A908CBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A7C7, Relevance: .0, Instructions: 45COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ce191ec61aa237dce5e0fa049089981ae5210fe01cfcd8e90376061b897e24ba
                                                  • Instruction ID: 70cc6da7c04cf9a85a6abe3a779630b4d28108805ba0d1e4d4aa50759be6f81d
                                                  • Opcode Fuzzy Hash: ce191ec61aa237dce5e0fa049089981ae5210fe01cfcd8e90376061b897e24ba
                                                  • Instruction Fuzzy Hash: 52F0287188A2949FC7168BB4A4596FD7F70FB83225F1449D5C449533D2E736082BC698
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A5C0, Relevance: .0, Instructions: 43COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a49b5362ed17f5bbec239d508716ea9f565b6b3bd92018b6417ea44ea39bd53f
                                                  • Instruction ID: 44d417249cfc077cce15f8911965057335068e8c6ff19b1e182c9a3beb48126c
                                                  • Opcode Fuzzy Hash: a49b5362ed17f5bbec239d508716ea9f565b6b3bd92018b6417ea44ea39bd53f
                                                  • Instruction Fuzzy Hash: 1301BC70C08244EBCB26DFB8A1596EDBF74EF06328F1082D8D84467382D7722959CB14
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02528867, Relevance: .0, Instructions: 42COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4cee151e24b9c209a4c4bfd3661e5e82cfca212b361cd655f7b0f5afbf032b3a
                                                  • Instruction ID: 166b23a5285e83f4080152a1d44953d7117920979e2ef9b8e4c85750475752f4
                                                  • Opcode Fuzzy Hash: 4cee151e24b9c209a4c4bfd3661e5e82cfca212b361cd655f7b0f5afbf032b3a
                                                  • Instruction Fuzzy Hash: 4601D3B4D04219DFCB04DFE9D4459AEBBB6FB89310F1085A99914A3384DB305A41DBA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025217B8, Relevance: .0, Instructions: 41COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cf5b91d72c45ccac36db60bc62c9de541b0ff5125499373a5f0ebb9740c71ce2
                                                  • Instruction ID: 733c59bc9cc1b2dee25f3981aaf7a001288e73800770141931f940bfe5bc88e6
                                                  • Opcode Fuzzy Hash: cf5b91d72c45ccac36db60bc62c9de541b0ff5125499373a5f0ebb9740c71ce2
                                                  • Instruction Fuzzy Hash: 980165B0D042489FCB08DFB8C4559AEBFF1EF8A310F1481AAD444A7362CB354A19CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A788, Relevance: .0, Instructions: 36COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80d82b1d9377b6e9dce70081acb8992ad13c1077b8e59cc801934a3d36617702
                                                  • Instruction ID: 0152cfc7599995212983727606306206c61e85d3f76100b5a03fdeef9f19b4d3
                                                  • Opcode Fuzzy Hash: 80d82b1d9377b6e9dce70081acb8992ad13c1077b8e59cc801934a3d36617702
                                                  • Instruction Fuzzy Hash: DDF0FA7084E1948FCB169BB490A56A87F34EB43304F1809EAC4442B2C3CA3A1916CBAC
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02529C18, Relevance: .0, Instructions: 36COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ecbac1e402d80aa2199c6fdbe34ff53290d0094533c9471cfa39043e8d9982e9
                                                  • Instruction ID: 9146ba9aa0cb8e825513497940b8b6d702be170f205732df9cc17a6a88a74af5
                                                  • Opcode Fuzzy Hash: ecbac1e402d80aa2199c6fdbe34ff53290d0094533c9471cfa39043e8d9982e9
                                                  • Instruction Fuzzy Hash: 06F0B47044D194DFC715CBA4A8595B9BF65EF03205F2868D9D089633C2CB320819C728
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025296CE, Relevance: .0, Instructions: 34COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 77d72867a5fa6d2ebbfed7147e8f6e46b0bce00b6cfe91c09a2b492da197be8f
                                                  • Instruction ID: 0635f21d5457afccc3b05cc64fcede6ffee2205fe15942e71b5897dcf502947c
                                                  • Opcode Fuzzy Hash: 77d72867a5fa6d2ebbfed7147e8f6e46b0bce00b6cfe91c09a2b492da197be8f
                                                  • Instruction Fuzzy Hash: 0F01C478C05228CBDB209FA0D4587EDBAB0BB07315F289959C046633C0C77449CDCF5A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025217C8, Relevance: .0, Instructions: 34COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0082024dee11a128d7022fe489e6285682e0e5798e9abf5944ba438b71fbdddd
                                                  • Instruction ID: caf36f54f858bd6d02bf070b98150d74c4f57d6b0b8ca3c8c684ed9c0b09bc42
                                                  • Opcode Fuzzy Hash: 0082024dee11a128d7022fe489e6285682e0e5798e9abf5944ba438b71fbdddd
                                                  • Instruction Fuzzy Hash: 8301A4B4D00219DFCB44DFA9C5459AEBBF1FF49304F5085A9D808A7351DB305A54CF95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 023B0818, Relevance: .0, Instructions: 31COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260422100.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
                                                  • Instruction ID: e6523f9a4659e3a4948d508ed0edca34e2cda3336f31902ce95ed1c4d4ef6723
                                                  • Opcode Fuzzy Hash: 693b7c54016a59cdbfed5bf97d611671327a7796b2b33607a59a4987e9e37b45
                                                  • Instruction Fuzzy Hash: 3AF01D35104645DFC706CF40D940B66FBA6EB89718F24C6ADE9490BB52C737D813DE81
