Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Quotation Request.pdf.scr

Overview

General Information

Sample Name:Quotation Request.pdf.scr (renamed file extension from scr to exe)
Analysis ID:501145
MD5:95d884c21021e67ea7e9e204a0488fa3
SHA1:38786584d7caf1b36e7b72bf85099a82589c48a6
SHA256:b7e4d5626ef15e8584e644e1bfaade75c1faaa54549bde7560f44bd3550281de
Tags:exenanocore
Infos:

Most interesting Screenshot:

Detection

NanoCore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Quotation Request.pdf.exe (PID: 4556 cmdline: 'C:\Users\user\Desktop\Quotation Request.pdf.exe' MD5: 95D884C21021E67EA7E9E204A0488FA3)
    • schtasks.exe (PID: 2812 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 408 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000000.00000002.271987580.0000000002D97000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0xbc275:$x1: NanoCore.ClientPluginHost
      • 0xeea95:$x1: NanoCore.ClientPluginHost
      • 0xbc2b2:$x2: IClientNetworkHost
      • 0xeead2:$x2: IClientNetworkHost
      • 0xbfde5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0xf2605:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xbbfdd:$a: NanoCore
        • 0xbbfed:$a: NanoCore
        • 0xbc221:$a: NanoCore
        • 0xbc235:$a: NanoCore
        • 0xbc275:$a: NanoCore
        • 0xee7fd:$a: NanoCore
        • 0xee80d:$a: NanoCore
        • 0xeea41:$a: NanoCore
        • 0xeea55:$a: NanoCore
        • 0xeea95:$a: NanoCore
        • 0xbc03c:$b: ClientPlugin
        • 0xbc23e:$b: ClientPlugin
        • 0xbc27e:$b: ClientPlugin
        • 0xee85c:$b: ClientPlugin
        • 0xeea5e:$b: ClientPlugin
        • 0xeea9e:$b: ClientPlugin
        • 0xbc163:$c: ProjectData
        • 0xee983:$c: ProjectData
        • 0x1efe33:$c: ProjectData
        • 0x265653:$c: ProjectData
        • 0xbcb6a:$d: DESCrypto
        Click to see the 1 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xe38d:$x1: NanoCore.ClientPluginHost
        • 0xe3ca:$x2: IClientNetworkHost
        • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xe105:$x1: NanoCore Client.exe
        • 0xe38d:$x2: NanoCore.ClientPluginHost
        • 0xf9c6:$s1: PluginCommand
        • 0xf9ba:$s2: FileCommand
        • 0x1086b:$s3: PipeExists
        • 0x16622:$s4: PipeCreated
        • 0xe3b7:$s5: IClientLoggingHost
        0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
          0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
          • 0xe0f5:$a: NanoCore
          • 0xe105:$a: NanoCore
          • 0xe339:$a: NanoCore
          • 0xe34d:$a: NanoCore
          • 0xe38d:$a: NanoCore
          • 0xe154:$b: ClientPlugin
          • 0xe356:$b: ClientPlugin
          • 0xe396:$b: ClientPlugin
          • 0xe27b:$c: ProjectData
          • 0xec82:$d: DESCrypto
          • 0x1664e:$e: KeepAlive
          • 0x1463c:$g: LogClientMessage
          • 0x10837:$i: get_Connected
          • 0xefb8:$j: #=q
          • 0xefe8:$j: #=q
          • 0xf004:$j: #=q
          • 0xf034:$j: #=q
          • 0xf050:$j: #=q
          • 0xf06c:$j: #=q
          • 0xf09c:$j: #=q
          • 0xf0b8:$j: #=q
          0.2.Quotation Request.pdf.exe.2d69644.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 3 entries

            Sigma Overview

            AV Detection:

            barindex
            Sigma detected: NanoCoreShow sources
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            E-Banking Fraud:

            barindex
            Sigma detected: NanoCoreShow sources
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            System Summary:

            barindex
            Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
            Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation Request.pdf.exe' , ParentImage: C:\Users\user\Desktop\Quotation Request.pdf.exe, ParentProcessId: 4556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408
            Sigma detected: Possible Applocker BypassShow sources
            Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation Request.pdf.exe' , ParentImage: C:\Users\user\Desktop\Quotation Request.pdf.exe, ParentProcessId: 4556, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408

            Stealing of Sensitive Information:

            barindex
            Sigma detected: NanoCoreShow sources
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Remote Access Functionality:

            barindex
            Sigma detected: NanoCoreShow sources
            Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 408, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpackMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "ed2d5ce0-ca4d-4264-be01-91a018d5", "Domain1": "harold.accesscam.org", "Domain2": "harold.2waky.com", "Port": 6051, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: Quotation Request.pdf.exeReversingLabs: Detection: 11%
            Multi AV Scanner detection for domain / URLShow sources
            Source: harold.2waky.comVirustotal: Detection: 14%Perma Link
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exeReversingLabs: Detection: 11%
            Yara detected Nanocore RATShow sources
            Source: Yara matchFile source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY
            Source: Quotation Request.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
            Source: Quotation Request.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000007.00000003.290185349.0000000001113000.00000004.00000001.sdmp

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: harold.accesscam.org
            Source: Malware configuration extractorURLs: harold.2waky.com
            Source: Joe Sandbox ViewASN Name: DATAWIRE-ASCH DATAWIRE-ASCH
            Source: Joe Sandbox ViewIP Address: 185.19.85.137 185.19.85.137
            Source: global trafficTCP traffic: 192.168.2.7:49756 -> 185.19.85.137:6051
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000003.247763670.00000000051DD000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmpString found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
            Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: Quotation Request.pdf.exe, 00000000.00000003.256449463.00000000051BF000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: Quotation Request.pdf.exe, 00000000.00000003.257539567.00000000051B2000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com=
            Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
            Source: Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma2
            Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic
            Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsk
            Source: Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
            Source: Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comt
            Source: Quotation Request.pdf.exe, 00000000.00000003.247585302.00000000051DD000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: Quotation Request.pdf.exe, 00000000.00000003.247318440.00000000051DD000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com-
            Source: Quotation Request.pdf.exe, 00000000.00000003.247585302.00000000051DD000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comX
            Source: Quotation Request.pdf.exe, 00000000.00000003.247222256.00000000051DD000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comx
            Source: Quotation Request.pdf.exe, 00000000.00000003.250040575.00000000051A3000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: Quotation Request.pdf.exe, 00000000.00000003.250899369.00000000051A4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/ru
            Source: Quotation Request.pdf.exe, 00000000.00000003.250040575.00000000051A3000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnZ
            Source: Quotation Request.pdf.exe, 00000000.00000003.250354410.00000000051B1000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cna
            Source: Quotation Request.pdf.exe, 00000000.00000003.249579657.00000000051A3000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnr-cM
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmB
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: Quotation Request.pdf.exe, 00000000.00000003.252824955.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//C
            Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/9
            Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U
            Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
            Source: Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0C
            Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0Pq
            Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/2
            Source: Quotation Request.pdf.exe, 00000000.00000003.253130198.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
            Source: Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
            Source: Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/o
            Source: Quotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/q
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: Quotation Request.pdf.exe, 00000000.00000003.253855605.00000000051B2000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000003.253868234.00000000051BF000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: Quotation Request.pdf.exe, 00000000.00000003.252541339.00000000051BB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic
            Source: Quotation Request.pdf.exe, 00000000.00000003.252432324.00000000051BB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comslnta;
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
            Source: Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de9;
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deax;
            Source: Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: Quotation Request.pdf.exe, 00000000.00000003.251414571.00000000051AE000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn5
            Source: unknownDNS traffic detected: queries for: harold.accesscam.org

            E-Banking Fraud:

            barindex
            Yara detected Nanocore RATShow sources
            Source: Yara matchFile source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
            Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
            Initial sample is a PE file and has a suspicious nameShow sources
            Source: initial sampleStatic PE information: Filename: Quotation Request.pdf.exe
            Source: initial sampleStatic PE information: Filename: Quotation Request.pdf.exe
            Source: Quotation Request.pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
            Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_006443510_2_00644351
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_00FB2E090_2_00FB2E09
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D86AB0_2_028D86AB
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D01100_2_028D0110
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D2E880_2_028D2E88
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D2E770_2_028D2E77
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D30D00_2_028D30D0
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_028D01030_2_028D0103
            Source: Quotation Request.pdf.exeBinary or memory string: OriginalFilename vs Quotation Request.pdf.exe
            Source: Quotation Request.pdf.exe, 00000000.00000000.245539233.0000000000642000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStaticIndexRangePartition.exe4 vs Quotation Request.pdf.exe
            Source: Quotation Request.pdf.exe, 00000000.00000002.280644583.00000000070A0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs Quotation Request.pdf.exe
            Source: Quotation Request.pdf.exeBinary or memory string: OriginalFilenameStaticIndexRangePartition.exe4 vs Quotation Request.pdf.exe
            Source: Quotation Request.pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: eqNjYDmhJoX.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Quotation Request.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: eqNjYDmhJoX.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Quotation Request.pdf.exeReversingLabs: Detection: 11%
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile read: C:\Users\user\Desktop\Quotation Request.pdf.exeJump to behavior
            Source: Quotation Request.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Quotation Request.pdf.exe 'C:\Users\user\Desktop\Quotation Request.pdf.exe'
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'Jump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile created: C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exeJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpAC55.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@6/9@25/2
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{ed2d5ce0-ca4d-4264-be01-91a018d59d09}
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5048:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
            Source: Quotation Request.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Quotation Request.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: RegSvcs.exe, 00000007.00000003.290185349.0000000001113000.00000004.00000001.sdmp

            Data Obfuscation:

            barindex
            .NET source code contains potential unpackerShow sources
            Source: Quotation Request.pdf.exe, WinMixer/frmMain.cs.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: eqNjYDmhJoX.exe.0.dr, WinMixer/frmMain.cs.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.Quotation Request.pdf.exe.640000.0.unpack, WinMixer/frmMain.cs.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Quotation Request.pdf.exe.640000.0.unpack, WinMixer/frmMain.cs.Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_00FB61F1 push ebx; retf 0_2_00FB61F2
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_00FB61F4 push ebx; retf 0_2_00FB61F6
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeCode function: 0_2_00FB73D4 pushad ; iretd 0_2_00FB73E9
            Source: initial sampleStatic PE information: section name: .text entropy: 7.85672483308
            Source: initial sampleStatic PE information: section name: .text entropy: 7.85672483308
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeFile created: C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exeJump to dropped file

            Boot Survival:

            barindex
            Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe:Zone.Identifier read attributes | deleteJump to behavior
            Uses an obfuscated file name to hide its real file extension (double extension)Show sources
            Source: Possible double extension: pdf.exeStatic PE information: Quotation Request.pdf.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Yara detected AntiVM3Show sources
            Source: Yara matchFile source: 0.2.Quotation Request.pdf.exe.2d69644.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.271987580.0000000002D97000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Quotation Request.pdf.exe PID: 4556, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exe TID: 4356Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWindow / User API: foregroundWindowGot 703Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWindow / User API: foregroundWindowGot 638Jump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: Quotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Writes to foreign memory regionsShow sources
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000Jump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000Jump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 420000Jump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 422000Jump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: ACF008Jump to behavior
            Injects a PE file into a foreign processesShow sources
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'Jump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeJump to behavior
            Source: RegSvcs.exe, 00000007.00000003.290185349.0000000001113000.00000004.00000001.sdmpBinary or memory string: Program Manager
            Source: RegSvcs.exe, 00000007.00000003.327061567.0000000001113000.00000004.00000001.sdmpBinary or memory string: Program ManagerP8
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Quotation Request.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

            Stealing of Sensitive Information:

            barindex
            Yara detected Nanocore RATShow sources
            Source: Yara matchFile source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected Nanocore RATShow sources
            Source: Yara matchFile source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Quotation Request.pdf.exe.3e0d0e8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation1Scheduled Task/Job1Process Injection212Masquerading11OS Credential DumpingQuery Registry1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Disable or Modify Tools1LSASS MemorySecurity Software Discovery211Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion21Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection212NTDSVirtualization/Sandbox Evasion21Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptHidden Files and Directories1LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information12Cached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing12DCSyncFile and Directory Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemSystem Information Discovery12Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            Quotation Request.pdf.exe11%ReversingLabsByteCode-MSIL.Trojan.APost

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe11%ReversingLabsByteCode-MSIL.Trojan.APost

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            harold.2waky.com15%VirustotalBrowse
            windowsupdate.s.llnwi.net0%VirustotalBrowse
            harold.accesscam.org5%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htmB0%Avira URL Cloudsafe
            http://www.tiro.comslnta;0%Avira URL Cloudsafe
            http://www.zhongyicts.com.cn50%Avira URL Cloudsafe
            http://www.fonts.com-0%Avira URL Cloudsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/20%Avira URL Cloudsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/90%URL Reputationsafe
            http://www.collada.org/2005/11/COLLADASchema9Done0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/90%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp//C0%Avira URL Cloudsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
            harold.accesscam.org0%Avira URL Cloudsafe
            http://www.founder.com.cn/cna0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y0Pq0%Avira URL Cloudsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.founder.com.cn/cnZ0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.fontbureau.comalsk0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/jp/U0%Avira URL Cloudsafe
            http://www.urwpp.de0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.fonts.comx0%URL Reputationsafe
            http://www.founder.com.cn/cnr-cM0%Avira URL Cloudsafe
            http://www.fontbureau.com=0%Avira URL Cloudsafe
            http://www.fontbureau.comF0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/U0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y0C0%Avira URL Cloudsafe
            http://www.urwpp.deax;0%Avira URL Cloudsafe
            http://www.tiro.comlic0%URL Reputationsafe
            http://www.founder.com.cn/cn/ru0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
            http://www.fontbureau.come.com0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.urwpp.de9;0%Avira URL Cloudsafe
            http://www.fontbureau.coma20%Avira URL Cloudsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/q0%URL Reputationsafe
            http://www.fontbureau.comt0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/o0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            harold.2waky.com0%Avira URL Cloudsafe
            http://www.fontbureau.comalic0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            harold.2waky.com
            		185.19.85.137
            		truetrueunknown
            windowsupdate.s.llnwi.net
            		178.79.242.0
            		truefalseunknown
            harold.accesscam.org
            		unknown
            		unknowntrueunknown

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            harold.accesscam.orgtrue
            • Avira URL Cloud: safe
            		unknown
            harold.2waky.comtrue
            • Avira URL Cloud: safe
            		unknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://www.fontbureau.com/designersGQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
              		high
              http://www.fontbureau.com/designers/?Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                		high
                http://www.founder.com.cn/cn/bTheQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.galapagosdesign.com/staff/dennis.htmBQuotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.tiro.comslnta;Quotation Request.pdf.exe, 00000000.00000003.252432324.00000000051BB000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		low
                http://www.zhongyicts.com.cn5Quotation Request.pdf.exe, 00000000.00000003.251414571.00000000051AE000.00000004.00000001.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://www.fontbureau.com/designers?Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                  		high
                  http://www.fonts.com-Quotation Request.pdf.exe, 00000000.00000003.247318440.00000000051DD000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		low
                  http://www.tiro.comQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.jiyu-kobo.co.jp/jp/2Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.fontbureau.com/designersQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                    		high
                    http://www.goodfont.co.krQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/jp/9Quotation Request.pdf.exe, 00000000.00000003.253130198.00000000051A6000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.collada.org/2005/11/COLLADASchema9DoneQuotation Request.pdf.exe, 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.sajatypeworks.comQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/9Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.typography.netDQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.founder.com.cn/cn/cTheQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.galapagosdesign.com/staff/dennis.htmQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://fontfabrik.comQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000003.247763670.00000000051DD000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp//CQuotation Request.pdf.exe, 00000000.00000003.252824955.00000000051A6000.00000004.00000001.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.galapagosdesign.com/DPleaseQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/Y0Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.founder.com.cn/cnaQuotation Request.pdf.exe, 00000000.00000003.250354410.00000000051B1000.00000004.00000001.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fonts.comQuotation Request.pdf.exe, 00000000.00000003.247585302.00000000051DD000.00000004.00000001.sdmpfalse
                      		high
                      http://www.jiyu-kobo.co.jp/Y0PqQuotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.sandoll.co.krQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.founder.com.cn/cnZQuotation Request.pdf.exe, 00000000.00000003.250040575.00000000051A3000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.urwpp.deDPleaseQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.comalskQuotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/jp/UQuotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.urwpp.deQuotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.zhongyicts.com.cnQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.sakkal.comQuotation Request.pdf.exe, 00000000.00000003.253855605.00000000051B2000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000003.253868234.00000000051BF000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fonts.comxQuotation Request.pdf.exe, 00000000.00000003.247222256.00000000051DD000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.founder.com.cn/cnr-cMQuotation Request.pdf.exe, 00000000.00000003.249579657.00000000051A3000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.fontbureau.com=Quotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.apache.org/licenses/LICENSE-2.0Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.comQuotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.comFQuotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/UQuotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/Y0CQuotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.urwpp.deax;Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		low
                          http://www.tiro.comlicQuotation Request.pdf.exe, 00000000.00000003.252541339.00000000051BB000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.founder.com.cn/cn/ruQuotation Request.pdf.exe, 00000000.00000003.250899369.00000000051A4000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/jp/Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.come.comQuotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fonts.comXQuotation Request.pdf.exe, 00000000.00000003.247585302.00000000051DD000.00000004.00000001.sdmpfalse
                            		unknown
                            http://www.carterandcone.comlQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.urwpp.de9;Quotation Request.pdf.exe, 00000000.00000003.255729424.00000000051BF000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		low
                            http://www.fontbureau.coma2Quotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fontbureau.com/designers/cabarga.htmlNQuotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                              		high
                              http://www.founder.com.cn/cnQuotation Request.pdf.exe, 00000000.00000003.250040575.00000000051A3000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers/frere-jones.htmlQuotation Request.pdf.exe, 00000000.00000003.257539567.00000000051B2000.00000004.00000001.sdmp, Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                                		high
                                http://www.jiyu-kobo.co.jp/qQuotation Request.pdf.exe, 00000000.00000003.253477597.00000000051A6000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.comtQuotation Request.pdf.exe, 00000000.00000002.277117226.00000000051A0000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/oQuotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/Quotation Request.pdf.exe, 00000000.00000003.253264893.00000000051A6000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers8Quotation Request.pdf.exe, 00000000.00000002.277518159.0000000006432000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.fontbureau.comalicQuotation Request.pdf.exe, 00000000.00000003.259365151.00000000051A6000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/Quotation Request.pdf.exe, 00000000.00000003.256449463.00000000051BF000.00000004.00000001.sdmpfalse
                                    		high