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252AE4A, Relevance: .0, Instructions: 31COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bd1a041560842f1df48422eeeb22467323711ca7a34639ddc6da6c18c6eb8f9f
                                                  • Instruction ID: 0d6ec24fba2ac534fcc85f87256bfd894a3522b37b68e9885c739c43e4c6e992
                                                  • Opcode Fuzzy Hash: bd1a041560842f1df48422eeeb22467323711ca7a34639ddc6da6c18c6eb8f9f
                                                  • Instruction Fuzzy Hash: 8AF01D75A44228DFEB24CF54CC41BD9B7B5BB09304F1049D5E219AB2C0D3B49E89CF48
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252B3C0, Relevance: .0, Instructions: 31COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2efbcdef99039c354aedb1e5ff5f843a85a78de8fe5de62e541f3fc414deed93
                                                  • Instruction ID: d5f281c49efa9b8b5e35ba470fb75519145a26a5c555250c5c6f6687685706f8
                                                  • Opcode Fuzzy Hash: 2efbcdef99039c354aedb1e5ff5f843a85a78de8fe5de62e541f3fc414deed93
                                                  • Instruction Fuzzy Hash: 0201C031910228CFCB25DF64C890BECBBB2BF49304F1485D9D519A7294D7329E89DF05
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025200B8, Relevance: .0, Instructions: 29COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eead9293a172e5f2471dd8819cc988f79d47588d28c4b9e98aa7d5f1d9fcbd57
                                                  • Instruction ID: 7758095d0bd8c7a1698fbf6559f133f8e6eadfcc7f756c9ffe0b5bbca3275382
                                                  • Opcode Fuzzy Hash: eead9293a172e5f2471dd8819cc988f79d47588d28c4b9e98aa7d5f1d9fcbd57
                                                  • Instruction Fuzzy Hash: 45F030309061449FD719DFA4D999BF9BBB29F87304F1442EBD404B72A2C6351E19CB25
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A842, Relevance: .0, Instructions: 28COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 12264cf545c8155f681c8469af9f5461a8e4c7719ea422b3bce275a15aea4f01
                                                  • Instruction ID: dd64c07238455be919ee4439f0f12eef8bc06b2a299b95b8b56686e08ea1015b
                                                  • Opcode Fuzzy Hash: 12264cf545c8155f681c8469af9f5461a8e4c7719ea422b3bce275a15aea4f01
                                                  • Instruction Fuzzy Hash: 24F08C70D892489FDB05DFB4E4598EDBF70EB4B320F1085E9C845A3392DB340956CB84
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252B090, Relevance: .0, Instructions: 28COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8bf1e9e502669b80552efde6c8ed7fd0309e67cde0496d6260092be20f5df6bd
                                                  • Instruction ID: 6d54e577ae6bd2b2e1e3370bc9fd9d42593d8e5a6ce61c15ddc8e23340383d56
                                                  • Opcode Fuzzy Hash: 8bf1e9e502669b80552efde6c8ed7fd0309e67cde0496d6260092be20f5df6bd
                                                  • Instruction Fuzzy Hash: 19F0C431D04668CBCB28DE64DC583ECB772BB86316F1446D9801A6B2D4D7344EC8CF04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252BD6F, Relevance: .0, Instructions: 28COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 62ec884749d55c30d9de37c1709726968a33757c80c9987e9533a34cb9abb07a
                                                  • Instruction ID: 2b3c4c9f491f8b820a29dee14386cae48ed95d7674f3a2404a2e75f57f52d313
                                                  • Opcode Fuzzy Hash: 62ec884749d55c30d9de37c1709726968a33757c80c9987e9533a34cb9abb07a
                                                  • Instruction Fuzzy Hash: B8F0B47084C288AFCB02CFA4D4916EDBFB1EF46314F1481EADCC453392C63A1616DB11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252952B, Relevance: .0, Instructions: 28COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a87769bc6ffee2f702222b10fb13ccfd448110ed1afbfc21f4723d205d1d288
                                                  • Instruction ID: a3f8445215bf44c2afe0f710c3ae1d9ed35241553162d220b1bf140e5ce57413
                                                  • Opcode Fuzzy Hash: 8a87769bc6ffee2f702222b10fb13ccfd448110ed1afbfc21f4723d205d1d288
                                                  • Instruction Fuzzy Hash: 12F0D475C05228CFDB209FA0E8883EDBAB0BB07315F245999C086622C0C7344ACDCF1A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 023B05F6, Relevance: .0, Instructions: 27COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260422100.00000000023B0000.00000040.00000040.sdmp, Offset: 023B0000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 49be3bed1a85038c6200c2e8a6b7c383aaa96392acabb4acb74c6432da5afb4b
                                                  • Instruction ID: 45093cd77fc09fbad2e2243648e9947651e0dc8df2c682f091d6d53866806e1a
                                                  • Opcode Fuzzy Hash: 49be3bed1a85038c6200c2e8a6b7c383aaa96392acabb4acb74c6432da5afb4b
                                                  • Instruction Fuzzy Hash: 03E06DB6A006048B9650CF0AEC81452F7D8EB84630B18C47FDC0D8B701D135B5088EA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02528930, Relevance: .0, Instructions: 27COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: decdd8a22176bfe65d655ec6c7a5dcda971805803caef00785292a84b71c9460
                                                  • Instruction ID: 0b916864cd0f59b7591fee561a59990d452303c9fbc4a4618dd37b48c1005395
                                                  • Opcode Fuzzy Hash: decdd8a22176bfe65d655ec6c7a5dcda971805803caef00785292a84b71c9460