                                    Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public

                                    IPDomainCountryFlagASNASN NameMalicious
                                    185.19.85.137
                                    		harold.2waky.comSwitzerland
                                    		48971DATAWIRE-ASCHtrue

                                    Private

                                    IP
                                    192.168.2.1

                                    General Information

                                    Joe Sandbox Version:33.0.0 White Diamond
                                    Analysis ID:501145
                                    Start date:12.10.2021
                                    Start time:15:48:13
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 8m 4s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:Quotation Request.pdf.scr (renamed file extension from scr to exe)
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:26
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@6/9@25/2
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 0.9% (good quality ratio 0.7%)
                                    • Quality average: 70.6%
                                    • Quality standard deviation: 36.8%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 128
                                    • Number of non-executed functions: 5
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    Warnings:
                                    Show All
                                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 23.203.141.148, 20.199.120.182, 20.199.120.151, 95.100.216.89, 20.82.210.154, 20.54.110.249, 40.112.88.60, 2.20.178.33, 2.20.178.24, 20.199.120.85, 131.253.33.200, 13.107.22.200, 20.50.102.62
                                    • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, vip3-wns2-par02p.wns.notify.trafficmanager.net, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    15:49:19API Interceptor1x Sleep call for process: Quotation Request.pdf.exe modified
                                    15:49:22API Interceptor898x Sleep call for process: RegSvcs.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                    185.19.85.137Proof of payment.jpg.exeGet hashmaliciousBrowse
                                      Proof of payment.jpg.exeGet hashmaliciousBrowse
                                        Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                          Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                            PROFORMA INVOICE 20210823.pdf.exeGet hashmaliciousBrowse
                                              New Proforma Invoice20210630.xlxs.exeGet hashmaliciousBrowse
                                                Proforma Invoice20210625.pdf.exeGet hashmaliciousBrowse
                                                  PcdEZG6zDS.exeGet hashmaliciousBrowse
                                                    sfTZCyMKuC.exeGet hashmaliciousBrowse

                                                      Domains

                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                      harold.2waky.comProof of payment.jpg.exeGet hashmaliciousBrowse
                                                      • 185.19.85.137
                                                      Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                                      • 185.19.85.137
                                                      Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                                      • 185.19.85.137
                                                      HxXHmM0T9f.exeGet hashmaliciousBrowse
                                                      • 23.146.242.147
                                                      Request For Quotation.jarGet hashmaliciousBrowse
                                                      • 23.146.242.147
                                                      QUOTE.exeGet hashmaliciousBrowse
                                                      • 194.5.98.5
                                                      Payment proof.jpg.exeGet hashmaliciousBrowse
                                                      • 194.5.98.5
                                                      Proof Of Payment.jpg.exeGet hashmaliciousBrowse
                                                      • 194.5.98.5
                                                      Proof of payment.pdf.exeGet hashmaliciousBrowse
                                                      • 194.5.98.5
                                                      Payment.pdf.exeGet hashmaliciousBrowse
                                                      • 91.193.75.29
                                                      Payment Confirmation.exeGet hashmaliciousBrowse
                                                      • 185.165.153.213
                                                      windowsupdate.s.llnwi.netProof of payment.jpg.exeGet hashmaliciousBrowse
                                                      • 178.79.242.128
                                                      vk5MXd2Rxm.msiGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      jjBv8SpZXm.exeGet hashmaliciousBrowse
                                                      • 178.79.242.128
                                                      COPIA DE PAGO.exeGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      Dekont.exeGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      New Order Inquiry No.96883,pdf.exeGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      orde443123.exeGet hashmaliciousBrowse
                                                      • 178.79.242.128
                                                      Invoice-514777_20211011.xlsbGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      dorlla.exeGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      photos jpg.exeGet hashmaliciousBrowse
                                                      • 178.79.242.128
                                                      2xYyRwsd4z.exeGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      client.exeGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      dAkJsQr7A9.exeGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      Shipping Documents.exeGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      preuve de paiement.exeGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      QUOTATIO.EXEGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      kR8No6snIq.exeGet hashmaliciousBrowse
                                                      • 178.79.242.128
                                                      DHL 299248 AWB 171021.exeGet hashmaliciousBrowse
                                                      • 178.79.242.128
                                                      Order_specs_sheet.pdf.jarGet hashmaliciousBrowse
                                                      • 178.79.242.0
                                                      pidHTSIGEi8DrAmaYu9K8ghN89.dllGet hashmaliciousBrowse
                                                      • 178.79.242.0

                                                      ASN

                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                      DATAWIRE-ASCHProof of payment.jpg.exeGet hashmaliciousBrowse
                                                      • 185.19.85.137
                                                      Proof of payment.jpg.exeGet hashmaliciousBrowse
                                                      • 185.19.85.137
                                                      MT103 10.11.pdf.exeGet hashmaliciousBrowse
                                                      • 185.19.85.136
                                                      dAkJsQr7A9.exeGet hashmaliciousBrowse
                                                      • 185.19.85.175
                                                      GIV PO 00254.xls.exeGet hashmaliciousBrowse
                                                      • 185.19.85.136
                                                      dUzAkYsvl8.exeGet hashmaliciousBrowse
                                                      • 185.19.85.175
                                                      BL & INVOICE.exeGet hashmaliciousBrowse
                                                      • 185.19.85.171
                                                      Routing Details.vbsGet hashmaliciousBrowse
                                                      • 185.19.85.170
                                                      Nueva orden #7624.xls.exeGet hashmaliciousBrowse
                                                      • 185.19.85.136
                                                      voo7b2BBq6.exeGet hashmaliciousBrowse
                                                      • 185.19.85.175
                                                      xmsGPH324z.exeGet hashmaliciousBrowse
                                                      • 185.19.85.175
                                                      dVWsghK4Aj.exeGet hashmaliciousBrowse
                                                      • 185.19.85.175
                                                      Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                                      • 185.19.85.137
                                                      ShippingDocs.exeGet hashmaliciousBrowse
                                                      • 185.19.85.171
                                                      2E9xpfvD2O.exeGet hashmaliciousBrowse
                                                      • 185.19.85.175
                                                      Proof of payment.jpg.scr.exeGet hashmaliciousBrowse
                                                      • 185.19.85.137
                                                      uF74GlbXPc.exeGet hashmaliciousBrowse
                                                      • 185.19.85.175
                                                      jFjTeUfek3.exeGet hashmaliciousBrowse
                                                      • 185.19.85.175
                                                      Q7DYDgQhKp.exeGet hashmaliciousBrowse
                                                      • 185.19.85.175
                                                      USD31000.exeGet hashmaliciousBrowse
                                                      • 185.19.85.171

                                                      JA3 Fingerprints

                                                      No context

                                                      Dropped Files

                                                      No context

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Quotation Request.pdf.exe.log
                                                      Process:C:\Users\user\Desktop\Quotation Request.pdf.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):525
                                                      Entropy (8bit):5.2874233355119316
                                                      Encrypted:false
                                                      SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
                                                      MD5:61CCF53571C9ABA6511D696CB0D32E45
                                                      SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
                                                      SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
                                                      SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                      C:\Users\user\AppData\Local\Temp\tmpAC55.tmp
                                                      Process:C:\Users\user\Desktop\Quotation Request.pdf.exe
                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1660
                                                      Entropy (8bit):5.187608923076909
                                                      Encrypted:false
                                                      SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBPtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3L
                                                      MD5:90ACD9A9C97A5C0E43DA656B494C79A0
                                                      SHA1:911E7AE189E24AC9E7DB82537F186EEE1D1F352F
                                                      SHA-256:8C19DE887CC9B2DBC4D20252D8955274AF48A62DD544096CFC0830AEEC0CA02E
                                                      SHA-512:7A193A28A1B8703D1A0B79401495AB6509A28BC2BB5E318EFAEC63CD2A01D4F50E684E9E5CADF03BA6F63BA233CC2B6C15070C76CD01D430BC0310F35E86B8DC
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):1392
                                                      Entropy (8bit):7.089541637477408
                                                      Encrypted:false
                                                      SSDEEP:24:IQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4jh+dQnybgC4l:IknjhUknjhUknjhUknjhUknjhUknjhL
                                                      MD5:5E3C10DCF7AAB1A5E4671C3AD52D9BD2
                                                      SHA1:7DE7F5ACAED711BC35E62756D1440E80262D85D1
                                                      SHA-256:B9EB9E732F6204735FFB2C9A6EC8F077E4B4F31E57E336199D22278EAD8412F9
                                                      SHA-512:00252F19A1D0098FEBC78231182FAD57A66390077C0C462C94950D7CA02D53A7B7D692B4D7E718DF2708C1F7919CCB29837A2309E3BEFD2D585FF0C049E5FEB3
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:Non-ISO extended-ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):8
                                                      Entropy (8bit):2.75
                                                      Encrypted:false
                                                      SSDEEP:3:O1o8tn:OFn
                                                      MD5:EEEF6DA74F6FA0AC71E338AD0B010144
                                                      SHA1:5C7F53209A792A7996DC66C1FB8811FD4D709661
                                                      SHA-256:7C860F32B254485BFAF2BC37A1CC9FF6A90F00CF11BA321E3DD68F0F76E23064
                                                      SHA-512:16C4352D1AF28B0CCFD9B3AE09B27E3080BEF3A0F40B7D1A35227AD2AACE06C17D6F56BDED3C8A477DB449B688512255A886005420D4DF7D892FEFA391B6C558
                                                      Malicious:true
                                                      Reputation:low
                                                      Preview: -....H
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):40
                                                      Entropy (8bit):5.153055907333276
                                                      Encrypted:false
                                                      SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                      MD5:4E5E92E2369688041CC82EF9650EDED2
                                                      SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                      SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                      SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                      Malicious:false
                                                      Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):80
                                                      Entropy (8bit):5.153055907333276
                                                      Encrypted:false
                                                      SSDEEP:3:9bzY6oRDT6P2bfVnXygY6oRDT6P2bfVn1:RzWDT62DWDT621
                                                      MD5:4315325323A62DE913E5CCD153817BCE
                                                      SHA1:8B38155CD8ACB20BBA0C2A8AF02BFD35B15221A8
                                                      SHA-256:E0C2085D878FDF53CD7D8F0AA9F07490802C51FC3C14A52B6FEA96AD0743C838
                                                      SHA-512:B5036A6CD4852CEBCA86F588D94B9D58B63EB07B2F4DEBD38D5E1BE68B0BB62F82FA239673B6C08F432A28DD50E1D15773DC3738251BD2F9959F1255D72745EB
                                                      Malicious:false
                                                      Preview: 9iH...}Z.4..f.~a........~.~.......3.U.9iH...}Z.4..f.~a........~.~.......3.U.
                                                      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):426832
                                                      Entropy (8bit):7.999527918131335
                                                      Encrypted:true
                                                      SSDEEP:6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
                                                      MD5:653DDDCB6C89F6EC51F3DDC0053C5914
                                                      SHA1:4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
                                                      SHA-256:83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
                                                      SHA-512:27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
                                                      Malicious:false
                                                      Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..
                                                      C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe
                                                      Process:C:\Users\user\Desktop\Quotation Request.pdf.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):650240
                                                      Entropy (8bit):7.635016130821497
                                                      Encrypted:false
                                                      SSDEEP:12288:QMySBziJmqgE0pGxgCfZk1LrWkHMlYp6/50jccyQ7w5MV:QMB5b3CfZHkKAA50VdU56
                                                      MD5:95D884C21021E67EA7E9E204A0488FA3
                                                      SHA1:38786584D7CAF1B36E7B72BF85099A82589C48A6
                                                      SHA-256:B7E4D5626EF15E8584E644E1BFAADE75C1FAAA54549BDE7560F44BD3550281DE
                                                      SHA-512:4AF1BF9C684F2AA3DEE982DCA10471FB912744385FE9567039BAF7109E51D70F85D3023544A0AC83595D73968406B8C269F5EDB59E1B9E8FCF96759549529BFD
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 11%
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*ea..............0......L.......... ........@.. .......................@............@.....................................O........H................... ....................................................... ............... ..H............text....... ...................... ..`.rsrc....H.......J..................@..@.reloc....... ......................@..B.......................H........_...P......}...`...8............................................0..4..........K......r...p...rC..p.......,.......+.........+..*.0..F..........+6...........................o.........,.ra..ps....z..X....i....-.*...0..d..........+N..+8.....(.......(...............o.........,.ra..ps....z..X....o........-...X....o..........-.*.0.............+j..+R..+:......(........(...............o.........,.ra..ps....z..X....o..........-...X....o..........-...X....o..........-.*".(.....
                                                      C:\Users\user\AppData\Roaming\eqNjYDmhJoX.exe:Zone.Identifier
                                                      Process:C:\Users\user\Desktop\Quotation Request.pdf.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:false
                                                      Preview: [ZoneTransfer]....ZoneId=0

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.635016130821497
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:Quotation Request.pdf.exe
                                                      File size:650240
                                                      MD5:95d884c21021e67ea7e9e204a0488fa3
                                                      SHA1:38786584d7caf1b36e7b72bf85099a82589c48a6
                                                      SHA256:b7e4d5626ef15e8584e644e1bfaade75c1faaa54549bde7560f44bd3550281de
                                                      SHA512:4af1bf9c684f2aa3dee982dca10471fb912744385fe9567039baf7109e51d70f85d3023544a0ac83595d73968406b8c269f5edb59e1b9e8fcf96759549529bfd
                                                      SSDEEP:12288:QMySBziJmqgE0pGxgCfZk1LrWkHMlYp6/50jccyQ7w5MV:QMB5b3CfZHkKAA50VdU56
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*ea..............0......L........... ........@.. .......................@............@................................