                                                  • Instruction Fuzzy Hash: D0F03070C591849FCB15CBE8949D5EDBFB0EB4A310F1085EAD84463292C278161ADB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A6A3, Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: edf0335adc9d5f633ae9c5053db2a68fa14535087a2901caf3f996c970074bcf
                                                  • Instruction ID: 0d1e53030cb0f522dc45da10e7f06c94b19232aa5224d55aeed8581d23351f40
                                                  • Opcode Fuzzy Hash: edf0335adc9d5f633ae9c5053db2a68fa14535087a2901caf3f996c970074bcf
                                                  • Instruction Fuzzy Hash: D7E0D8B295130467E210CF0A9C82F22FB58EB54A30F04C56BED091B701D171B514CAE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A363, Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 841994f2597a65215ebcc04fba1c13583217ba4032052ef1f4736823711ca52e
                                                  • Instruction ID: 1024cbbee2654881ee5c829f3cf7f79ad32e45653832db3056383f178c748dee
                                                  • Opcode Fuzzy Hash: 841994f2597a65215ebcc04fba1c13583217ba4032052ef1f4736823711ca52e
                                                  • Instruction Fuzzy Hash: 86E0D8B194130467E210DE0A9C82B12FB58EB44930F04C56BED091B701D175B5048AE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226AB6B, Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7bfd037b09d6eb1f18ed63ec3bb59322edf48585c13a526da739f57e76c35048
                                                  • Instruction ID: b4ea12e50ff41133941743734e63d55080feb07b94a470a471c5656ae3291800
                                                  • Opcode Fuzzy Hash: 7bfd037b09d6eb1f18ed63ec3bb59322edf48585c13a526da739f57e76c35048
                                                  • Instruction Fuzzy Hash: 6EE0D8B2A5130467E210CE0A9C82F13FB58EB84A30F04C56BFD091B741D171B6148AE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A8FB, Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0004dae1cb680adc47d381d368762a80690f7476f5dd55cb1d9cab423f5ae4e8
                                                  • Instruction ID: a41be48e6b667fd9f0cfb6028b331fd48a932968bde1c2f80a083c1265b9a746
                                                  • Opcode Fuzzy Hash: 0004dae1cb680adc47d381d368762a80690f7476f5dd55cb1d9cab423f5ae4e8
                                                  • Instruction Fuzzy Hash: 85E0D8B294130467E210CF0A9C82F12FB58EB54A30F04C56BED095F701D171B5148AE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A57B, Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b5027855278a367d042307e17cbb659e383f784597af64ecf1a7cf3aad822bc1
                                                  • Instruction ID: b16cc77776bbc9c070986b509744693c3e30a755c5522590662cdac6d5570daa
                                                  • Opcode Fuzzy Hash: b5027855278a367d042307e17cbb659e383f784597af64ecf1a7cf3aad822bc1
                                                  • Instruction Fuzzy Hash: 7BE0D8B19413046BE210CE0ADC82B12FB58EB44930F08C56BED091B701D176B5048AE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A7CF, Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8932f6b460d1da97d02988f7aec65d56c511f48e5907cc2fda1aa2a0e412426c
                                                  • Instruction ID: 0a430e638dfbe7089de05a8be0e23eb0b092570ecf26a10646a2d900500bf927
                                                  • Opcode Fuzzy Hash: 8932f6b460d1da97d02988f7aec65d56c511f48e5907cc2fda1aa2a0e412426c
                                                  • Instruction Fuzzy Hash: D3E0D8B294130467E210DF0AAC82F23FB58EB44A30F04C56BED091B701E171B5148AF5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0226A14C, Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260252105.0000000002262000.00000040.00000001.sdmp, Offset: 02262000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d4c8e02246f52d85869181b8fdd2ab1dc8a1a22bc131fc700a03e9740c9ac027
                                                  • Instruction ID: 3955c46d76430fc4d119de47a29d447775eed221decacbc48e41bb3b7eae01d8
                                                  • Opcode Fuzzy Hash: d4c8e02246f52d85869181b8fdd2ab1dc8a1a22bc131fc700a03e9740c9ac027
                                                  • Instruction Fuzzy Hash: 85E0D8B194130467E210DE0A9C82B12FF58EB44930F44C5ABED091B701D175B5048AE5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252BE4F, Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a40fe0e589aa7967af85dd0857f432f9ed1699de4c3d7daec613d71c0bd22ce2
                                                  • Instruction ID: bd451191d157800867d79c4637a13a98c151ec75b4715e6716b01e6bf1d9cb4a
                                                  • Opcode Fuzzy Hash: a40fe0e589aa7967af85dd0857f432f9ed1699de4c3d7daec613d71c0bd22ce2
                                                  • Instruction Fuzzy Hash: 24F0A070D48188EFCB01CBA8D4946ECFFB1EB8A318F1481DAC884A3392C7365907CB00
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A800, Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e6b26adcbf9b897f9809292f5e22e08ef1b35d9f7766cd6374cd5b811e1f160
                                                  • Instruction ID: ac8159569766a14fefd773f54deceaf876beb648409646269642bfb84458de42
                                                  • Opcode Fuzzy Hash: 2e6b26adcbf9b897f9809292f5e22e08ef1b35d9f7766cd6374cd5b811e1f160
                                                  • Instruction Fuzzy Hash: 56E0ED708992849FCB028BB0A85E5EDBF30EF43220F1046C9C48027292D275091ACB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02528818, Relevance: .0, Instructions: 25COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aefba93a494be65d7b00031a786e626784c1e9c218255151e80d201afde6d4f5
                                                  • Instruction ID: d2edce56569208bf3683d339810c9fccbcf0d6b98c6db3d28ff88313b12dd171
                                                  • Opcode Fuzzy Hash: aefba93a494be65d7b00031a786e626784c1e9c218255151e80d201afde6d4f5
                                                  • Instruction Fuzzy Hash: 25E0D8708A9284AFC7168BB8A85E5EE7F30FB07221F0405DED88463383C339095AC761
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025228FE, Relevance: .0, Instructions: 25COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 09e146c6039e85627f087e7b41de947315b04f7aa616703cedf35d5760f2e647
                                                  • Instruction ID: fd73ed90daaa01e7de53c5b3efadd41a9ecc8637351397984034cd369ec83f3c
                                                  • Opcode Fuzzy Hash: 09e146c6039e85627f087e7b41de947315b04f7aa616703cedf35d5760f2e647
                                                  • Instruction Fuzzy Hash: B201C974901629CFEB64DF64DC58F98BBB2FB44301F0086E9D90993294EB741E84CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A0A8, Relevance: .0, Instructions: 25COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e447874112f576ad3db5fec9b65eb7dbce40b40f8030bb861d25fddfeb211c3d
                                                  • Instruction ID: def5608b2417756f437c66cabaeebb3063c6d7bc284c4b5cd3dec356762d0ee5
                                                  • Opcode Fuzzy Hash: e447874112f576ad3db5fec9b65eb7dbce40b40f8030bb861d25fddfeb211c3d
                                                  • Instruction Fuzzy Hash: 1FE02A3088D2C89FCB028BB4A8990FCBF31EF0B324F1445C9C88463282C3320A2ACB44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02529978, Relevance: .0, Instructions: 25COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a7dc7ebc102ff77e6d6f79b119e3e7b222d7aed92729340d26b290926303ba0b
                                                  • Instruction ID: 5656f128e6bd7394de0ef630f17e068afb65815b5c5b6cecbfb67967263951ab
                                                  • Opcode Fuzzy Hash: a7dc7ebc102ff77e6d6f79b119e3e7b222d7aed92729340d26b290926303ba0b
                                                  • Instruction Fuzzy Hash: 10E092708991C4AEC7139BB458556EDBFB4DB03220F2405EAC88463282C2390A1AD721
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252B45C, Relevance: .0, Instructions: 24COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e6c2a4e5ccb983a15bd894f8506ee4a30a0fd64f8d36bcf0679f165d8edc735d
                                                  • Instruction ID: f82e9342c491707d0d66073e324ea65e6ac013d08e18655eabd048af8ff739bd
                                                  • Opcode Fuzzy Hash: e6c2a4e5ccb983a15bd894f8506ee4a30a0fd64f8d36bcf0679f165d8edc735d
                                                  • Instruction Fuzzy Hash: D3F0F431D10668CBCB29DF64C8543DC7772BB89311F1046DA8416AB2C8DB304E84CE04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02520070, Relevance: .0, Instructions: 24COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d9e7828570a8d87049290be25baf56b556d5b86a1df3843361f0681e95229fc8
                                                  • Instruction ID: fea880f8c9de643da76814c1a9f2d53d40d2d92b65866cf29d3a449aaf916a81
                                                  • Opcode Fuzzy Hash: d9e7828570a8d87049290be25baf56b556d5b86a1df3843361f0681e95229fc8
                                                  • Instruction Fuzzy Hash: 15E08CB19822089ACB08FBF8D51E67FB769DB42204F501969940133280CE796E209AB9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252ACD0, Relevance: .0, Instructions: 24COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6f8147e1356a3497dc19c40ee0930829582f0bda8e48a8b2901e7071a8678497
                                                  • Instruction ID: 41cb9f683335a783b687a90c07d40ba190325679379fa873581daeed42111330
                                                  • Opcode Fuzzy Hash: 6f8147e1356a3497dc19c40ee0930829582f0bda8e48a8b2901e7071a8678497
                                                  • Instruction Fuzzy Hash: 3CE0D830C4D2849FCB12DBB8E49E6EDBF30EB0B211F1441EAD845A72D2C7300695CB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025299B8, Relevance: .0, Instructions: 24COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9b8db6703ca981f0804a9d65c3ab90e02dbf295354fa71598fdb13f16a1ac165
                                                  • Instruction ID: 65d5ef9dea0179ebd4697d286587c7b84b8f42649e81ef764f5827ac123f76bf
                                                  • Opcode Fuzzy Hash: 9b8db6703ca981f0804a9d65c3ab90e02dbf295354fa71598fdb13f16a1ac165
                                                  • Instruction Fuzzy Hash: 49E0DFB048C2809FC3068BB8685A6FA7F75EB43321F1445DDE48463282C639082AC624
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A640, Relevance: .0, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3f1cb386fd46feeeefe0f0a1a549e71ccc1d214c6e35ed7889948b801f56fec7
                                                  • Instruction ID: 5cfe040170e78f3ca7deeafc4da9f303b563bdea6779adeecca6cc33f46c1585
                                                  • Opcode Fuzzy Hash: 3f1cb386fd46feeeefe0f0a1a549e71ccc1d214c6e35ed7889948b801f56fec7
                                                  • Instruction Fuzzy Hash: 71E09A30D45118CFCB05CFA8E0886DCBFB0EB06225F2082E8D84497382D73A994ACB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02522E28, Relevance: .0, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6bfbdb88d859320b98d088a1c543128ba43e6629e1e421bad068b0c7aa19e0f4