                                                      File Icon

                                                      Icon Hash:c4d2c4dcf4c6f230

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x48bcea
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x61652ADD [Tue Oct 12 06:27:41 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v2.0.50727
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      fcom dword ptr [edx+00h]
                                                      add bl, ah
                                                      movsd
                                                      add byte ptr [eax], al
                                                      pop esp
                                                      stc
                                                      add byte ptr [eax], al
                                                      pop ecx
                                                      dec ebp
                                                      add dword ptr [eax], eax
                                                      push es
                                                      mov byte ptr [F7630001h], al
                                                      add dword ptr [eax], eax
                                                      mov dword ptr [ebp+02h], ecx
                                                      add byte ptr [ebp-5Ch], bl
                                                      add al, byte ptr [eax]

                                                      Data Directories

                                                      NameVirtual AddressVirtual Size Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x8bc980x4f.text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x8c0000x14804.rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xa20000xc.reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                      Sections

                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                      .text0x20000x89dd80x89e00False0.922330079896data7.85672483308IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                      .rsrc0x8c0000x148040x14a00False0.164701704545data4.56196917542IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc0xa20000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      NameRVASizeTypeLanguageCountry
                                                      RT_ICON0x8c1780x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 100663296, next used block 100663296
                                                      RT_ICON0x8e7200x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 218103808, next used block 218103808
                                                      RT_ICON0x8f7c80x468GLS_BINARY_LSB_FIRST
                                                      RT_ICON0x8fc300x10828dBase III DBT, version number 0, next free block index 40
                                                      RT_GROUP_ICON0xa04580x3edata
                                                      RT_VERSION0xa04980x36cdata

                                                      Imports

                                                      DLLImport
                                                      mscoree.dll_CorExeMain

                                                      Version Infos

                                                      DescriptionData
                                                      Translation0x0000 0x04b0
                                                      LegalCopyrightCopyright 2018 - 2021
                                                      Assembly Version4.0.2.0
                                                      InternalNameStaticIndexRangePartition.exe
                                                      FileVersion4.0.2.0
                                                      CompanyName
                                                      LegalTrademarks
                                                      Comments
                                                      ProductNameWin Mixer
                                                      ProductVersion4.0.2.0
                                                      FileDescriptionWin Mixer
                                                      OriginalFilenameStaticIndexRangePartition.exe

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 12, 2021 15:49:41.289885044 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:41.404021025 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:41.404167891 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:41.452271938 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:41.589623928 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:41.589725971 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:41.753128052 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:41.753298998 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:41.865112066 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:41.865251064 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.031485081 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.031625032 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.200438023 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.200591087 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.232213020 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.232316017 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.232492924 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.232562065 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.232588053 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.232641935 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.232724905 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.232784986 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.344438076 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.344537973 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.344568968 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.344619036 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.344819069 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.344873905 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.345005989 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.345074892 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.345287085 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.345350027 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.345568895 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.345622063 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.345851898 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.345910072 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.345947981 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.345999002 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.459650993 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.459820032 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.460814953 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.460951090 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.461025953 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.461039066 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.461117029 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.461168051 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.461265087 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.461343050 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.461451054 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.461532116 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.461534023 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.461606979 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.461671114 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.461946011 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.462322950 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.462431908 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.462447882 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.462536097 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.462552071 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.462608099 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.463223934 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.463304996 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.463320971 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.463387966 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.463414907 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.463540077 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.463622093 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.571662903 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.571829081 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.571918964 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.573407888 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.573836088 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.573919058 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.577158928 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.577519894 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.577578068 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.577649117 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.577799082 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.577842951 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.577856064 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.577986956 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.578105927 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.578197002 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.578228951 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.578270912 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.578319073 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.581296921 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.581341982 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.581389904 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.581423044 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.581440926 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.581532001 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.581759930 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.581800938 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.581845045 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.581906080 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.581954002 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.582065105 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.582148075 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.582180977 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.582206011 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.582350016 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.582401991 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.582591057 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.582837105 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.582904100 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.583556890 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.583731890 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.583812952 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.583883047 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.584196091 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.584248066 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.584348917 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.584822893 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.584923029 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.584986925 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.611218929 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.684766054 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.684830904 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.684922934 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.684951067 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.685059071 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.685158014 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.685410023 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.685492992 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.685585976 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.685688019 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.685697079 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.685751915 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.685755968 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.685833931 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.686280012 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.686337948 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.691364050 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.691488981 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.691529036 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.691559076 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.691751003 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.691826105 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.691828012 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.691852093 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.691857100 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.691952944 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.692015886 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.692058086 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.692168951 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.692298889 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.692400932 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.694052935 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.694123030 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.694152117 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.694175005 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.694192886 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.694242954 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.694350004 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.694405079 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.694407940 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.694469929 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.699872971 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.699918985 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.700025082 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.700165987 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.700270891 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.700289965 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.700303078 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.700370073 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.700380087 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.700428009 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.700589895 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.700627089 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.700671911 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.700699091 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.700771093 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.700881958 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.700954914 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.701018095 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.701119900 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.701179981 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.701272964 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.701328993 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.701380968 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.701483011 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.701551914 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.701639891 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.701845884 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.701867104 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.701930046 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.701951981 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.702032089 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.702159882 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.702227116 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.702322960 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.702527046 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.702553034 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.702596903 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.702630997 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.702723980 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.702779055 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.704436064 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.704466105 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.704485893 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.704504967 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.704586029 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.704668999 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.784260988 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.802194118 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.802273035 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.804240942 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.804358006 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.804435015 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.804546118 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.804548025 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.804627895 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.804692030 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.804745913 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.804791927 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.804840088 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.805022955 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.805110931 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.805169106 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.805475950 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.808939934 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.809000969 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.809083939 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.809154987 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.809182882 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.809190989 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.809216976 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.809310913 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.809356928 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.811274052 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.811299086 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.811316013 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.811327934 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.811342955 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.811346054 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.811362028 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.811367035 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.811388969 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.811408043 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.811408997 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.811422110 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.811453104 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.811469078 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.814734936 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.814886093 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.815148115 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.818814039 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.819129944 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.819210052 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.819240093 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.819360018 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.819418907 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.819478035 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.819669962 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.819725037 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.819829941 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.819925070 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.819979906 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.820455074 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.820804119 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.820883989 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.820983887 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.821038008 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.821103096 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.821146011 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.821280956 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.821358919 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.821408987 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.821494102 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.821631908 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.821696997 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.821713924 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.821775913 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.821779966 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.821846008 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.821890116 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.821974993 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.822024107 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.822103977 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.822118998 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.822230101 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.822232962 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.822349072 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.822417021 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.822447062 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.822597980 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.822681904 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.822689056 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.822766066 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.822864056 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.824368000 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.922269106 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.923257113 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.923321009 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.923460960 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.923518896 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.924659967 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.924761057 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.924860001 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.924973965 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.924977064 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.925024986 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.925081015 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.925149918 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.925615072 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.926316977 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.926410913 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.926417112 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.926552057 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.926620960 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.926656008 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.926764965 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.926826000 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.926928043 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.927268028 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.927352905 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.927778006 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.927900076 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.927961111 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.927992105 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.930165052 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.930900097 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.931101084 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.931261063 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.931327105 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.931528091 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.931569099 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.931597948 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.931624889 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.931667089 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.931736946 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.931827068 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.931901932 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.931937933 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.932005882 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.932113886 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.932152033 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.932171106 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.932205915 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.932801008 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.933027029 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.933089018 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.933140039 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.933231115 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.933291912 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.933403015 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.933813095 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.939893961 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.940006971 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.940049887 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.940109015 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.940164089 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.940287113 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.940838099 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.940918922 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.940952063 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.941102982 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.941190958 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.941219091 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.941595078 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.941728115 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.941828012 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.941909075 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.941978931 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.942007065 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.942148924 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.942219973 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.942342043 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.942403078 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.942466021 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.942555904 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.942667961 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.942733049 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.942802906 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.942941904 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.943008900 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.943065882 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.943191051 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.943257093 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.943300009 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.943428040 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.943492889 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.943540096 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.943659067 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.943725109 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.943754911 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.947881937 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.952789068 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.952843904 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.952893019 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.953067064 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.953088045 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.953171015 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.953180075 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.953289032 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.953382015 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.953424931 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.953454018 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.953536034 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.953617096 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.953670979 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.953794003 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.953895092 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.953903913 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.953963041 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.954051018 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.954188108 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.954284906 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.954344988 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.954467058 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.954636097 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.954668999 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.954745054 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.954821110 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.954854965 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.955029011 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.955108881 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.955209970 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.955611944 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.955657959 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.955723047 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.955739021 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.955749989 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.955842018 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.956526995 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.956640959 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.956768990 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:42.956790924 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:42.956835985 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.043582916 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.043632030 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.043725014 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.044018984 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.044177055 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.044253111 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.044770956 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.045139074 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.045252085 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.045420885 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.045582056 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.045666933 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.045679092 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.045761108 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.045820951 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.045922041 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.046299934 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.047375917 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.047434092 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.047517061 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.047537088 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.047646999 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.047707081 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.047753096 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.047882080 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.047941923 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.048022032 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.050945997 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.053843975 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.053911924 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.054385900 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.054456949 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.054517984 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.055845976 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.055896044 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.056042910 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.056113958 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.056283951 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.056364059 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.056531906 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.056615114 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.056852102 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.056946039 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.057040930 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.057288885 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.057662964 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.057754993 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.109455109 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.205621958 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.206137896 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.293782949 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:43.366497993 CEST605149756185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:43.366600990 CEST497566051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:47.830876112 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:47.944112062 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:47.944257975 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:47.983362913 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:48.112374067 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:48.112488031 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:48.328794956 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:48.328892946 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:48.736295938 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:48.839171886 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:48.839299917 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:48.897926092 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:48.898020983 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:48.954818010 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:49.061820030 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:49.061938047 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:49.143277884 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:49.159106970 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:49.184572935 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:49.257390976 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:49.271308899 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:49.272150993 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:49.432971001 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:49.433064938 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:49.547338009 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:49.552661896 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:49.664000988 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:49.664216995 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:49.835331917 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:49.850878954 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:50.013226032 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:50.013345003 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:50.111815929 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:50.175132990 CEST605149757185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:50.175319910 CEST497576051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:54.233958006 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:54.351574898 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:54.351728916 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:54.352864027 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:54.487227917 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:54.487641096 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:54.651346922 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:54.651443005 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:54.764817953 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:54.765000105 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:54.927273035 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:54.927608013 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:55.088541031 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:55.088798046 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:55.186387062 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:55.187238932 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:55.200120926 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:55.201775074 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:55.299432993 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:55.300729990 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:55.370155096 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:55.370325089 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:55.468795061 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:55.468931913 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:55.482960939 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:55.533798933 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:55.581749916 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:55.581994057 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:55.743139029 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:55.747387886 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:55.903635025 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:55.903757095 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:56.067200899 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:56.067367077 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:56.229942083 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:56.230642080 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:56.393630028 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:49:56.395539045 CEST605149758185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:49:56.395714998 CEST497586051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:00.532217979 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:00.643604040 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:00.643755913 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:00.699224949 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:00.828022003 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:00.828799963 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:00.989509106 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:00.989743948 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:01.101941109 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:01.102098942 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:01.264002085 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:01.264259100 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:01.429056883 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:01.430285931 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:01.518492937 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:01.519025087 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:01.542567968 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:01.542808056 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:01.630991936 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:01.674911022 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:01.704724073 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:01.707886934 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:01.823378086 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:01.824007988 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:01.935340881 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:01.935652971 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:02.097980976 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:02.098926067 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:02.260171890 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:02.260305882 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:02.422153950 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:02.422497034 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:02.585412979 CEST605149762185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:02.585813999 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:02.613373995 CEST497626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:06.969640017 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:07.081104994 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:07.081208944 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:07.089977026 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:07.225858927 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:07.258876085 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:07.371299028 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:07.371447086 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:07.533600092 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:07.533750057 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:07.695846081 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:07.695983887 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:07.780910969 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:07.807723045 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:07.807837963 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:07.922894955 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:07.923978090 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:08.036267996 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:08.036969900 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:08.148571014 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:08.148669958 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:08.310216904 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:08.310487032 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:08.471996069 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:08.472410917 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:08.634316921 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:08.634483099 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:08.796180010 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:08.796463013 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:08.988732100 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:08.988818884 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:09.171200037 CEST605149764185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:09.171389103 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:09.178205967 CEST497646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:13.288944960 CEST497866051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:13.400165081 CEST605149786185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:13.400356054 CEST497866051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:13.457777023 CEST497866051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:13.569829941 CEST605149786185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:18.217741966 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:18.328989029 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:18.329097033 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:18.333084106 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:18.464555979 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:18.464654922 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:18.627234936 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:18.628015995 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:18.739687920 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:18.739809036 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:18.892045975 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:18.892390966 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:19.056107998 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:19.056196928 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:19.152815104 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:19.152909994 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:19.193223000 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:19.293149948 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:19.293256044 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:19.458409071 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:19.458615065 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:19.570096970 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:19.571172953 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:19.682599068 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:19.738348961 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:19.894064903 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:19.894224882 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:20.056442022 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:20.056751966 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:20.215363979 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:20.215708017 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:20.381386042 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:20.395693064 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:20.458297014 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:20.555293083 CEST605149814185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:20.555771112 CEST498146051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:24.702516079 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:24.813810110 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:24.814013958 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:24.892191887 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:25.020100117 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:25.020211935 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:25.172359943 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:25.172656059 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:25.284584045 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:25.284807920 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:25.445772886 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:25.445919037 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:25.602883101 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:25.603060007 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:25.701950073 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:25.715082884 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:25.715193987 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:25.826891899 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:25.826961994 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:25.990808010 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:25.990895987 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:26.103720903 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:26.103887081 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:26.215234041 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:26.215573072 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:26.377378941 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:26.377563953 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:26.540333986 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:26.593076944 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:26.752248049 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:26.752556086 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:26.914458990 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:26.914546013 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:26.991442919 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:27.078459978 CEST605149824185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:27.078665018 CEST498246051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:32.163269043 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:32.274961948 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:32.275239944 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:32.277544975 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:32.406018019 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:32.406429052 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:32.518379927 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:32.518496037 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:32.680259943 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:32.680349112 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:32.851067066 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:32.851207018 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:32.918998003 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:32.919167042 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:32.962955952 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:32.963093996 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:33.075800896 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:33.075913906 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:33.187566996 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:33.194358110 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:33.305875063 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:33.305986881 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:33.468657970 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:33.474667072 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:33.641052008 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:33.641216040 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:33.811934948 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:33.812063932 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:33.973386049 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:33.973488092 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:34.140616894 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:34.141037941 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:34.271987915 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:34.306961060 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:34.307141066 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:34.360945940 CEST605149826185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:34.364500046 CEST498266051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:38.426649094 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:38.540278912 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:38.540520906 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:38.586451054 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:38.715688944 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:38.718133926 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:38.880449057 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:38.880701065 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:38.992521048 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:39.013770103 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:39.174113035 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:39.175702095 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:39.339920998 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:39.342703104 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:39.419334888 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:39.419553041 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:39.455102921 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:39.455271959 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:39.533153057 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:39.534765005 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:39.619800091 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:39.620204926 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:39.747987032 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:39.748367071 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:39.782690048 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:39.834472895 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:39.885416031 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:39.885559082 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:40.049437046 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:40.049530029 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:40.211453915 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:40.213454008 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:40.375072956 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:40.384018898 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:40.444730997 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:40.552573919 CEST605149827185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:40.552683115 CEST498276051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:44.646370888 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:44.757582903 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:44.757822990 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:44.758738995 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:44.888350010 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:44.888454914 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:45.051287889 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:45.053416967 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:45.165575027 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:45.165783882 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:45.326561928 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:45.326668024 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:45.487651110 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:45.487876892 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:45.575259924 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:45.575434923 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:45.601586103 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:45.647382021 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:45.687155962 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:45.687395096 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:45.849239111 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:45.849421978 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:45.961771965 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:45.961999893 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:46.075155973 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:46.075341940 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:46.237685919 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:46.264249086 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:46.430161953 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:46.430330992 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:46.592251062 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:46.592339993 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:46.761323929 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:46.761418104 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:46.923557997 CEST605149828185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:46.923902988 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:46.923964024 CEST498286051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:50.999481916 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:51.111874104 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:51.115231991 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:51.118206978 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:51.250144958 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:51.250336885 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:51.412587881 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:51.412707090 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:51.525531054 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:51.525732040 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:51.688014984 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:51.688242912 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:51.849971056 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:51.850136995 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:51.934375048 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:51.934562922 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:51.962727070 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:51.962840080 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:52.045861006 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:52.046047926 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:52.124373913 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:52.124464035 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:52.205447912 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:52.205760002 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:52.236145973 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:52.288697004 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:52.317014933 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:52.317189932 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:52.478004932 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:52.478164911 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:52.639133930 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:52.639322996 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:52.801059008 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:52.801306009 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:52.945744038 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:52.966108084 CEST605149839185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:52.966236115 CEST498396051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:57.051866055 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:57.163430929 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:57.163666964 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:57.164993048 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:57.297224998 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:57.297388077 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:57.457374096 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:57.459171057 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:57.571222067 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:57.574011087 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:57.741663933 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:57.741964102 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:57.827723026 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:57.828044891 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:57.853235006 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:57.853492022 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:57.944648027 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:57.944973946 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:58.019853115 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:58.020656109 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:58.114574909 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:58.114692926 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:58.134601116 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:58.179857016 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:58.225796938 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:58.258490086 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:58.388042927 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:58.388169050 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:58.544423103 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:58.544542074 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:58.705481052 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:58.705564976 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:58.866586924 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:58.866837978 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:59.008517981 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:50:59.028646946 CEST605149860185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:50:59.028806925 CEST498606051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:03.100693941 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:03.212361097 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:03.212522030 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:03.213612080 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:03.343144894 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:03.343360901 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:03.505310059 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:03.505657911 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:03.618433952 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:03.618680000 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:03.778745890 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:03.779016018 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:03.941719055 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:03.941921949 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:04.029262066 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:04.053330898 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:04.053559065 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:04.165234089 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:04.165416002 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:04.323899984 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:04.324098110 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:04.440635920 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:04.440857887 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:04.552257061 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:04.552901983 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:04.713283062 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:04.713486910 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:04.876374006 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:04.876530886 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:05.038451910 CEST605149862185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:05.038523912 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:05.055562019 CEST498626051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:09.264759064 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:09.376418114 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:09.376596928 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:10.585565090 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:10.713851929 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:10.714056969 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:10.875358105 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:10.875488043 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:10.987209082 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:10.989006996 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:11.152496099 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:11.152724028 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:11.248265982 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:11.248392105 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:11.266624928 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:11.266714096 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:11.361407042 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:11.361614943 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:11.429158926 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:11.429362059 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:11.529769897 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:11.530014038 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:11.541487932 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:11.587277889 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:11.642152071 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:11.642667055 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:11.804363966 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:11.804486036 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:11.967242956 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:11.967453957 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:12.131480932 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:12.131751060 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:12.294277906 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:12.294519901 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:12.353440046 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:12.455455065 CEST605149864185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:12.455672979 CEST498646051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:16.443309069 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:16.557029963 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:16.557207108 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:16.558449984 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:16.684978962 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:16.685513020 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:16.850452900 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:16.850578070 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:16.962899923 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:16.963581085 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:17.126188040 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:17.216749907 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:17.217504025 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:17.329108000 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:17.329966068 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:17.441529036 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:17.441673994 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:17.554223061 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:17.603288889 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:21.671263933 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:21.713172913 CEST498656051192.168.2.7185.19.85.137
                                                      Oct 12, 2021 15:51:22.415076017 CEST605149865185.19.85.137192.168.2.7
                                                      Oct 12, 2021 15:51:22.463239908 CEST498656051192.168.2.7185.19.85.137