                                                  • Instruction ID: 0b7eb965caaf5eafab713f2ff6ee8ad03414ae236a1b91d61673951ff4cde49a
                                                  • Opcode Fuzzy Hash: 6bfbdb88d859320b98d088a1c543128ba43e6629e1e421bad068b0c7aa19e0f4
                                                  • Instruction Fuzzy Hash: C6E0D8708691C49FC7168F7898595E87F34EF07215F0441EED884A7292C7390516C715
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252BD3B, Relevance: .0, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4d2dbf96cb1f1d1811835620f63f01536084bcb918da1737ad92667eb87e654d
                                                  • Instruction ID: 2afceabc8fe2e95255e054a20c797fb6553da859dea0d085e431f6a826f53aba
                                                  • Opcode Fuzzy Hash: 4d2dbf96cb1f1d1811835620f63f01536084bcb918da1737ad92667eb87e654d
                                                  • Instruction Fuzzy Hash: 19E0D8349041889FCB01CB90D4D16BCFFF0EF4A114F1480C7DC4997391C5329A12CB41
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A680, Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5a327dc7c553508cc80f9fb4c6b2747fc5c42a431aa70b2978148983ac7b4993
                                                  • Instruction ID: a1931d3e6ae6dbefb2b88bc456d7180e3a87d132685f257eaa54eae6fa3aac14
                                                  • Opcode Fuzzy Hash: 5a327dc7c553508cc80f9fb4c6b2747fc5c42a431aa70b2978148983ac7b4993
                                                  • Instruction Fuzzy Hash: B2E0866088A1C4DEC7139B78B4596EDBF79EF43318F2845C5D44897293C7761919CB24
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252BA88, Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9185a9e0550a26c76411e4ca19a82873c8d413905f5cc1447185e5017f060682
                                                  • Instruction ID: 564dda0805929694a831764ef8276dc71ee10f2c404526c5ddbc228ed924e62a
                                                  • Opcode Fuzzy Hash: 9185a9e0550a26c76411e4ca19a82873c8d413905f5cc1447185e5017f060682
                                                  • Instruction Fuzzy Hash: 4DF01C35D14628CFCB29CF64D8483D87772BB4A315F004AD6C065672C4D3704EC8CE04
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A708, Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d19ae9fec20838209ed91b69a97e406749d9b068bdcb9b2b349150f28f4f3ffa
                                                  • Instruction ID: 64570ef4a43f61ffb4abef39aac7da1596c9c2a4052898cc766c3e11db842829
                                                  • Opcode Fuzzy Hash: d19ae9fec20838209ed91b69a97e406749d9b068bdcb9b2b349150f28f4f3ffa
                                                  • Instruction Fuzzy Hash: 42E0DF70C4D288DFCB068BB8A4996EDBF30EF47300F1941D9C48423282D371192ACB58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025200C8, Relevance: .0, Instructions: 21COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4a46b330ca7b19404b834e9a81720e1c3f549146b44c83692a5787ff74127b40
                                                  • Instruction ID: 52b957578b948d6d2d62aa00aaf728ed299ce97cc272425215f2880aabca351b
                                                  • Opcode Fuzzy Hash: 4a46b330ca7b19404b834e9a81720e1c3f549146b44c83692a5787ff74127b40
                                                  • Instruction Fuzzy Hash: 4EE08C30D05208DBCB08EFA9D549BADF7B6EF46304F1051B99808732A0DA316E04CA68
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02521968, Relevance: .0, Instructions: 21COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 27c7b9248eb6f212aa9311ad8520f7eb3ae35a3765a3d8505df85e994b52e65a
                                                  • Instruction ID: aeb347df22a6105430d9e09d833d4a50bac89538a8f0c940fdf22b978ef82e59
                                                  • Opcode Fuzzy Hash: 27c7b9248eb6f212aa9311ad8520f7eb3ae35a3765a3d8505df85e994b52e65a
                                                  • Instruction Fuzzy Hash: D6E01A31C41208EBC714EFA4E8496ADFB35EB46301F10C159DC4423280CB315A54DB59
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252BD80, Relevance: .0, Instructions: 21COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 182f10a8e33575d8cd61309277c22e7fa1573b4b9426054f01371f62de0d0b81
                                                  • Instruction ID: c1803de758dc8de002a2b6359e5722d26763c95a0651d1177aa54a705d433288
                                                  • Opcode Fuzzy Hash: 182f10a8e33575d8cd61309277c22e7fa1573b4b9426054f01371f62de0d0b81
                                                  • Instruction Fuzzy Hash: CEE0E574D04208ABCB05DF98D444AACFBB5EB49314F10C1AAD85963381C736AA55DB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252BE60, Relevance: .0, Instructions: 20COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3359d42fe6bd506627ef64c4412f6da3e155b18cd7effdc4459e8abc230d4999
                                                  • Instruction ID: b3c111c6074102e97d99e35157643c9a4155a00405589dfa5f3e69c87702b77d
                                                  • Opcode Fuzzy Hash: 3359d42fe6bd506627ef64c4412f6da3e155b18cd7effdc4459e8abc230d4999
                                                  • Instruction Fuzzy Hash: 36E04674D04208EFCB04DF98E4446ACFBB4FB89308F20C5A9D818A3381C732AA06DF84
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A030, Relevance: .0, Instructions: 19COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0b157457e4792a73979a4bdd39a3502bb249117f70c190f2c3f2929ad021bf76
                                                  • Instruction ID: 641a80a54da423b16e60039faa8157d39b34d3440b99457648a67933e571c94d
                                                  • Opcode Fuzzy Hash: 0b157457e4792a73979a4bdd39a3502bb249117f70c190f2c3f2929ad021bf76
                                                  • Instruction Fuzzy Hash: 43E0C23058E1D48EC713CB78A8186FCBF75EB0B304F2409E9D884972C3C275081AD728
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A8A8, Relevance: .0, Instructions: 19COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 385f3513456672d733a22b39e9aa494abab73280609b1ad8591b697f0b8d3f82
                                                  • Instruction ID: 781bb6da9bc8e50525c96297756e655b0e76a3872cc571e23bc7b2c34fee16dd
                                                  • Opcode Fuzzy Hash: 385f3513456672d733a22b39e9aa494abab73280609b1ad8591b697f0b8d3f82
                                                  • Instruction Fuzzy Hash: 79E04671D45208EBCB08EFA8E0085ACFBB9FB49310F1081A9D80463380D7301A55CE89
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02528940, Relevance: .0, Instructions: 19COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a0dc4e8daf020aad9f167800c10e93d6cb37ab63380d26853a5d7af34f015bdc
                                                  • Instruction ID: c0e97a08bd9dd44ec0789fda4ea6ee7c64f357214e3266d963e85f89b7d0bafd
                                                  • Opcode Fuzzy Hash: a0dc4e8daf020aad9f167800c10e93d6cb37ab63380d26853a5d7af34f015bdc
                                                  • Instruction Fuzzy Hash: B7E0B674D45208EBCB04DFE8E44D6ADBBB5FB49305F1085A9D80863380D7742A58DBA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A718, Relevance: .0, Instructions: 18COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3f87a4c578155a8a0992eea521859a11554c14d019fc2fd1ae7d2b0cbcf294ba
                                                  • Instruction ID: fd00834ef82acaad4da13e2983b4080d53731ef2cc0f1215978b97563f362c8c
                                                  • Opcode Fuzzy Hash: 3f87a4c578155a8a0992eea521859a11554c14d019fc2fd1ae7d2b0cbcf294ba
                                                  • Instruction Fuzzy Hash: 3ED0127084520C9BC704DAA8A4495ADBB78E746304F104199C84423280D7711955C69D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A810, Relevance: .0, Instructions: 18COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 146147f4186be8dbc2fbcf71dc71d8505ee1a5d8052e10ccad652262a496ccf3
                                                  • Instruction ID: 1102dc929523a20bcceb07581f358e4cbe85ab0894eaad64220abb2d3bb93776
                                                  • Opcode Fuzzy Hash: 146147f4186be8dbc2fbcf71dc71d8505ee1a5d8052e10ccad652262a496ccf3
                                                  • Instruction Fuzzy Hash: 63D01770C59208DBC704EFA4E50D5ADBF78FB46315F2096A9D80923280EB711A59CAD9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252ACE0, Relevance: .0, Instructions: 18COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 20f5a1cffc64f81ea4bcd75a2484aad49904c625e2c5f888ddf2ce8a93d065dc
                                                  • Instruction ID: dc699807727dcf72efecc3c6ce8cad0d7d05aeba919fc5e2a14b18ab2924e9f7
                                                  • Opcode Fuzzy Hash: 20f5a1cffc64f81ea4bcd75a2484aad49904c625e2c5f888ddf2ce8a93d065dc
                                                  • Instruction Fuzzy Hash: F4D01270C45208DBCB05DFA4E44D5ADBB74F747305F109595D80573290C7701994CA99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A0B8, Relevance: .0, Instructions: 18COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f5e34a7f09808096228959147a0aa598e9dac8fc0ec4809d518562af13a9a3e2
                                                  • Instruction ID: 032d248fe252409e95140dc392329c07442d0b7ff50b3b8c7f01d948498374da
                                                  • Opcode Fuzzy Hash: f5e34a7f09808096228959147a0aa598e9dac8fc0ec4809d518562af13a9a3e2
                                                  • Instruction Fuzzy Hash: 5BD01775C49218DBC704EFA8E40D5BDBB78FB4A315F1095A8D80823280CB712AA8DA99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A650, Relevance: .0, Instructions: 17COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 496ea1c3d3fb8ab5017d699bc9db38b9244326a5e0953fc0366b68f9f38f0ae0
                                                  • Instruction ID: 7f1660c4a0dbab51044c86bacfad79e37d4a033179fe06dfe57d8cb612a5f45c
                                                  • Opcode Fuzzy Hash: 496ea1c3d3fb8ab5017d699bc9db38b9244326a5e0953fc0366b68f9f38f0ae0
                                                  • Instruction Fuzzy Hash: C8E01774D04208DFC704EFA8E148AACBFB8FB46A05F1041A8D80467391D776AA98CB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02522E38, Relevance: .0, Instructions: 17COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 38daa610cde32f80de75c752d46878a07de7afaf310716a75569a945074a8ef6
                                                  • Instruction ID: 0cc6745532dfe478dc55f6332da90770cf1b9833d5b461b07129eef6de3a92aa
                                                  • Opcode Fuzzy Hash: 38daa610cde32f80de75c752d46878a07de7afaf310716a75569a945074a8ef6
                                                  • Instruction Fuzzy Hash: 0AD05E78D6524CDFC701EFA8E40D6ACBF78FB06605F1041A9DC08A3380DB715A58DB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02528828, Relevance: .0, Instructions: 17COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65192f07a1de995d7b7a81187ddfcb18270b3cc8505865f078d686290d705f7f