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 12, 2021 15:49:25.446805954 CEST5873953192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:49:25.466027975 CEST53587398.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:49:26.437062979 CEST6033853192.168.2.78.8.4.4
                                                      Oct 12, 2021 15:49:26.613787889 CEST53603388.8.4.4192.168.2.7
                                                      Oct 12, 2021 15:49:27.565529108 CEST5976253192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:49:27.745409966 CEST53597628.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:49:32.029913902 CEST5432953192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:49:32.167773962 CEST53543298.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:49:32.403435946 CEST5805253192.168.2.78.8.4.4
                                                      Oct 12, 2021 15:49:32.578960896 CEST53580528.8.4.4192.168.2.7
                                                      Oct 12, 2021 15:49:32.804759026 CEST5400853192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:49:32.823015928 CEST53540088.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:49:36.888720989 CEST5291453192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:49:37.068095922 CEST53529148.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:49:37.148696899 CEST6456953192.168.2.78.8.4.4
                                                      Oct 12, 2021 15:49:37.166666031 CEST53645698.8.4.4192.168.2.7
                                                      Oct 12, 2021 15:49:37.173485994 CEST5281653192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:49:37.191988945 CEST53528168.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:49:41.263663054 CEST5423053192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:49:41.282803059 CEST53542308.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:49:47.804738998 CEST5491153192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:49:47.827729940 CEST53549118.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:49:54.211075068 CEST4995853192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:49:54.232299089 CEST53499588.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:50:00.510494947 CEST5931053192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:50:00.530226946 CEST53593108.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:50:06.939441919 CEST6429653192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:50:06.960129023 CEST53642968.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:50:13.268897057 CEST5268953192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:50:13.287166119 CEST53526898.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:50:18.193945885 CEST5620953192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:50:18.212002993 CEST53562098.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:50:24.683237076 CEST5854253192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:50:24.701410055 CEST53585428.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:50:32.143759966 CEST6092753192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:50:32.162180901 CEST53609278.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:50:38.403631926 CEST5785453192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:50:38.422909975 CEST53578548.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:50:44.623191118 CEST6202653192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:50:44.643498898 CEST53620268.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:50:50.973814011 CEST6282653192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:50:50.994389057 CEST53628268.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:50:57.031918049 CEST6204653192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:50:57.050472975 CEST53620468.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:51:03.064064026 CEST6390853192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:51:03.086414099 CEST53639088.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:51:09.126790047 CEST6021253192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:51:09.145246983 CEST53602128.8.8.8192.168.2.7
                                                      Oct 12, 2021 15:51:16.425517082 CEST5886753192.168.2.78.8.8.8
                                                      Oct 12, 2021 15:51:16.442230940 CEST53588678.8.8.8192.168.2.7

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                      Oct 12, 2021 15:49:25.446805954 CEST192.168.2.78.8.8.80xbf69Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:26.437062979 CEST192.168.2.78.8.4.40x6768Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:27.565529108 CEST192.168.2.78.8.8.80x1a46Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:32.029913902 CEST192.168.2.78.8.8.80x6cd3Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:32.403435946 CEST192.168.2.78.8.4.40x4e54Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:32.804759026 CEST192.168.2.78.8.8.80x90daStandard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:36.888720989 CEST192.168.2.78.8.8.80xe08aStandard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:37.148696899 CEST192.168.2.78.8.4.40x2875Standard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:37.173485994 CEST192.168.2.78.8.8.80xe73cStandard query (0)harold.accesscam.orgA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:41.263663054 CEST192.168.2.78.8.8.80x4a68Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:47.804738998 CEST192.168.2.78.8.8.80x1f17Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:54.211075068 CEST192.168.2.78.8.8.80x4f0aStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:00.510494947 CEST192.168.2.78.8.8.80xfdacStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:06.939441919 CEST192.168.2.78.8.8.80x3176Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:13.268897057 CEST192.168.2.78.8.8.80x4488Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:18.193945885 CEST192.168.2.78.8.8.80x2614Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:24.683237076 CEST192.168.2.78.8.8.80x2389Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:32.143759966 CEST192.168.2.78.8.8.80x5e9fStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:38.403631926 CEST192.168.2.78.8.8.80x1ccbStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:44.623191118 CEST192.168.2.78.8.8.80x1180Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:50.973814011 CEST192.168.2.78.8.8.80x9163Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:57.031918049 CEST192.168.2.78.8.8.80xb51cStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:51:03.064064026 CEST192.168.2.78.8.8.80x702aStandard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:51:09.126790047 CEST192.168.2.78.8.8.80x5fe9Standard query (0)harold.2waky.comA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:51:16.425517082 CEST192.168.2.78.8.8.80xe98aStandard query (0)harold.2waky.comA (IP address)IN (0x0001)

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                      Oct 12, 2021 15:49:25.466027975 CEST8.8.8.8192.168.2.70xbf69Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:26.613787889 CEST8.8.4.4192.168.2.70x6768Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:27.745409966 CEST8.8.8.8192.168.2.70x1a46Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:32.167773962 CEST8.8.8.8192.168.2.70x6cd3Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:32.578960896 CEST8.8.4.4192.168.2.70x4e54Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:32.823015928 CEST8.8.8.8192.168.2.70x90daName error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:37.068095922 CEST8.8.8.8192.168.2.70xe08aName error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:37.166666031 CEST8.8.4.4192.168.2.70x2875Name error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:37.191988945 CEST8.8.8.8192.168.2.70xe73cName error (3)harold.accesscam.orgnonenoneA (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:41.282803059 CEST8.8.8.8192.168.2.70x4a68No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:47.827729940 CEST8.8.8.8192.168.2.70x1f17No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:54.232299089 CEST8.8.8.8192.168.2.70x4f0aNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:55.974659920 CEST8.8.8.8192.168.2.70xec84No error (0)windowsupdate.s.llnwi.net178.79.242.0A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:55.974659920 CEST8.8.8.8192.168.2.70xec84No error (0)windowsupdate.s.llnwi.net178.79.242.128A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:49:57.063689947 CEST8.8.8.8192.168.2.70xdf9bNo error (0)windowsupdate.s.llnwi.net178.79.242.0A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:00.530226946 CEST8.8.8.8192.168.2.70xfdacNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:06.960129023 CEST8.8.8.8192.168.2.70x3176No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:13.287166119 CEST8.8.8.8192.168.2.70x4488No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:18.212002993 CEST8.8.8.8192.168.2.70x2614No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:24.701410055 CEST8.8.8.8192.168.2.70x2389No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:32.162180901 CEST8.8.8.8192.168.2.70x5e9fNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:38.422909975 CEST8.8.8.8192.168.2.70x1ccbNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:44.643498898 CEST8.8.8.8192.168.2.70x1180No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:50.994389057 CEST8.8.8.8192.168.2.70x9163No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:50:57.050472975 CEST8.8.8.8192.168.2.70xb51cNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:51:03.086414099 CEST8.8.8.8192.168.2.70x702aNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:51:09.145246983 CEST8.8.8.8192.168.2.70x5fe9No error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)
                                                      Oct 12, 2021 15:51:16.442230940 CEST8.8.8.8192.168.2.70xe98aNo error (0)harold.2waky.com185.19.85.137A (IP address)IN (0x0001)

                                                      Code Manipulations

                                                      Statistics

                                                      CPU Usage

                                                      Click to jump to process

                                                      Memory Usage

                                                      Click to jump to process

                                                      High Level Behavior Distribution

                                                      Click to dive into process behavior distribution

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      Analysis Process: Quotation Request.pdf.exe PID: 4556 Parent PID: 5740

                                                      General

                                                      Start time:15:49:10
                                                      Start date:12/10/2021
                                                      Path:C:\Users\user\Desktop\Quotation Request.pdf.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\Desktop\Quotation Request.pdf.exe'
                                                      Imagebase:0x640000
                                                      File size:650240 bytes
                                                      MD5 hash:95D884C21021E67EA7E9E204A0488FA3
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.271877487.0000000002D61000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.271987580.0000000002D97000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, Author: Florian Roth
                                                      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.273290959.0000000003D61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                      Reputation:low

                                                      Chronological Activities

                                                      Analysis Process: schtasks.exe PID: 2812 Parent PID: 4556

                                                      General

                                                      Start time:15:49:20
                                                      Start date:12/10/2021
                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eqNjYDmhJoX' /XML 'C:\Users\user\AppData\Local\Temp\tmpAC55.tmp'
                                                      Imagebase:0xd70000
                                                      File size:185856 bytes
                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Chronological Activities

                                                      Analysis Process: conhost.exe PID: 5048 Parent PID: 2812

                                                      General

                                                      Start time:15:49:21
                                                      Start date:12/10/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff774ee0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Chronological Activities

                                                      Analysis Process: RegSvcs.exe PID: 408 Parent PID: 4556

                                                      General

                                                      Start time:15:49:21
                                                      Start date:12/10/2021
                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                      Imagebase:0x870000
                                                      File size:32768 bytes
                                                      MD5 hash:71369277D09DA0830C8C59F9E22BB23A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:moderate

                                                      Chronological Activities

                                                      Disassembly

                                                      Code Analysis

                                                      Reset < >

                                                        Analysis Process: Quotation Request.pdf.exe PID: 4556 Parent PID: 5740 Quotation Request.pdf.exeCOMMON

                                                        Executed Functions

                                                        Function 028D0110, Relevance: 2.5, Strings: 1, Instructions: 1293COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \Tzp
                                                        • API String ID: 0-1325336874
                                                        • Opcode ID: 4dacb601eae69e981127cd0188b67970fa1abdb4e3dd5bb315c84a7f830761a2
                                                        • Instruction ID: d9b8438077430a7e8ebef2e4226e7ef7c30683655982b9b0ba430f1a373888b8
                                                        • Opcode Fuzzy Hash: 4dacb601eae69e981127cd0188b67970fa1abdb4e3dd5bb315c84a7f830761a2
                                                        • Instruction Fuzzy Hash: D0D2CB34A01219DFDB64DB64C894ED9B7B2FF4A300F5181E9E509AB361DB31AE85CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D0103, Relevance: 2.5, Strings: 1, Instructions: 1222COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: \Tzp
                                                        • API String ID: 0-1325336874
                                                        • Opcode ID: 708339a4f241f1f36f0718e614194fb9eb584750e204ac41d15511d2450e009b
                                                        • Instruction ID: c6620f0f3db723c9aaa7856ca9a8e4b5bc383f98d23070fb5ffde25c111b6be5
                                                        • Opcode Fuzzy Hash: 708339a4f241f1f36f0718e614194fb9eb584750e204ac41d15511d2450e009b
                                                        • Instruction Fuzzy Hash: 46C2BA34A01219DFDB64DB24C894ED9B7B2FF8A300F5181E9D509AB361DB31AE85CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D86AB, Relevance: .2, Instructions: 223COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4373fa9e6fae56978f7df4d083a75275379a68ae970b614338e0d274e457b81c
                                                        • Instruction ID: 84c2df41456e95d0d0280839f7d88351a4a0671f028ee3857cfbdeb4d738d1bc
                                                        • Opcode Fuzzy Hash: 4373fa9e6fae56978f7df4d083a75275379a68ae970b614338e0d274e457b81c
                                                        • Instruction Fuzzy Hash: 08912378D04208AFCB00CFAAD444AADBBF2BF49319F14816AD454EB398D7349947CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D222E, Relevance: 2.7, Strings: 2, Instructions: 158COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: /$c
                                                        • API String ID: 0-3909290379
                                                        • Opcode ID: d20038b064af615bfff4f69a3bd459a68fe23c048988dcc424ece4968f2ff8da
                                                        • Instruction ID: 176d81cf3c00242a9d446b64c820c679d673d2e47c2af61c4ca3a3374c7c1b83
                                                        • Opcode Fuzzy Hash: d20038b064af615bfff4f69a3bd459a68fe23c048988dcc424ece4968f2ff8da
                                                        • Instruction Fuzzy Hash: 9F510B78E04259CFCB04CFA8C4849ADFBF1BF0A314F28959AE854EB256D7309986CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DAB1D, Relevance: 2.6, Strings: 2, Instructions: 117COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #$(
                                                        • API String ID: 0-18311415
                                                        • Opcode ID: ec9d6077d20792674b1bb44e73a4d9ef0eefd048f6bce6e7298732387f8d817a
                                                        • Instruction ID: 1784a983b84acbb2ec575f477a2c3079f6ecd574b6ef0687efcd84c1a28f7807
                                                        • Opcode Fuzzy Hash: ec9d6077d20792674b1bb44e73a4d9ef0eefd048f6bce6e7298732387f8d817a
                                                        • Instruction Fuzzy Hash: 7451CBB8E0522C8FDB68DF28C985BDCBBB1AB49305F1080E9D549E7280DB709E84CF55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05150F42, Relevance: 1.6, APIs: 1, Instructions: 114fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0515101D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: fb07fd91851a2a91d3cdcc3244bf6eab00aef64e823c8019a9660f0c9d8d5f11
                                                        • Instruction ID: 2e0059c9aa65da615bec74650de7aa9973fd46f77820035d23af46c7032acc68
                                                        • Opcode Fuzzy Hash: fb07fd91851a2a91d3cdcc3244bf6eab00aef64e823c8019a9660f0c9d8d5f11
                                                        • Instruction Fuzzy Hash: 3C416D715093C0AFE7238B65CC44B62BFB8EF07220F0984DAE9C4CB163D225A809D771
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05150AAA, Relevance: 1.6, APIs: 1, Instructions: 90COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetTokenInformation.KERNELBASE(?,00000E2C,68AE2B49,00000000,00000000,00000000,00000000), ref: 05150B54
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationToken
                                                        • String ID:
                                                        • API String ID: 4114910276-0
                                                        • Opcode ID: e7bd8bba8595adf4fcc042b9bc537a4f780860583bbd00cd4f55be83e2537889
                                                        • Instruction ID: f5558919eda53af8cb111e7bc163442e7a4273fd5a7ce58beba464d64d5a5f36
                                                        • Opcode Fuzzy Hash: e7bd8bba8595adf4fcc042b9bc537a4f780860583bbd00cd4f55be83e2537889
                                                        • Instruction Fuzzy Hash: EC31A471505780AFEB228F65DC85FA7BFA8EF06314F08849FE945DB152D334A548C7A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 051504BE, Relevance: 1.6, APIs: 1, Instructions: 89fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CopyFileW.KERNELBASE(?,?,?), ref: 0515054A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: CopyFile
                                                        • String ID:
                                                        • API String ID: 1304948518-0
                                                        • Opcode ID: 788bbb753a6cb242f3ce54e7ac7cda7c88e96b8a55fead363c825ff33d88a9c9
                                                        • Instruction ID: 4f81f8899df8207f3d5c72f10239e3221e2d18bbd0c252ca8f10a3ae4e068526
                                                        • Opcode Fuzzy Hash: 788bbb753a6cb242f3ce54e7ac7cda7c88e96b8a55fead363c825ff33d88a9c9
                                                        • Instruction Fuzzy Hash: 60314E6150D3C09FD7138B659C65BA2BFB8AF07224F1D84DBEC85CB1A3D2299849C762
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05150676, Relevance: 1.6, APIs: 1, Instructions: 86COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 05150713
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: OpenPolicy
                                                        • String ID:
                                                        • API String ID: 2030686058-0
                                                        • Opcode ID: 5c5053950a161e62ee9a43db209310536d35d770469031958b44131f2dfdaf18
                                                        • Instruction ID: 9ab02bfdb06604cd159459f1427d35d25368483dea6662ba40d2966443a94731
                                                        • Opcode Fuzzy Hash: 5c5053950a161e62ee9a43db209310536d35d770469031958b44131f2dfdaf18
                                                        • Instruction Fuzzy Hash: 88219172504740AFE721DF65DC89F66FFA8EF45710F0884AAED84DB152D334A948CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05150E5E, Relevance: 1.6, APIs: 1, Instructions: 81COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetLongPathNameW.KERNELBASE(?,?,?), ref: 05150F02
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: LongNamePath
                                                        • String ID:
                                                        • API String ID: 82841172-0
                                                        • Opcode ID: f51a3ec99e76715b88eba784d7f0a0be22550691b4a0feb6a4582b21e04365a8
                                                        • Instruction ID: f77c10937d714f0f2c780a6ecd28da3e51b8e74492f194867b6d41e6113f30c1
                                                        • Opcode Fuzzy Hash: f51a3ec99e76715b88eba784d7f0a0be22550691b4a0feb6a4582b21e04365a8
                                                        • Instruction Fuzzy Hash: 81315A7540E3C09FDB138B648855A92BFB4AF47320B0E84DBD8848F1A3D2256909CB72
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05151074, Relevance: 1.6, APIs: 1, Instructions: 80COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetFileType.KERNELBASE(?,00000E2C,68AE2B49,00000000,00000000,00000000,00000000), ref: 05151109
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID:
                                                        • API String ID: 3081899298-0
                                                        • Opcode ID: 2ee18fc4c60870c43d72b52783dc6e93dbfa157c4ac2e94bf983e3937ae84cce
                                                        • Instruction ID: 146ce839a642fca7576fafd57fd6471042e0461bf3d4b5c55f3f2a304c1256dd
                                                        • Opcode Fuzzy Hash: 2ee18fc4c60870c43d72b52783dc6e93dbfa157c4ac2e94bf983e3937ae84cce
                                                        • Instruction Fuzzy Hash: 0A210A754497806FE7138B25DC81FA2BFACEF47720F1884DAED848B193D2645909C771
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05150F9E, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0515101D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 77316daa91f9015428da6dce947441e25706cbc8417eae37ce45fb4390d243e5
                                                        • Instruction ID: 5a6677c66679fc3c4c7f6cb4bbadddd1acaffce7818a67d89a8db820f5b86feb
                                                        • Opcode Fuzzy Hash: 77316daa91f9015428da6dce947441e25706cbc8417eae37ce45fb4390d243e5
                                                        • Instruction Fuzzy Hash: 2A218975500240AFEB21CF65DD84B66FBE8FF08320F18886EED898B251D375E408CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05151144, Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • WriteFile.KERNELBASE(?,00000E2C,68AE2B49,00000000,00000000,00000000,00000000), ref: 051511D5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: 44fefc23d5dc3481bcbdf3752ed70f608ca2990e047e9f830e5463cac25fac46
                                                        • Instruction ID: 23c51db7c0ac78b70013cb6ce770860460ede9b03800cc2bbde298d0220a0b85
                                                        • Opcode Fuzzy Hash: 44fefc23d5dc3481bcbdf3752ed70f608ca2990e047e9f830e5463cac25fac46
                                                        • Instruction Fuzzy Hash: 09218E72449380AFD7228F65DC45F66BFB8EF46314F08849AE9849B153C235A409CB72
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 051506A2, Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • LsaOpenPolicy.ADVAPI32(?,00000E2C), ref: 05150713
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: OpenPolicy
                                                        • String ID:
                                                        • API String ID: 2030686058-0
                                                        • Opcode ID: 32fc28027c39538f89f4cc9fccdbaccd2fd05b84b14ec068c7f521279806794a
                                                        • Instruction ID: 912b8b96c2dba23b3fba95319a47d28ab94da1a8db500e99d4b54f1d5eb2de3a
                                                        • Opcode Fuzzy Hash: 32fc28027c39538f89f4cc9fccdbaccd2fd05b84b14ec068c7f521279806794a
                                                        • Instruction Fuzzy Hash: E921C372500604AFEB20DF69DC89F6AFBE8EF48720F14846AED95DB241D374A5048F71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05150AEA, Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetTokenInformation.KERNELBASE(?,00000E2C,68AE2B49,00000000,00000000,00000000,00000000), ref: 05150B54
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: InformationToken
                                                        • String ID:
                                                        • API String ID: 4114910276-0
                                                        • Opcode ID: e577f64260a43920e1cf538377a313b4b6f774ddb034905600024d7b36509bd3
                                                        • Instruction ID: acfba24a30ef0027820a976c5a57b9b73a49a296ce990d1b13f4805d7267647f
                                                        • Opcode Fuzzy Hash: e577f64260a43920e1cf538377a313b4b6f774ddb034905600024d7b36509bd3
                                                        • Instruction Fuzzy Hash: 53119071500204AFEB21CF6ADC85FAAFBECEF08321F04886AED45DB251D674A4448B71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05151383, Relevance: 1.6, APIs: 1, Instructions: 68fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • DeleteFileW.KERNELBASE(?), ref: 051513F0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: 6419d14bfd2c1075ef903defcb0c860567e6263de8fc6b367cbe0af04db9de39
                                                        • Instruction ID: 55824907845116b1655c951b056ad25284315ae77ab4b37378be54fa2abc3e6a
                                                        • Opcode Fuzzy Hash: 6419d14bfd2c1075ef903defcb0c860567e6263de8fc6b367cbe0af04db9de39
                                                        • Instruction Fuzzy Hash: 082181755093C09FD7138B25DC95B56BFB8AF06220F0980EBED85CF293D278A948C762
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 051514D5, Relevance: 1.6, APIs: 1, Instructions: 62windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 05151549
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 9a9f2db0dbc36bd309fd85e948c9eb0b7e7eac423bf4d261c6016c151500885d
                                                        • Instruction ID: 011d879c51c1c0adf2dfdffbd2199743ae6a1cf02863c80f3aa78c7aff96fa56
                                                        • Opcode Fuzzy Hash: 9a9f2db0dbc36bd309fd85e948c9eb0b7e7eac423bf4d261c6016c151500885d
                                                        • Instruction Fuzzy Hash: A1216D714093C0AFDB238F25DC44A51BFB4EF07220F0984DAED858B163D235A858DB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 051505C5, Relevance: 1.6, APIs: 1, Instructions: 60COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SetFileAttributesW.KERNELBASE(?,?), ref: 05150627
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 79749bf50d0478ad9e0963eee64570524d9f46885ef96e61f32003b87af775da
                                                        • Instruction ID: 3b9164cc8e63fdd004d35aa147936d4789eb5351648f32c35a2b20835ab1459c
                                                        • Opcode Fuzzy Hash: 79749bf50d0478ad9e0963eee64570524d9f46885ef96e61f32003b87af775da
                                                        • Instruction Fuzzy Hash: 7B11D0765083849FDB11CF25DC89B56FFE8EF46320F0884AAEC45CB252D275A848CB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05151176, Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • WriteFile.KERNELBASE(?,00000E2C,68AE2B49,00000000,00000000,00000000,00000000), ref: 051511D5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: 89bf38861f0cdb0a3fe61017ace3730b506fae63260d8582cfbd5b428a065b1c
                                                        • Instruction ID: a05d95a521f8323f52be8dca94f157b20025c230c1be7bca34d38cf5a0c9d120
                                                        • Opcode Fuzzy Hash: 89bf38861f0cdb0a3fe61017ace3730b506fae63260d8582cfbd5b428a065b1c
                                                        • Instruction Fuzzy Hash: 0E11B271540600AFEB21CF55DC84F66FBE8EF08720F14846AED859B251D374A404CBB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 051517C3, Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 0515182D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 28c4f4e40cd85d95a0bb22f61f67e8e7a0f4c9c9be67115a07151391ed5071b5
                                                        • Instruction ID: a33c800a28d39c555799726df13bd0464f47658626d003878fbea6ac5e38ff33
                                                        • Opcode Fuzzy Hash: 28c4f4e40cd85d95a0bb22f61f67e8e7a0f4c9c9be67115a07151391ed5071b5
                                                        • Instruction Fuzzy Hash: 6D11BE71449780AFDB228F15DC85B62FFB4EF06220F0884AEED858B163C275A418CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05150502, Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • CopyFileW.KERNELBASE(?,?,?), ref: 0515054A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: CopyFile
                                                        • String ID:
                                                        • API String ID: 1304948518-0
                                                        • Opcode ID: f5b11d074e3f410ef33f7f145edc71a28a0b15e86b8cc75987a81b33bbba7710
                                                        • Instruction ID: 13138ca58d19e6cd1ced7c7b2b38cb67879d8823e7fb4450d80cf73605c60506
                                                        • Opcode Fuzzy Hash: f5b11d074e3f410ef33f7f145edc71a28a0b15e86b8cc75987a81b33bbba7710
                                                        • Instruction Fuzzy Hash: 29115E75614241DFDB20CF69EC89B66FBD8EF08720F08846AED59CB241D774E444CA71
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 051510B6, Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetFileType.KERNELBASE(?,00000E2C,68AE2B49,00000000,00000000,00000000,00000000), ref: 05151109
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: FileType
                                                        • String ID:
                                                        • API String ID: 3081899298-0
                                                        • Opcode ID: 1a683b2d62df254e0381711f7f4067061b112b692157edc157725f1e375f8374
                                                        • Instruction ID: 0321a3e0baccdf857bdbdd17ffb852a9e8049ea18505ca7e8011f2261fe6936b
                                                        • Opcode Fuzzy Hash: 1a683b2d62df254e0381711f7f4067061b112b692157edc157725f1e375f8374
                                                        • Instruction Fuzzy Hash: E101D271540600AFEB21CF2ADC85FA6FB98EF08721F14C4AAED849B241D374A544CAB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 051505EA, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • SetFileAttributesW.KERNELBASE(?,?), ref: 05150627
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 97c489fe095c3d0715f19bf00a4ca0f4666dbcb5d8004f3e164244c5906372df
                                                        • Instruction ID: 47cc92ebb842f9e6025e099c950176126990a6faf2cb2ce86579c9339787af24
                                                        • Opcode Fuzzy Hash: 97c489fe095c3d0715f19bf00a4ca0f4666dbcb5d8004f3e164244c5906372df
                                                        • Instruction Fuzzy Hash: 7E019275904244DFDB20CF6AEC89B66FBD4EF48720F0884AAEC49CB252D375D408CE62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 051513B6, Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • DeleteFileW.KERNELBASE(?), ref: 051513F0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: DeleteFile
                                                        • String ID:
                                                        • API String ID: 4033686569-0
                                                        • Opcode ID: 43871eb0635655db4ce335182c1633cf97ac8d9350675d5ac7422d31ed898120
                                                        • Instruction ID: 89c7fd30d42a6f29d065312d19ddfdc3c8a0bcf06c555897430fe8c6708efc38
                                                        • Opcode Fuzzy Hash: 43871eb0635655db4ce335182c1633cf97ac8d9350675d5ac7422d31ed898120
                                                        • Instruction Fuzzy Hash: BA015E71A44240DFDB61CF6AE885B66FB98EF04630F0884AADD99CF642D374E844CA61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 051517F2, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 0515182D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: a261ca60bf06459a01579a9d7454b0dab8f884e04b2a63d46ff574ce2396879a
                                                        • Instruction ID: e6c036897aa45aa4833311a80c4ddc41815511820448e4aaa9ff1ae38c9173e4
                                                        • Opcode Fuzzy Hash: a261ca60bf06459a01579a9d7454b0dab8f884e04b2a63d46ff574ce2396879a
                                                        • Instruction Fuzzy Hash: 7201B135900700DFDB318F16D884B65FBA1EF04320F08C4AEED954B661D371A458CB61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 05150ECA, Relevance: 1.5, APIs: 1, Instructions: 41COMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • GetLongPathNameW.KERNELBASE(?,?,?), ref: 05150F02
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: LongNamePath
                                                        • String ID:
                                                        • API String ID: 82841172-0
                                                        • Opcode ID: d3677a202a2fdb7515d73acb88de1dcf4f4ca923b255c1b497dd489e710369c7
                                                        • Instruction ID: 666ca2005ddd609a0c97a3ebe3f5dc7f6ad7bce8387e813e20442cca07c7a70f
                                                        • Opcode Fuzzy Hash: d3677a202a2fdb7515d73acb88de1dcf4f4ca923b255c1b497dd489e710369c7
                                                        • Instruction Fuzzy Hash: 96017C75804240DFDB20CF95E888B65FBA4EF08330F18C4AAED598B252D379A548CF72
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 0515150E, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON
                                                        Download Yara Rule
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 05151549
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.276951349.0000000005150000.00000040.00000001.sdmp, Offset: 05150000, based on PE: false
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 5c694c8a51ac19d4706397b115a821e47b61354db16acecbd4bd377b32ca7776
                                                        • Instruction ID: 0d2f96a63d982b58c74966f6e610c37e694ec7a3749ad43cd63b4253bbd698a9
                                                        • Opcode Fuzzy Hash: 5c694c8a51ac19d4706397b115a821e47b61354db16acecbd4bd377b32ca7776
                                                        • Instruction Fuzzy Hash: 0B018F35940740EFDB31CF45E885B65FBA0FF09720F08C49ADD864B226D375A458CBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DACE2, Relevance: 1.4, Strings: 1, Instructions: 111COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: *
                                                        • API String ID: 0-163128923
                                                        • Opcode ID: d47ada2a90fa3bb335e7b38ccd32ab424ad7d67c906738a98fe982c0b3c2bf09
                                                        • Instruction ID: 7c1fa32c94aeac7c41ccc2381c3c382e2974b1020d6b064e88308e4a07a73d38
                                                        • Opcode Fuzzy Hash: d47ada2a90fa3bb335e7b38ccd32ab424ad7d67c906738a98fe982c0b3c2bf09
                                                        • Instruction Fuzzy Hash: 0251ABB9905228CFDB64DF24C988BDCBBB1AB09315F5041EAD40DA72A0DB345AC4CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D92D1, Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: !
                                                        • API String ID: 0-2657877971
                                                        • Opcode ID: 06b8f8084db0f9274e414bc972d73693d18c4ac468c24797023757a5975a70f8
                                                        • Instruction ID: 3c8b294e00f416facd345c64f4d0dc05ac8b4bceaf44ccc3ace79ecd7b33dc14
                                                        • Opcode Fuzzy Hash: 06b8f8084db0f9274e414bc972d73693d18c4ac468c24797023757a5975a70f8
                                                        • Instruction Fuzzy Hash: A831FA7CC0821CDFDB18DFA5D488BAEBBB1BB05309F04A559D459A3290CBB44588DF15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DB400, Relevance: 1.3, Strings: 1, Instructions: 76COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: -
                                                        • API String ID: 0-2547889144
                                                        • Opcode ID: d6d86e2bb1eba270a0550501855cf8765b1a1ee6c283261a8a3d7052a075dc7a
                                                        • Instruction ID: 3d3d1bf190d98495d6e41308ff7097e45259e486d8c0b34e648d563baeaa2ffe
                                                        • Opcode Fuzzy Hash: d6d86e2bb1eba270a0550501855cf8765b1a1ee6c283261a8a3d7052a075dc7a
                                                        • Instruction Fuzzy Hash: 1141FF7990126CCFCB64DF28C888BEDBBB1AB49315F1080E9D40CAB291C7319A89CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DAE80, Relevance: 1.3, Strings: 1, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 387a90df4acd21f1679961954198a92f7b375656de258cfadbc14c1c81900e59
                                                        • Instruction ID: f7275a420f925f71209577df596ffe900bd2c8598ca25ecfc0437dba3f298999
                                                        • Opcode Fuzzy Hash: 387a90df4acd21f1679961954198a92f7b375656de258cfadbc14c1c81900e59
                                                        • Instruction Fuzzy Hash: E011F0BAA0022C8FCB14CF64C884BEDBBB4AB09309F1444E6D909E7281D7749A89CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DB2CE, Relevance: 1.3, Strings: 1, Instructions: 34COMMON
                                                        Download Yara Rule
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID: !
                                                        • API String ID: 0-2657877971
                                                        • Opcode ID: c77009f199807e97b124d51158dc5ce17f6ede80154af4db8f15be622da20c14
                                                        • Instruction ID: 8a8a68fe1810b69c10badd2ebefb7e13596a87c5e750bb3bef8f6776475cedd7
                                                        • Opcode Fuzzy Hash: c77009f199807e97b124d51158dc5ce17f6ede80154af4db8f15be622da20c14
                                                        • Instruction Fuzzy Hash: B501287A90422CCFDB25CF64C844BDDBBB5FB05318F1441D9C419A7281C3359A89CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 02A1025D, Relevance: .5, Instructions: 506COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271862482.0000000002A10000.00000040.00000040.sdmp, Offset: 02A10000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 767721af4bf707fb6f5fa42298812cff5631c2858247f57e811016609a7e80c3
                                                        • Instruction ID: 1e23e8b6e5a440aef2d1e6e98f3ae2837fc3cd6107fba3427914040dadecded2
                                                        • Opcode Fuzzy Hash: 767721af4bf707fb6f5fa42298812cff5631c2858247f57e811016609a7e80c3
                                                        • Instruction Fuzzy Hash: C831F46254E3D14FD7138B749C646A0BFB0AF47225B0E80EBD484CF1A3D26D594ACB72
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D99EB, Relevance: .2, Instructions: 229COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b14ac063846fcba5846b236049f2dd36f482e7e6a06319317f0fbaa257b4624e
                                                        • Instruction ID: 58324756ccb05ace57c1e9a33d89014b32d88184d6349ba112a92fedc0428bfe
                                                        • Opcode Fuzzy Hash: b14ac063846fcba5846b236049f2dd36f482e7e6a06319317f0fbaa257b4624e
                                                        • Instruction Fuzzy Hash: 8B91D438E41318DFDB10DBA4C895BADBB71FB89704F208119E509BB395CBB16984CF24
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DA5F0, Relevance: .2, Instructions: 221COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f2de08921abea9925127b8330a220c43ed9284a0b2a7c7b3645e370896fa4dab
                                                        • Instruction ID: aa08402acf0cfd8c4312f3823eb3ca5d67dd4afd3a1fdd1bf528523b23606d02
                                                        • Opcode Fuzzy Hash: f2de08921abea9925127b8330a220c43ed9284a0b2a7c7b3645e370896fa4dab
                                                        • Instruction Fuzzy Hash: 6591C0BCD04218CFDB14DFA9D9487AEBBB0EF49304F20816AD419E7281D7784A49CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DA600, Relevance: .2, Instructions: 213COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7040f46b7700aabcd9724da82883f5a0de7a0e2086c748959c8462d990d13565
                                                        • Instruction ID: c7b21b12afcc996a67eab984f33abeb9fd566eb148deaed8f017f0813e386acf
                                                        • Opcode Fuzzy Hash: 7040f46b7700aabcd9724da82883f5a0de7a0e2086c748959c8462d990d13565
                                                        • Instruction Fuzzy Hash: F9919EBCD05218CFDB18DFAAD9487AEBBB1EF48304F20912AD419E7281D7785A49CF51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D1EFA, Relevance: .2, Instructions: 178COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d1e6fe8f95b58a1d4e5a037d9e75cb9775663c92b0b99accdd3694866c0f26b2
                                                        • Instruction ID: 6be5278b50634ae5a93fbd7d5fbd8c7ac9c8a55c53cdbbd6076733b1807b963c
                                                        • Opcode Fuzzy Hash: d1e6fe8f95b58a1d4e5a037d9e75cb9775663c92b0b99accdd3694866c0f26b2
                                                        • Instruction Fuzzy Hash: 02717278E04229CFDF10CFA8C884BADBBB6BF49304F1094A9E909E7255D7349985CF10
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9E63, Relevance: .2, Instructions: 176COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 527d53e8009362b2a9297aaaaa102cc15dfda6dbbb2f5fea58cb450b72717b7d
                                                        • Instruction ID: 958c2b85272128fc3653c30287b8538b5dda345b879ef3c63c492d7ab72479b3
                                                        • Opcode Fuzzy Hash: 527d53e8009362b2a9297aaaaa102cc15dfda6dbbb2f5fea58cb450b72717b7d
                                                        • Instruction Fuzzy Hash: 9E71BE78D04208DFDB14EFA9D884AADBBB2FF89304F208129D909A7395DB355945CF15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9151, Relevance: .1, Instructions: 145COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: faf67b3baca9f6d1d9c445c902d5ed6bf7329994cb0d34d7f16ebe5038a11577
                                                        • Instruction ID: b2b8b4c11854988b6fcfaf64bbc86df7922c309ce2e4b754043f20fff2ff7582
                                                        • Opcode Fuzzy Hash: faf67b3baca9f6d1d9c445c902d5ed6bf7329994cb0d34d7f16ebe5038a11577
                                                        • Instruction Fuzzy Hash: 6951F578C0522CDFDB18EFA5D4887EDBBB1BB09309F04A1A9D459E3290C7784A88DF15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D19E4, Relevance: .1, Instructions: 139COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eb8363334ff497622c040334532f04c18fde28bee8c6aad54d8695c59bf03c7e
                                                        • Instruction ID: 80133b182e0e309b42bd4484e8ce3b54c311580e7975014b866f8ca29d82f7e0
                                                        • Opcode Fuzzy Hash: eb8363334ff497622c040334532f04c18fde28bee8c6aad54d8695c59bf03c7e
                                                        • Instruction Fuzzy Hash: A3519278E05218DFDB14DFA8D988AADBBB2FF49310F209469E409EB350E7359985CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D23F8, Relevance: .1, Instructions: 123COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a3573277a738c409f66b877b3330fcb693fda1e84e8cdf6c699eadb9635e37bb
                                                        • Instruction ID: 24f7681fa458bd86af58992b21998d01947abf24089727e93f064b26560128ba
                                                        • Opcode Fuzzy Hash: a3573277a738c409f66b877b3330fcb693fda1e84e8cdf6c699eadb9635e37bb
                                                        • Instruction Fuzzy Hash: 85412738A04258DFDB10DF68D8407ADBBB6FF89300F1084AAD809E7296DB745D49CB65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D93EF, Relevance: .1, Instructions: 110COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e4716e0a22d7c2c2ed37f09445a9c07dc5a54defe0637ee830b48f824d4dc197
                                                        • Instruction ID: 94538e896c51d82e29d8427a6a0013dfdd54139c0682cf4700f6f06f2ec972a7
                                                        • Opcode Fuzzy Hash: e4716e0a22d7c2c2ed37f09445a9c07dc5a54defe0637ee830b48f824d4dc197
                                                        • Instruction Fuzzy Hash: A241F678C1921CDFDB18DFA5D488BEEBBB1BB06309F04A159D419A32A0CBB84588DF15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D96CF, Relevance: .1, Instructions: 109COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 731f59410f7a9f58dd4040226d711bf898f30feb5fcbc70f0e90912751718c7f
                                                        • Instruction ID: 06c944480f7c825239ddc9c0d5a852ab584586f9ae459d22c17e20afbafce113
                                                        • Opcode Fuzzy Hash: 731f59410f7a9f58dd4040226d711bf898f30feb5fcbc70f0e90912751718c7f
                                                        • Instruction Fuzzy Hash: A7310778E05218DBCB04DFA9E8846EEBBB2FF89304F109929D01AF7250DB705849CF55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D8FC9, Relevance: .1, Instructions: 106COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5c5eea09b0d5376aff39bdebf8250c67aa3174ccb91916eef3aeab58e8866da4
                                                        • Instruction ID: 5ba3f1718458650e2d23f0279bd9b8b82b20902dd9f2f2810c1898f6b0306135
                                                        • Opcode Fuzzy Hash: 5c5eea09b0d5376aff39bdebf8250c67aa3174ccb91916eef3aeab58e8866da4
                                                        • Instruction Fuzzy Hash: 1D41097CC1921CDFDB18DFA5D488BEDBBB1BB06309F04A599D419A32A0CB784588DF15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA944, Relevance: .1, Instructions: 90COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c8d3f2d8a03901ce3bc36b99c2973288d4c189dc0f5b6d1d0b43ac0d2bd14a20
                                                        • Instruction ID: 6de424906ade1b8f497d5d997f041940f1d2b6d0528b7468b4032906dde16030
                                                        • Opcode Fuzzy Hash: c8d3f2d8a03901ce3bc36b99c2973288d4c189dc0f5b6d1d0b43ac0d2bd14a20
                                                        • Instruction Fuzzy Hash: 04217FB6508340AFD311CF15EC81E57FBE8EB89620F14C86EFD4997211D275A804CBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA81A, Relevance: .1, Instructions: 89COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 89ade609340e131656181a5c22917ce7dd226bb7b4dc46aee935619d666aa9c0
                                                        • Instruction ID: 658845c62ae588169f84af1952370e9bbde4af82e7eb07a18ddd03c7a99793be
                                                        • Opcode Fuzzy Hash: 89ade609340e131656181a5c22917ce7dd226bb7b4dc46aee935619d666aa9c0
                                                        • Instruction Fuzzy Hash: 95217C76509340AFD711CF16EC85A56FFE8EB89620F18C86FFD8897211D275A804CBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA5C0, Relevance: .1, Instructions: 86COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e907d4eec5d0e95a96fc1754956170029f1f2601609824a347684f20071bd8f0
                                                        • Instruction ID: baa3b7b7e64f74a8fc5212e3021b069f40414bd27191fd8a1edba87f9742eb47
                                                        • Opcode Fuzzy Hash: e907d4eec5d0e95a96fc1754956170029f1f2601609824a347684f20071bd8f0
                                                        • Instruction Fuzzy Hash: 6C21E276509340AFD711CF15EC81A57FFA8EB85630F18C8AFFD489B212D276A504CBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D92F0, Relevance: .1, Instructions: 86COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1edce1d4c0b00531b02cbb07d8c480a6fb10feb3c9e69a1106313f6b7fa52eef
                                                        • Instruction ID: 7a281d6600b9ae3342e733cecc8c5ef439c5884db2c2d5b844de8a3463a0d3a4
                                                        • Opcode Fuzzy Hash: 1edce1d4c0b00531b02cbb07d8c480a6fb10feb3c9e69a1106313f6b7fa52eef
                                                        • Instruction Fuzzy Hash: 8B31D778C0821CDFDB18DFA5D488BEDBBB1BB05309F04A45AD459B32A0CBB84688DF15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA3AA, Relevance: .1, Instructions: 85COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d37354d1e6ba70299f69bb6d05ba3c9cf53143510a9ea29362d205d1185a9ce1
                                                        • Instruction ID: f9d17f97b6d00ebd67d28ba839a86e91464a17997a6c0270462ab0a31808a694
                                                        • Opcode Fuzzy Hash: d37354d1e6ba70299f69bb6d05ba3c9cf53143510a9ea29362d205d1185a9ce1
                                                        • Instruction Fuzzy Hash: 3A21C776508340AFD7118F15EC85E56FFA8EB85630F18C89FFD499B212D236A404CBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA700, Relevance: .1, Instructions: 84COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4ced827dc64686e2edd8e1cdf8b0af051d3aea8a621b26cd61776ed12ad68f12
                                                        • Instruction ID: 850967de238bfc92868d90c7fa6cdb3e01645fa6af60b970cf97dc8ca69a395f
                                                        • Opcode Fuzzy Hash: 4ced827dc64686e2edd8e1cdf8b0af051d3aea8a621b26cd61776ed12ad68f12
                                                        • Instruction Fuzzy Hash: 8D213DB6544300BFD210CF0AEC41E6BFBE8EB88770F14C92EFD4997210D275A9149BA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBAAC8, Relevance: .1, Instructions: 83COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 38c30f3d372b46d701236189cd15b947918f5cfcea30a92b28363ca8801a1d68
                                                        • Instruction ID: 5b89bb5b22572ca8aa755934b083d92a0d28b796048da3076f8f2f57cbc4a469
                                                        • Opcode Fuzzy Hash: 38c30f3d372b46d701236189cd15b947918f5cfcea30a92b28363ca8801a1d68
                                                        • Instruction Fuzzy Hash: 2F314CB550E3C19FD312CF259850956BFF4EF8A620F0988DEE8C4DB252D2759908CB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9020, Relevance: .1, Instructions: 81COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2ab553f9fda65141434485ae70c3943452ba603bba6c57fbce8e7112c36873fd
                                                        • Instruction ID: 895c2f032be84a0c6a86cf62a2d9644123a1fe87c0a2d6551907eedf4b5e133e
                                                        • Opcode Fuzzy Hash: 2ab553f9fda65141434485ae70c3943452ba603bba6c57fbce8e7112c36873fd
                                                        • Instruction Fuzzy Hash: B231D478C1821CDFDB18DFA5D488BEEBBB0BB05309F04A599D459A32A0CBB84588DF15
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA191, Relevance: .1, Instructions: 79COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a291f715b538dc8ab77a856349806609e86e443a9ab4790832ca11d67be40eec
                                                        • Instruction ID: 4d781481970e9564fd189e8633cf1d6d8f00ef5c8de0eee1805c0d0d4dcadcd1
                                                        • Opcode Fuzzy Hash: a291f715b538dc8ab77a856349806609e86e443a9ab4790832ca11d67be40eec
                                                        • Instruction Fuzzy Hash: EC212976508340AFD7118F0AAC41E62FFA8EB85630F08C49FFD489B212D275A404CFA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA96E, Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a8b324cab80b9808366045450d96489ef27b8b4d89a0a3ad7cc3bb73b35fc038
                                                        • Instruction ID: 9ba3435e1afff5abe7f51274225227b1c64c99d0b27b8e8e133574c6e03f7a4b
                                                        • Opcode Fuzzy Hash: a8b324cab80b9808366045450d96489ef27b8b4d89a0a3ad7cc3bb73b35fc038
                                                        • Instruction Fuzzy Hash: 9A211AB6544300AFD250CF0AEC41A5BFBE8EB88630F14C92EFD4997311D275E9149BA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA842, Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ec69fa373575c1ed151255bca7ba1344a936a723b2cce3d72be5858ca0e69f57
                                                        • Instruction ID: 69a3cbbb1c503bd90ebf3ec014f8a9e8d9160106726196d7e62afc083ba09838
                                                        • Opcode Fuzzy Hash: ec69fa373575c1ed151255bca7ba1344a936a723b2cce3d72be5858ca0e69f57
                                                        • Instruction Fuzzy Hash: CD212FB6544300AFD250CF0AEC41A57FBE8EB88730F14C92EFD4997311D275A9149BA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA716, Relevance: .1, Instructions: 75COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f4708e2b75ec794988ee195ec05353a9e08536d5c89f4e2c604e9113df6d3805
                                                        • Instruction ID: 87ea47187c14ea5641f8eed8dea859d62d947a8c2d52058db1d04781ac09e48c
                                                        • Opcode Fuzzy Hash: f4708e2b75ec794988ee195ec05353a9e08536d5c89f4e2c604e9113df6d3805
                                                        • Instruction Fuzzy Hash: B5212CB6544300AFD250CF0AEC45E6BFBE8EB88630F14C92EFD4997311D275A9149FA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D0006, Relevance: .1, Instructions: 72COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ab3b8ec4eb44b3426befe30f9f90ebf7d4677ebaebb5d5004330ae3952ebc5da
                                                        • Instruction ID: 7ec4d1520e3ea233e5c9a0b31c35ca40fa965eb5378eba74d538578578fd4a81