                                                  • Instruction ID: 954415290222fbcc4ff191178631a7ea1b374d0e669f89707f52dbd87493b705
                                                  • Opcode Fuzzy Hash: 65192f07a1de995d7b7a81187ddfcb18270b3cc8505865f078d686290d705f7f
                                                  • Instruction Fuzzy Hash: D7D05E70C59208DBC704EFE8E40D6ADBF79FB06215F1049A8DC4863380D7715A54CBB5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252BD39, Relevance: .0, Instructions: 17COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e1828799143627d7c9c8315592fb5c0a0a71a83055193f6a6201766d5847379
                                                  • Instruction ID: 2b0d707f5c59860f21089209e735d5668e9c10045b2443b4a9e9e003a268cb6e
                                                  • Opcode Fuzzy Hash: 6e1828799143627d7c9c8315592fb5c0a0a71a83055193f6a6201766d5847379
                                                  • Instruction Fuzzy Hash: E1E08C34904108EBCB11CF84D484BECFBB1FB4A218F14C48ADC49533C1C7329A56CA54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02529988, Relevance: .0, Instructions: 17COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b520e963979d3fed6322533a48cf858f4b8f420cad9c869c4efee5393d10b751
                                                  • Instruction ID: 09f160017b47612b5d781855e88be8140e987737f8f613425d4e623c58237a3c
                                                  • Opcode Fuzzy Hash: b520e963979d3fed6322533a48cf858f4b8f420cad9c869c4efee5393d10b751
                                                  • Instruction Fuzzy Hash: 0BD05E70C5915CDAC711EBA8A4082ADBFB8EB02215F2055E9C844323C1D7755A54C7AA
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252B306, Relevance: .0, Instructions: 16COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fd577fe6362d372b853ef400fd69645094706ea86640dafe2707d701cb27bd20
                                                  • Instruction ID: 1506f6c767fb03beeda85e175849dae19a9deed5609bbc239ee1e829322677ef
                                                  • Opcode Fuzzy Hash: fd577fe6362d372b853ef400fd69645094706ea86640dafe2707d701cb27bd20
                                                  • Instruction Fuzzy Hash: C2E09235D08228CFCB249F20D8487D8BBB1BB4A305F4048D9D019AB2D4D7754ED8DF44
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A7D8, Relevance: .0, Instructions: 16COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 97efeeb3363fc20d500753d4350ca0a2888bfa92c4fcd8b9a809fe97cf9a94b3
                                                  • Instruction ID: 2c8ababeda48292c1d0e9a94870f5b9bd56f455cd971c8509ff62170108c6510
                                                  • Opcode Fuzzy Hash: 97efeeb3363fc20d500753d4350ca0a2888bfa92c4fcd8b9a809fe97cf9a94b3
                                                  • Instruction Fuzzy Hash: 05D0227088A208DBC304EAA8E408ABEBB7CF703204F100C98C408233C29BB21A20C26C
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02529C28, Relevance: .0, Instructions: 16COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80d7908eae6458e7680128515a09374a76b8cf50b7fbe6a097c3a1af6c453229
                                                  • Instruction ID: 41319b4e22af053d403d12994e3eede8ac87e97268bff23de674298fd22ee02b
                                                  • Opcode Fuzzy Hash: 80d7908eae6458e7680128515a09374a76b8cf50b7fbe6a097c3a1af6c453229
                                                  • Instruction Fuzzy Hash: 5CD0A770885118DBC704DA94E40C66AB76CE707215F106854D408233808B711914C568
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025299C8, Relevance: .0, Instructions: 16COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c175ec207845dc969154d8a3c6d945740398acbe7ae0deac96b52fbac6667fe1
                                                  • Instruction ID: 47b3103a6b00e958b86c0525f3ff2f3d3f23391ac8079df49994891c5a34e2ce
                                                  • Opcode Fuzzy Hash: c175ec207845dc969154d8a3c6d945740398acbe7ae0deac96b52fbac6667fe1
                                                  • Instruction Fuzzy Hash: E5D0A771849108DBC700DAA4E80D769776CF703215F104499D408333808B711914C568
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 022523F4, Relevance: .0, Instructions: 15COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260226759.0000000002252000.00000040.00000001.sdmp, Offset: 02252000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dea8f7ea47e5a0b3795523c78c88e9cfd48f2913b5262cb2c6d53226cacf1f21
                                                  • Instruction ID: a84d363077e7bcd79cf6ed2a4719cd3c85545481911e195af95b715c2de3254b
                                                  • Opcode Fuzzy Hash: dea8f7ea47e5a0b3795523c78c88e9cfd48f2913b5262cb2c6d53226cacf1f21
                                                  • Instruction Fuzzy Hash: BAD05E79215AA28FD3268A1CC1A8B953B94EF51B08F4684F9EC008B6A7C378D581D200
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A690, Relevance: .0, Instructions: 15COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 01f17310a020af8163181c9efc2d75af3541623fbedfd332b43845ec68b7bda4
                                                  • Instruction ID: f78b9ac4fb4b54f1c9f15600285066f70f06521c7051cf5c99348d3a17c8b6c7
                                                  • Opcode Fuzzy Hash: 01f17310a020af8163181c9efc2d75af3541623fbedfd332b43845ec68b7bda4