                                                        • Opcode Fuzzy Hash: ab3b8ec4eb44b3426befe30f9f90ebf7d4677ebaebb5d5004330ae3952ebc5da
                                                        • Instruction Fuzzy Hash: 9521162004E3C59FC7139BB498766AA7FB0AF43250B1A45DBC485CF0A3D6681E59DB26
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA5EA, Relevance: .1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 38696c801ff2cf0624b1f99bee93e5fbd005157a4c51a6f6f57eff56265988fe
                                                        • Instruction ID: 5b70928df7cd1fd986f069351584c6356f22a93176455b8b71def67935504da1
                                                        • Opcode Fuzzy Hash: 38696c801ff2cf0624b1f99bee93e5fbd005157a4c51a6f6f57eff56265988fe
                                                        • Instruction Fuzzy Hash: 92119376544204BFD6108F0AEC41E67FBA8EB88630F18C96AFD095B311D276B9149BA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA3D2, Relevance: .1, Instructions: 69COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d66f60089abdffa9a0416ad424334e4b1bd02898ff2f4aca943f95bdf247ca03
                                                        • Instruction ID: d2188729c6f46281f3562f91834df1f9ede39c9c939f37004a4500018d334155
                                                        • Opcode Fuzzy Hash: d66f60089abdffa9a0416ad424334e4b1bd02898ff2f4aca943f95bdf247ca03
                                                        • Instruction Fuzzy Hash: A5119676544200BFD6108F06EC41E67FBD8EB88770F18C96AFD0957311D276B5149BA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA640, Relevance: .1, Instructions: 65COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1f1c574103d373a752fdc1ef55db21de9bd2c8e232122c7bf25aa68ac0039fab
                                                        • Instruction ID: de0556bdbe67824be64006af8169c695a2e3c6cb120fac55dfd25a57c320832d
                                                        • Opcode Fuzzy Hash: 1f1c574103d373a752fdc1ef55db21de9bd2c8e232122c7bf25aa68ac0039fab
                                                        • Instruction Fuzzy Hash: 46215EB550D3806FD312CF15DC51956FFF4EF8A620F0989DEF8889B252D235A908CBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA1BA, Relevance: .1, Instructions: 64COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dbc80b1718e2016fafeb0e6b49008577d3dba0705351dcc9ba5161a07a146fd3
                                                        • Instruction ID: 52e7b48f40bc19ee096cf5f15eda0003bce0ecad9f73e478f9d60903bad49961
                                                        • Opcode Fuzzy Hash: dbc80b1718e2016fafeb0e6b49008577d3dba0705351dcc9ba5161a07a146fd3
                                                        • Instruction Fuzzy Hash: 1811C676640204BFD6108E0AEC45E66FB9CEB84730F18C86BFD095B311D276B9149FB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 02A1072C, Relevance: .1, Instructions: 61COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271862482.0000000002A10000.00000040.00000040.sdmp, Offset: 02A10000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eab658ce63f981c95e4158b81ae3898dfa64c8fd0a688dcd11aedd92c02e3bd4
                                                        • Instruction ID: ca6eba15b87a1f36164bb278c17d1239771415d710c9406034e629522f42c2bc
                                                        • Opcode Fuzzy Hash: eab658ce63f981c95e4158b81ae3898dfa64c8fd0a688dcd11aedd92c02e3bd4
                                                        • Instruction Fuzzy Hash: 5B218B351096C0CFC713CB20C890B65BFB1AF4B318F2985EAD8848B663C73A9846DB52
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 02A1075C, Relevance: .1, Instructions: 59COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271862482.0000000002A10000.00000040.00000040.sdmp, Offset: 02A10000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3942c981e51f629f2f45d1fa6082a097f4ec1d5003551897c3b2fc4f79925447
                                                        • Instruction ID: 60be7e0e5d3a6b70a0e605c8791969777539fe00b6e4adaa08327cb37aa56ef8
                                                        • Opcode Fuzzy Hash: 3942c981e51f629f2f45d1fa6082a097f4ec1d5003551897c3b2fc4f79925447
                                                        • Instruction Fuzzy Hash: 5011E434208644DFD715CB14D980B26FBA5EF88B28F28C5ADEC490B642CB7BD843CE91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D8E63, Relevance: .1, Instructions: 59COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 18fe170eb632b856849fcf22d4c71c7c730a398baf4fdabec95d3a355ff5cca4
                                                        • Instruction ID: 1faab3202a61d3747e090283407beccce2ff94ea8ad51035009a12538465e27b
                                                        • Opcode Fuzzy Hash: 18fe170eb632b856849fcf22d4c71c7c730a398baf4fdabec95d3a355ff5cca4
                                                        • Instruction Fuzzy Hash: CF21E878D04249DFCB04DFA9C595AEEBBB1FF48310F1081A9D805AB351DB34AA46DF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 02A10700, Relevance: .1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271862482.0000000002A10000.00000040.00000040.sdmp, Offset: 02A10000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3cf6a23797cdbc37f498109daa55d7de5bbbc02c8dbfaf74dd52b88c4a574851
                                                        • Instruction ID: 0c70f941078ee54aa7b7210c951d1eaf75ec15b68ba9ec4cb326b4ba08d93c04
                                                        • Opcode Fuzzy Hash: 3cf6a23797cdbc37f498109daa55d7de5bbbc02c8dbfaf74dd52b88c4a574851
                                                        • Instruction Fuzzy Hash: A5218C351097C4DFC7038B10C890B25BFA1EF46724F2986EAD8858B6A3C73A9856CB52
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBAB09, Relevance: .1, Instructions: 56COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 62fdd526721ef460c55824c360d32a575d3a31d7be42572b976eb83072b9822f
                                                        • Instruction ID: f5c0a08d6f04a6244182671b0397d9831683929dbde4ad5e07df6c533d27e595
                                                        • Opcode Fuzzy Hash: 62fdd526721ef460c55824c360d32a575d3a31d7be42572b976eb83072b9822f
                                                        • Instruction Fuzzy Hash: E411D7B5908301AFD350CF19D881A5BFBE4FB88660F04892EF998D7311D335E9048FA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D23A5, Relevance: .1, Instructions: 54COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 97a66c5200d9fac8ec6fbea76eb0e4005abd27b9556631c5a99965d4948f7558
                                                        • Instruction ID: 0517c5eb217702602c1300009aeb23293796e77fc342fd81b00c12a97863f5a8
                                                        • Opcode Fuzzy Hash: 97a66c5200d9fac8ec6fbea76eb0e4005abd27b9556631c5a99965d4948f7558
                                                        • Instruction Fuzzy Hash: 9D113C7CE0824C8FCB04CFA5C4846ADFBB4FB59318F189599DC99AB25BD730954ACB41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA118, Relevance: .0, Instructions: 50COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 17e3d0be4a025c8af34e479e21bc7375a04f4837883ca7edee7862c485218dad
                                                        • Instruction ID: a8ef53070f0862289add9d09268474c512c216134ee576a0345df3e4e83dfb1f
                                                        • Opcode Fuzzy Hash: 17e3d0be4a025c8af34e479e21bc7375a04f4837883ca7edee7862c485218dad
                                                        • Instruction Fuzzy Hash: 7101D47540D3C02FE3124B256C55A92FF78EF43620F0884CBED849F253D22A6909DBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 02A105CF, Relevance: .0, Instructions: 44COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271862482.0000000002A10000.00000040.00000040.sdmp, Offset: 02A10000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 40cd80b105e6e88ba44bc5d0253249bda44088f992e36b5354b4c60128d6ec52
                                                        • Instruction ID: f2767d2681272c613344ae9fe25e548084480392993f3792714046dbf6a97dde
                                                        • Opcode Fuzzy Hash: 40cd80b105e6e88ba44bc5d0253249bda44088f992e36b5354b4c60128d6ec52
                                                        • Instruction Fuzzy Hash: 9701D6B65497806FC7118F16EC40893FFA8DF8663070984AFFC898B212D125B948CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DA598, Relevance: .0, Instructions: 44COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5ecdaca84ad4e9e9b343576ae370b4e696d1fc91e8219cc0edb2b7c139b18f9f
                                                        • Instruction ID: e9d11856cd9b65858b663a48ee82022d07d8cdf38c9587820df802489a8ec1c8
                                                        • Opcode Fuzzy Hash: 5ecdaca84ad4e9e9b343576ae370b4e696d1fc91e8219cc0edb2b7c139b18f9f
                                                        • Instruction Fuzzy Hash: 3B018F7894A20CDFCB04EBA4E895AAD7F74EB86314F3042EDC80AA3351C7711919DF54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D17B8, Relevance: .0, Instructions: 40COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 41e1bf6d0bf5d61db99eaf08ed03ebc10a2c831ce0b151fd96dc3b5e672d920b
                                                        • Instruction ID: 34e9578a91de68f6f9e9a65a1c369884fc4985b618ad5e4ebf8edcb17349c329
                                                        • Opcode Fuzzy Hash: 41e1bf6d0bf5d61db99eaf08ed03ebc10a2c831ce0b151fd96dc3b5e672d920b
                                                        • Instruction Fuzzy Hash: 3701D0B4D552099FCB04DFA9C585AAEBFF0EF4A304F1481AAD808A7361D7305A49CF96
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DBBA0, Relevance: .0, Instructions: 39COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e38a1400105df51d9df4021dd467a52de230a6106f33f87726d201f3758aafca
                                                        • Instruction ID: c8f5ade089be8c58488c796ad0efd22560de4f263261182672e7ee53a5c3a328
                                                        • Opcode Fuzzy Hash: e38a1400105df51d9df4021dd467a52de230a6106f33f87726d201f3758aafca
                                                        • Instruction Fuzzy Hash: 2DF0373890920CEFCB01CFA4D5509ACBBB5EB4A218F2182DAD859E3355C6316A65DB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DA3E0, Relevance: .0, Instructions: 38COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d65a25d81da1f0ed140313f705c8546e2dbf859a90226fbdaf8c9011b522fadc
                                                        • Instruction ID: 52d4af53cb8be09df7ebd74e822c95e7048f7ea0b4fcca2f57889a08bf189a94
                                                        • Opcode Fuzzy Hash: d65a25d81da1f0ed140313f705c8546e2dbf859a90226fbdaf8c9011b522fadc
                                                        • Instruction Fuzzy Hash: 75F0C87C94B2488EC705EB64E4546AD7F759B02304F3086F9C808D3251D7702908CF56
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D272D, Relevance: .0, Instructions: 38COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8436c860e5cbae61a843a42d52e503a990f11f2ce6343b3118496d49e36d53cd
                                                        • Instruction ID: 5c2a9e10a4f1102736c98ec8a282c79653c7b35d9c0074127d9da13b197895d4
                                                        • Opcode Fuzzy Hash: 8436c860e5cbae61a843a42d52e503a990f11f2ce6343b3118496d49e36d53cd
                                                        • Instruction Fuzzy Hash: 0D11D378A04218CFDB60DF24D994B9CBBF1FB09310F1085A9D409E7359D770AA85CF21
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DA520, Relevance: .0, Instructions: 38COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f758405cb23ff1244eb39d39a4af87517d37811a4ee460403ebcce5168964350
                                                        • Instruction ID: e71510431361d3b10b7393d6f4a7569bf4d7aafbea33c50fe7a0a7443ff24af7
                                                        • Opcode Fuzzy Hash: f758405cb23ff1244eb39d39a4af87517d37811a4ee460403ebcce5168964350
                                                        • Instruction Fuzzy Hash: A3F0903894A24CDFCB0ACFA4D8859ADBB71EF46300B20C1EADC0997291C7359A15DB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D17C8, Relevance: .0, Instructions: 34COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fee5933cecdacd4086226eb6f25ccc19f25f3de7035e9b7d7cbe788d1ddc3974
                                                        • Instruction ID: 729b7579197a69be292defdd866fbc579f98ab0390c16cf9d8379c14f868cd74
                                                        • Opcode Fuzzy Hash: fee5933cecdacd4086226eb6f25ccc19f25f3de7035e9b7d7cbe788d1ddc3974
                                                        • Instruction Fuzzy Hash: 1001C9B4D00209DFCB44DFA9C5459AEBBF1FF49304F1081A9D808A7360DB305A44DF95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DB00C, Relevance: .0, Instructions: 32COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 215b5edd58190a4e923921f0420a3a6dbe8f6d82cfa5af3b7d018da23f799d96
                                                        • Instruction ID: 9057aa18505115538fd541e957c43806ef29c76b5ab5a106bfb13e6f54cabdf4
                                                        • Opcode Fuzzy Hash: 215b5edd58190a4e923921f0420a3a6dbe8f6d82cfa5af3b7d018da23f799d96
                                                        • Instruction Fuzzy Hash: 0901A47990526C8FCB64DF24C9957ECBBB5AB49310F1081E9D50AE72A5DB305E80CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DB723, Relevance: .0, Instructions: 32COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9bbc610d948b14d3036388ed1e84079bab99f198f24da54ac7d412fef4ab6653
                                                        • Instruction ID: 5c35af392ed84eb20e122f926af814d7e8bdeba62d9cbc72e6b91db8902aa07b
                                                        • Opcode Fuzzy Hash: 9bbc610d948b14d3036388ed1e84079bab99f198f24da54ac7d412fef4ab6653
                                                        • Instruction Fuzzy Hash: AC019D799052688FCB68DF24C9957ECBBB5BB49324F1441EAD90AB72A4DB305E84CF10
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 02A10818, Relevance: .0, Instructions: 31COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271862482.0000000002A10000.00000040.00000040.sdmp, Offset: 02A10000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
                                                        • Instruction ID: 42b7597b32bc38dd3377ebec6bd16e6c1b4ecf63fc5b6998f57551770fb9842d
                                                        • Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
                                                        • Instruction Fuzzy Hash: 74F0FB39108644DFC306CF40D980B15FBA6EB89718F24C6A9E9491B652C7379813DA81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DA457, Relevance: .0, Instructions: 30COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 280723c18877d3bb583ec69c7b14720f5c2658ad982367f520f93587eed408b1
                                                        • Instruction ID: 32f299dfbc26c0065737787be3136ec3ff9c07cafd81b5dccfaea69bcb1e32dc
                                                        • Opcode Fuzzy Hash: 280723c18877d3bb583ec69c7b14720f5c2658ad982367f520f93587eed408b1
                                                        • Instruction Fuzzy Hash: 49F0A02C54A10ACACB15DF64D1897BEB7B4EB06204F208595D80D93221D3701A1ADB91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D1958, Relevance: .0, Instructions: 30COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 26e1a2863a657ed05e87205a6fe5a4315fb2bf1380903bb8ae8960d7c8ca5c66
                                                        • Instruction ID: af9dd15f0f9fe72715808dd85f66e32874220a2dc424f5f9d38fd4ac6330e11e
                                                        • Opcode Fuzzy Hash: 26e1a2863a657ed05e87205a6fe5a4315fb2bf1380903bb8ae8960d7c8ca5c66
                                                        • Instruction Fuzzy Hash: D2F08C34809348EFCB16AFA4D88959EFF30AF07310F1082AAD8455B3A2D3350A48DB56
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DBC80, Relevance: .0, Instructions: 28COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ed8e85ea104da9ac8c758964fd476b77003551c37f1aefa1b2999980cf00d53f
                                                        • Instruction ID: 10841ad321aa0de16a2d27c405389a99bae3a69acc3aac4a25b982472e8d30fc
                                                        • Opcode Fuzzy Hash: ed8e85ea104da9ac8c758964fd476b77003551c37f1aefa1b2999980cf00d53f
                                                        • Instruction Fuzzy Hash: 5FF01C389092489FDB02DFA9D89059CBFB0EF49204F2482EAD809D7392DB31590BCF45
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 02A105AF, Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271862482.0000000002A10000.00000040.00000040.sdmp, Offset: 02A10000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d93aa1faa3b3c052ac7143ae52e6af12218af95c8d4224aafefb1a0d49f9208a
                                                        • Instruction ID: 2c21c09ffd8203ab0c87527e043eaa59eefb17750831c27dd452e036c6af83de
                                                        • Opcode Fuzzy Hash: d93aa1faa3b3c052ac7143ae52e6af12218af95c8d4224aafefb1a0d49f9208a
                                                        • Instruction Fuzzy Hash: 1AE0D8765492501FD790CF2ABC864A5FF90E981271B1C84FFDC8C8A212D126A54DCBA6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 02A105F6, Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271862482.0000000002A10000.00000040.00000040.sdmp, Offset: 02A10000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e80ceadbbbbc5cb1a13d4ca04880fd13d70c5f934c4e4309b0cf3c97c85ed855
                                                        • Instruction ID: 81b31fdda8b5d7e3bd48823774619ce56855ea6f8c7a60d426133a805313c610
                                                        • Opcode Fuzzy Hash: e80ceadbbbbc5cb1a13d4ca04880fd13d70c5f934c4e4309b0cf3c97c85ed855
                                                        • Instruction Fuzzy Hash: 00E092766406004FD750CF0AEC85456F7D8EB88630718C47FEC0D8B710E135B544CEA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D00B8, Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 14846ba3ea40b7b63e4541541a2b9b1a1ef038235f17478679818eecb9ff44d9
                                                        • Instruction ID: e5b355fdc64fa6f6b15a4037a96811a78670ce4b4391542676225089db0d8a0c
                                                        • Opcode Fuzzy Hash: 14846ba3ea40b7b63e4541541a2b9b1a1ef038235f17478679818eecb9ff44d9
                                                        • Instruction Fuzzy Hash: 49E06D34901408EBC708EF56D552BA9B3B0EF46304F1451A69409A7261DB301F00DBA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DB2F0, Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 45002991acf15c2430547f92695f81342397279e5da2d64e149b52f37fb88a2e
                                                        • Instruction ID: 0ed797dc869c2be3d52324f1db80d0356d753fdd016037756f872079211ed3f8
                                                        • Opcode Fuzzy Hash: 45002991acf15c2430547f92695f81342397279e5da2d64e149b52f37fb88a2e
                                                        • Instruction Fuzzy Hash: A3F0E73990412CDFDB64DF64C844BEDBBB1EB49304F5480D9D009A3291CB359B85DF11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D8558, Relevance: .0, Instructions: 27COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 92107db8692cac27b97f05d490a7d1dc1a235fce806b0f5edb61cd141d385332
                                                        • Instruction ID: 488d80975b9131ce35770f4a48eff83e4afe9e9e3a458e4fa1e2b9b170e3428f
                                                        • Opcode Fuzzy Hash: 92107db8692cac27b97f05d490a7d1dc1a235fce806b0f5edb61cd141d385332
                                                        • Instruction Fuzzy Hash: B9E09A388693489FCB02DF749C4219CBFB0EF42204F1042EAD846E72A2D7348A59CB92
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA8FB, Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8d3098ff34c107829bf86e990237cec68828c5163c43a57c4a3e96dcc96dd1b1
                                                        • Instruction ID: 03632da5eafb073fae8ce1f0bf62bd0c754f76d49c55fc821efe4b1288320ecf
                                                        • Opcode Fuzzy Hash: 8d3098ff34c107829bf86e990237cec68828c5163c43a57c4a3e96dcc96dd1b1
                                                        • Instruction Fuzzy Hash: F2E0D8765412006BD2608F06AC86F12FB5CEB54A30F14C46BFD085B301E175B5048AF1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA57B, Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e52b94e91bd11648f4d3374403b272071aebd413fa45f73e747a2139d55ccfd6
                                                        • Instruction ID: a11b1a0cc2d06871bd0fde5488924562e588561cf818192282fdf1023a899516
                                                        • Opcode Fuzzy Hash: e52b94e91bd11648f4d3374403b272071aebd413fa45f73e747a2139d55ccfd6