                                                  • Instruction Fuzzy Hash: 34D0C97088A1189AD751EAA9A4086AABAACE706618F204994D80862386D7716918D6A5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 0252A040, Relevance: .0, Instructions: 15COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3bb2b7f096e6f5948258a7a4628c653e1bad5877cb8ff9ce8ad081761ce97372
                                                  • Instruction ID: 75cac35c9459d59caddae72327eb0453fdba82e8291a4a662aa071c4ff29783e
                                                  • Opcode Fuzzy Hash: 3bb2b7f096e6f5948258a7a4628c653e1bad5877cb8ff9ce8ad081761ce97372
                                                  • Instruction Fuzzy Hash: 63D0127099911CDBC741EB98A40C6BEBBACFB0F714F104D94D80853281D7B16D14D665
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 022523BC, Relevance: .0, Instructions: 14COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260226759.0000000002252000.00000040.00000001.sdmp, Offset: 02252000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6504a8e7060e471a741961b8edc8ef7e08ec5329082e93063bced4e7d6fadf7c
                                                  • Instruction ID: 6bf9f957de0ed05b0c6e018ea115af3eea0b86ea753fcae06c8e47ad4ae5add5
                                                  • Opcode Fuzzy Hash: 6504a8e7060e471a741961b8edc8ef7e08ec5329082e93063bced4e7d6fadf7c
                                                  • Instruction Fuzzy Hash: 18D05E342112828BC715DB1CC194F5937D4AB41B04F0684E8BC008F2A6C3B4E881C600
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Function 00144351, Relevance: 3.6, Instructions: 3552COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.259538383.0000000000142000.00000002.00020000.sdmp, Offset: 00140000, based on PE: true
                                                  • Associated: 00000000.00000002.259529562.0000000000140000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.259632997.00000000001D2000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.259658160.00000000001EA000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9ebeb708d46d774aaa368cc51b9967b07d75d22d0555d96944aeae22de5a8862
                                                  • Instruction ID: ac5e1d11803bbe55cc3d0d86adc14e90611d92b62622717095950c23fe0fe7ed
                                                  • Opcode Fuzzy Hash: 9ebeb708d46d774aaa368cc51b9967b07d75d22d0555d96944aeae22de5a8862
                                                  • Instruction Fuzzy Hash: D753EC6144F7C15FCB138BB85CB16E27FB2AE5321471E49C7D4C08F0A3E2185AAAD766
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 001466F9, Relevance: .5, Instructions: 514COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.259538383.0000000000142000.00000002.00020000.sdmp, Offset: 00140000, based on PE: true
                                                  • Associated: 00000000.00000002.259529562.0000000000140000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.259632997.00000000001D2000.00000002.00020000.sdmp Download File
                                                  • Associated: 00000000.00000002.259658160.00000000001EA000.00000002.00020000.sdmp Download File
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e45a0978c67b8ebe0a9ba6a4a62b395c28676a20fb3d80dc49ba775a6184246a
                                                  • Instruction ID: 7e9e6b80bbc1fe97c234c20f296ef5e9602195b7c7e52e00ba5abf7a0ea268ba
                                                  • Opcode Fuzzy Hash: e45a0978c67b8ebe0a9ba6a4a62b395c28676a20fb3d80dc49ba775a6184246a
                                                  • Instruction Fuzzy Hash: EC22BA6248E7D15FC72387704CA5682BFB09E5321471E8AEBD4C2CF4E3D258495ECBA2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02522E75, Relevance: .1, Instructions: 138COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a212523b154fe19c3fc11d57341e89fcdde277f3ec927a1060587cba3c6934cb
                                                  • Instruction ID: 6d9bc8b3b5356cf2ef950dfe19defd947473971ae96bd107f71efb67bfff7ee9
                                                  • Opcode Fuzzy Hash: a212523b154fe19c3fc11d57341e89fcdde277f3ec927a1060587cba3c6934cb
                                                  • Instruction Fuzzy Hash: EE512E71E0061ACFE704EFAAF55879DBBB2FF85304F14C569D508A72A8EB711805CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 02522E78, Relevance: .1, Instructions: 136COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6bf268cf0798e3f742eec9b68faa35b901efae69865dcd133351a98096257b83
                                                  • Instruction ID: ef8f392b9db7be630dc42c425eebb5915053b7460f5a6647c19b794e5f8ca803
                                                  • Opcode Fuzzy Hash: 6bf268cf0798e3f742eec9b68faa35b901efae69865dcd133351a98096257b83
                                                  • Instruction Fuzzy Hash: 16511D71E00A1ACFE704EFAAF55879DBBB2FF85304F14C569D508A72A8EB711805CB51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Function 025230C0, Relevance: .1, Instructions: 104COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.260576329.0000000002520000.00000040.00000001.sdmp, Offset: 02520000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: adbebb91a7c9d41bed1d60a2928e1f104c901cad1d211086e64b3bf17229aead
                                                  • Instruction ID: 7621d8e555d5b37327a1a19b8a7ef973871b703664155996d59b4d72070eff72
                                                  • Opcode Fuzzy Hash: adbebb91a7c9d41bed1d60a2928e1f104c901cad1d211086e64b3bf17229aead
                                                  • Instruction Fuzzy Hash: 574101B1E016688BEB6CCF6B8D4078AFAF7AFC9200F14C5FA950DB6254DB7005868F55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%