                                                        • Instruction Fuzzy Hash: BBE0D8755413046BD2608E06AC86B12FB5CEB44A30F54C46BFD085B301E179B5048AE1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBAB6B, Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d34eafc1943d1615bfa72c55c5dbd5db5b4bac591a955394406fa0a3541397b3
                                                        • Instruction ID: c2bc1c242b3870e4e69dfd1e74e9054e8918388f5d3efd7042afbfc3851316e5
                                                        • Opcode Fuzzy Hash: d34eafc1943d1615bfa72c55c5dbd5db5b4bac591a955394406fa0a3541397b3
                                                        • Instruction Fuzzy Hash: 2EE0D8765407006BD2608E06AC86F13FB9CEB44A30F14C46BFD095B301E175B5148AE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA363, Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 17bed8f87bba12cf324e14348a4e7286f508fd9649ccc48edaacb1478a45d070
                                                        • Instruction ID: 3cf2315b72b9d3fe4f67476c3c1e5cdf4467b6c8ea598fe2367d77ba65d1b44c
                                                        • Opcode Fuzzy Hash: 17bed8f87bba12cf324e14348a4e7286f508fd9649ccc48edaacb1478a45d070
                                                        • Instruction Fuzzy Hash: 3DE020B55403006BD2609F0AEC86F13FB5CEB44A30F54C46BFD085B302E175B5048EE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA7CF, Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 04ebc74f1199a9309388cbbb8e27798b8f615907d666a2ae1ace8cef85a3fe14
                                                        • Instruction ID: 1816fa1b35c7c1b5785ab0e27543ca3b12f1c0430a3b8ad0ae72979a66fb7933
                                                        • Opcode Fuzzy Hash: 04ebc74f1199a9309388cbbb8e27798b8f615907d666a2ae1ace8cef85a3fe14
                                                        • Instruction Fuzzy Hash: ACE0D8765402006BD2609F06EC86F23FB5CEB44A30F14C46BFD085B301E175B5048AE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA14C, Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 91df0929885089247328ab3fdaaaee9d467859407400f086e0270c1ba6c6b389
                                                        • Instruction ID: 5f9bbb3cf719c4fc37be4f23d141216155b30033c9f625bc67c17588ee9d75da
                                                        • Opcode Fuzzy Hash: 91df0929885089247328ab3fdaaaee9d467859407400f086e0270c1ba6c6b389
                                                        • Instruction Fuzzy Hash: F8E020755403006BD2608F06EC86F12FB5CEB44A30F54C46BFD085B301E175B504CEE1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FBA6A3, Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 32a70583094daa2ba9721f616d89de59fa4711ede3b85d685c23f7bc8be121ec
                                                        • Instruction ID: 4fe0d3552bdc42fc65fb1cf90605a99d2e4296399994fb2722fa8eb483c02682
                                                        • Opcode Fuzzy Hash: 32a70583094daa2ba9721f616d89de59fa4711ede3b85d685c23f7bc8be121ec
                                                        • Instruction Fuzzy Hash: 8DE0D8765402006BD2608F06AC86F26FB5CEB44A30F14C46BFD085B301E175B5048AE5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D8663, Relevance: .0, Instructions: 26COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 07aad5742507aa91d76f9ddd998cfbb917727f48de66a3c221d381acf8ee58c7
                                                        • Instruction ID: 088ae0d2d38b46b6618feb5612f52ae1c932a11ca367beb4f469cd582b4b13fb
                                                        • Opcode Fuzzy Hash: 07aad5742507aa91d76f9ddd998cfbb917727f48de66a3c221d381acf8ee58c7
                                                        • Instruction Fuzzy Hash: E6F0A03880D248AFCB02DFA4D44519CBF70EF06210F1482EAC848A7392D3300516DF52
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9E1F, Relevance: .0, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e5f5b1b1558aa55fda137542895905929be17c1840547b6bf7b1c71d63a8a026
                                                        • Instruction ID: f9f56dd5ccf1bccd88a4a943e9c986c6bf0e9e2176ab76903aa17586e2f235c0
                                                        • Opcode Fuzzy Hash: e5f5b1b1558aa55fda137542895905929be17c1840547b6bf7b1c71d63a8a026
                                                        • Instruction Fuzzy Hash: 7DE0DF34949208CBCB02EF74D98ABEDBF70FF02305F2082AAC40963292C7701589CE99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DBC2F, Relevance: .0, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0a8057abe6aadb48df0b66717503cc204c91b41c4289e1b6530e13c918ef5672
                                                        • Instruction ID: c562bcec72322ee8b011ea121f01cc679a8690f82f3730fa66b76453c21b576a
                                                        • Opcode Fuzzy Hash: 0a8057abe6aadb48df0b66717503cc204c91b41c4289e1b6530e13c918ef5672
                                                        • Instruction Fuzzy Hash: 73F05E3490D2889FCB01DBA4D5A05ACBFB0EF8A214F1886FAD88497392C7355A16DB11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D2E39, Relevance: .0, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4e1125ebe7d5a06f58712cbeffb084474c93175973e07d83167807d6ff3dd57b
                                                        • Instruction ID: 237e5325d831fa3218ee1eae530797b1c085d7f4b11bf4071dfe1d32f848736d
                                                        • Opcode Fuzzy Hash: 4e1125ebe7d5a06f58712cbeffb084474c93175973e07d83167807d6ff3dd57b
                                                        • Instruction Fuzzy Hash: 85E0927485A2889FCB06DBB8D89519CBF70EF07204F1405E9D849973A3D3301559CB01
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DB5F8, Relevance: .0, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b4e8ab6a4ecfc6665ae697632166e2a6dc49f8d14cd14b63d67b3e893f4d0f52
                                                        • Instruction ID: ba895ea15536d20aabfe8eeb05bf80e2cc1de77a6dcafb4f6a60777e33cd7506
                                                        • Opcode Fuzzy Hash: b4e8ab6a4ecfc6665ae697632166e2a6dc49f8d14cd14b63d67b3e893f4d0f52
                                                        • Instruction Fuzzy Hash: ACF0AF79900228AFCB64CFA4D884BDCBBB4EB48314F1480DAE519E3291DB319A85DF10
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DAF1A, Relevance: .0, Instructions: 25COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 14c9db734a62ad7071b631d306e17c8def6bd81e5deeaa20fadef3abaaf6427d
                                                        • Instruction ID: 5df0d58606ebcd3c17485d59512e197220f743ff0b568d5b0196b0a8ba40b483
                                                        • Opcode Fuzzy Hash: 14c9db734a62ad7071b631d306e17c8def6bd81e5deeaa20fadef3abaaf6427d
                                                        • Instruction Fuzzy Hash: F1F0D479E04218DFDB29CFA5C980BECBBB1FB48304F20849AE518B7281D3319A85CF11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D0070, Relevance: .0, Instructions: 24COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1defe769c28d587269b47c16d3b3401bc50a8b85d8fd4af57351c95652b9fca9
                                                        • Instruction ID: 0bf0364a3f2862ee939e94421255678d0663151006e76bbbc61f17143f508678
                                                        • Opcode Fuzzy Hash: 1defe769c28d587269b47c16d3b3401bc50a8b85d8fd4af57351c95652b9fca9
                                                        • Instruction Fuzzy Hash: 55E07D7054220CEFC708FBB5EA1767F7374CB02301F10086C900563280CE346E10EA69
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9937, Relevance: .0, Instructions: 24COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 71f7d128591fb86e1f63c96ff275a6cd61a15d42c0ba01a21e2286012b83f48a
                                                        • Instruction ID: 983d7df49787bdf5427a36e61403fa84dd0e69ddea983be37359a55ecc46a823
                                                        • Opcode Fuzzy Hash: 71f7d128591fb86e1f63c96ff275a6cd61a15d42c0ba01a21e2286012b83f48a
                                                        • Instruction Fuzzy Hash: D1E08C3484F388AFCB029B7898516AE7B78AF03202F1412DBD409E72A2CB700909DB56
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DAA30, Relevance: .0, Instructions: 23COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 67d65d3f0bdf0dfb6ab04fa53e9d109054a44f8175ac2d81b545590ee77ada2a
                                                        • Instruction ID: e35b6cbb163ae841e8700b68d827e3f1613a507dcdf32be2c3bb568671dc79ff
                                                        • Opcode Fuzzy Hash: 67d65d3f0bdf0dfb6ab04fa53e9d109054a44f8175ac2d81b545590ee77ada2a
                                                        • Instruction Fuzzy Hash: 0DE0DF3855E38ACFC316DF64C4485AA7F31AF0B218F2423C5C4489B2E2C7311945DB9A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9DA0, Relevance: .0, Instructions: 22COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dc54fcb4df9f5d5b448aa8a0d30a457adab54198a5b8e4110a8b10c94fbc3163
                                                        • Instruction ID: 4451bf10b18626b9bc17dbd5471f0cc2f603ed1d284a6e36c34828564bafb3c9
                                                        • Opcode Fuzzy Hash: dc54fcb4df9f5d5b448aa8a0d30a457adab54198a5b8e4110a8b10c94fbc3163
                                                        • Instruction Fuzzy Hash: 43E0863494920CDBC718FFA5D9497BDBBB8FB45308F6442E9C80C566A1CB312A94DB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DBB13, Relevance: .0, Instructions: 22COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2ad14e63ec32f1c10bc1628dd38088de5c877f70dc2a71d2042a93372fcdf582
                                                        • Instruction ID: 0425bf6180f86ae8059af5a124bed47359a3f7afb8336b32d3356aa2dd76cffb
                                                        • Opcode Fuzzy Hash: 2ad14e63ec32f1c10bc1628dd38088de5c877f70dc2a71d2042a93372fcdf582
                                                        • Instruction Fuzzy Hash: 9FF03938808148AFCB01DFA8D4909ACBFB0EB89314F2481AAD84592342C7325A16DF44
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DA558, Relevance: .0, Instructions: 22COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6ad4adcc1f5a4f2ecd88ffc2a645983b4ddacfda3e8b04f644875d040091fa6d
                                                        • Instruction ID: 3cb273da6e030666cdac2757316c1dadff02a2189dffc8ed5ac5257c9d129374
                                                        • Opcode Fuzzy Hash: 6ad4adcc1f5a4f2ecd88ffc2a645983b4ddacfda3e8b04f644875d040091fa6d
                                                        • Instruction Fuzzy Hash: FFE04F7894F2889FCB06DBB4A99959DBF30EB47315F2082DAC44AA7292C7700918DB56
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D00C8, Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3d7cde656ed6d5367258d057ef6c408cec9fce8b0e105e0219415fb2224a7156
                                                        • Instruction ID: d2c6593c9c97cab2442e623e914dd5dc7da769f9dd941ecac60f77b852452979
                                                        • Opcode Fuzzy Hash: 3d7cde656ed6d5367258d057ef6c408cec9fce8b0e105e0219415fb2224a7156
                                                        • Instruction Fuzzy Hash: 18E0EC70D0110CEBC708EFAAD941BAEB7B5DF46304F5051AA9408B3360DA306E14DAA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D2601, Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4c4e822ad3940a45a5e47ae36442aa39555612457a245da52dc402717d8e78a5
                                                        • Instruction ID: 6c5aec8d075ba44bdff0cd2ce84bd1ad2502cbfdccb00b8354e2b72803ad20fd
                                                        • Opcode Fuzzy Hash: 4c4e822ad3940a45a5e47ae36442aa39555612457a245da52dc402717d8e78a5
                                                        • Instruction Fuzzy Hash: D5F0D47491121CDBDB609F94E884B9CBBB1BB44301F00459ADA0AE2298DB749A898F64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DBC40, Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fd616c084930bdf315e2650ff16826d87bbfb23419680d7b290a8517a3408eab
                                                        • Instruction ID: 2a510ec3e2ca91ee29fa629ec7037dc3698fad1c8cad6a4f6c3ad84fb541c1f2
                                                        • Opcode Fuzzy Hash: fd616c084930bdf315e2650ff16826d87bbfb23419680d7b290a8517a3408eab
                                                        • Instruction Fuzzy Hash: 4BE0E578904208ABCB04DF99D5509ACBBB4EB89314F20C1AAD84893381DB31AA56EB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DBB18, Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fd616c084930bdf315e2650ff16826d87bbfb23419680d7b290a8517a3408eab
                                                        • Instruction ID: 65dcfe724c1a6cf0d3624d0fc87f5166362ae213abe9d325cf1116f7db28ab37
                                                        • Opcode Fuzzy Hash: fd616c084930bdf315e2650ff16826d87bbfb23419680d7b290a8517a3408eab
                                                        • Instruction Fuzzy Hash: FAE0E578904208EBCB05DF98D4409ACBBB4EB88314F20C1AAD84893341D731AA55DB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D1968, Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dda06ae88791ef3b396ad6150a01b69086baff8bece87c8ed46d10e94820e754
                                                        • Instruction ID: 977511681bd6a83b8ffa9f3dd2f41405d9ded4f24561908799fe39a98de4cd0c
                                                        • Opcode Fuzzy Hash: dda06ae88791ef3b396ad6150a01b69086baff8bece87c8ed46d10e94820e754
                                                        • Instruction Fuzzy Hash: B4E0463480020CEBCB18EFA4E885AADFB35AB46311F10816ADC08233A0CB315A54EF99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9D68, Relevance: .0, Instructions: 21COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 145958f1f102b33ceae950c2951dc98af4f9d252717daa798de44f6603343737
                                                        • Instruction ID: 81643b043c26b491778550ddd8ffe668647dcf0ef10932b1c08e1292b616205b
                                                        • Opcode Fuzzy Hash: 145958f1f102b33ceae950c2951dc98af4f9d252717daa798de44f6603343737
                                                        • Instruction Fuzzy Hash: E2E0C22401E34A8EC3039F74A8546B9BFB4DF47214F2586D6E404CB2A2D3746A49CB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9698, Relevance: .0, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 839d4fa6d9101dfb164690f64f366608d7f4f61276b43b0a9ef243b3da117bbf
                                                        • Instruction ID: 731e8d14b9b8eb3be04ca75feb7d43769432434927589ca9dfe9768abb912c2c
                                                        • Opcode Fuzzy Hash: 839d4fa6d9101dfb164690f64f366608d7f4f61276b43b0a9ef243b3da117bbf
                                                        • Instruction Fuzzy Hash: 77E08C7894F2888ECB02ABB4BC55AA97F38DB42204F2042AEC44A931A2D7700908CB11
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DBC90, Relevance: .0, Instructions: 20COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7c074c9dba9027d2423ac79b0348ebf4c661ea387d2604a67e96e36354329212
                                                        • Instruction ID: 800f7d986e0d1e1a9fd45745906f35c85c782e25de06a5a8e6e6d9be18cc7fb2
                                                        • Opcode Fuzzy Hash: 7c074c9dba9027d2423ac79b0348ebf4c661ea387d2604a67e96e36354329212
                                                        • Instruction Fuzzy Hash: A9E09A78D04208EBC704DF99D5515ACBBB4FB88318F2085A9D81897341DB316A56DB45
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D8670, Relevance: .0, Instructions: 19COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 03d8148430cb818f2a2715d6d106941744400b967cd79e1e4bd0680bcd0c503f
                                                        • Instruction ID: fea35916e2e5af9f66ff51678893084f6d174be52818c1854a955ea72e93865a
                                                        • Opcode Fuzzy Hash: 03d8148430cb818f2a2715d6d106941744400b967cd79e1e4bd0680bcd0c503f
                                                        • Instruction Fuzzy Hash: 37E0E678D0520CEBC704DF94E44559DBB74FB44315F2081A5DC18A3381D7701A55DF55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9E30, Relevance: .0, Instructions: 18COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 760885d05fab68163788c22fbbfb5e86bf92f9f4d85afd8e10ec837c8cbca195
                                                        • Instruction ID: 4665e14d91803755b7acfde16d2fa823c361bc062b5649f6fc1869e141bf76bb
                                                        • Opcode Fuzzy Hash: 760885d05fab68163788c22fbbfb5e86bf92f9f4d85afd8e10ec837c8cbca195
                                                        • Instruction Fuzzy Hash: 99D05B74C0920CDBC704EFB4E9455AD7B74E746315F204295C50963350C7706954DE95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DAA40, Relevance: .0, Instructions: 18COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cd7caf09ee11782061b4c5d0da3364b5c438af27273cb11e9f73092b156bbb81
                                                        • Instruction ID: 66c96e43aa353ab3d483ce4d34b769614f77e29dd14f1919bb1138080a01aeec
                                                        • Opcode Fuzzy Hash: cd7caf09ee11782061b4c5d0da3364b5c438af27273cb11e9f73092b156bbb81
                                                        • Instruction Fuzzy Hash: 3DD05B3490920CDBC704EFA4E9495AD7B75E746315F305395C40963350C7711954EE99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9DB0, Relevance: .0, Instructions: 18COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 245d9c80632c8a873e5f2199bc7d19374059fb01933d00fc1598afcf7e873194
                                                        • Instruction ID: f332ab4f4c1087ea70f413aa70ad3f7dbc0277fe8836db5cf0c26eb985001275
                                                        • Opcode Fuzzy Hash: 245d9c80632c8a873e5f2199bc7d19374059fb01933d00fc1598afcf7e873194
                                                        • Instruction Fuzzy Hash: 6AD05E3884920CDBC705FFA4E9445ADBBB8EB46305F6042A9C808A3394CB317A54DB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DA568, Relevance: .0, Instructions: 18COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b9d7f70021f78fc3da192c2a915a1acb687b0381e72673883e29741b81ac3842
                                                        • Instruction ID: 464ac502c15581e6d64781c1e2987df207dfec8297512b1f7d5b5ba8351f1807
                                                        • Opcode Fuzzy Hash: b9d7f70021f78fc3da192c2a915a1acb687b0381e72673883e29741b81ac3842
                                                        • Instruction Fuzzy Hash: 2AD05B7490920CDBC704EFF4E94556DBF78E746315F304299C41963351C7701A54DA55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D2E48, Relevance: .0, Instructions: 17COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9e6ae56c3c5a0607daa441a8cba48a4607d78a737b126a291f5ac9c993d10e7d
                                                        • Instruction ID: f362d5629fa6da19a13a4700220920483a54ae6cd77bc60b221bdccdc4ec6d9d
                                                        • Opcode Fuzzy Hash: 9e6ae56c3c5a0607daa441a8cba48a4607d78a737b126a291f5ac9c993d10e7d
                                                        • Instruction Fuzzy Hash: F9D05E7891520CEBCB00EFB8E9496ACBBB8FB05605F6001A9CC08A3387DB302A54DB55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D8568, Relevance: .0, Instructions: 17COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aaac8aaddb1047ca21d0cc7a82267273f8c7c852c1779e3ed399a114cda6e66f
                                                        • Instruction ID: 49e43de5a0516a6a2925b32ce7c134e21adaca9d99d687ca424d56bea6f07e76
                                                        • Opcode Fuzzy Hash: aaac8aaddb1047ca21d0cc7a82267273f8c7c852c1779e3ed399a114cda6e66f
                                                        • Instruction Fuzzy Hash: CBD05E78C5520CEBC700EFA8E8456ACBF78FB05215F6041AAC849A3380EB306A65CB95
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D96A8, Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5270e64bff4c44078cf4978884bd15a96d2e949439eabc821c48d0601f859e3b
                                                        • Instruction ID: 92d8b1704538613c381cf1902d5550828359f4bfb6216a5eedd3630cab89840b
                                                        • Opcode Fuzzy Hash: 5270e64bff4c44078cf4978884bd15a96d2e949439eabc821c48d0601f859e3b
                                                        • Instruction Fuzzy Hash: EED0227840A20CDBCB00FFA4FC04B6ABB3CEB06209F2002A8D40C93262DB702900DF68
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DA530, Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5c669ce99e98499ed5e6f329c11a77d835aacd7cbd0c88070295b2ef69f07663
                                                        • Instruction ID: db11ff1665b4082d6986b043914a2f255d7562ae564a341348b9293812a78a8a
                                                        • Opcode Fuzzy Hash: 5c669ce99e98499ed5e6f329c11a77d835aacd7cbd0c88070295b2ef69f07663
                                                        • Instruction Fuzzy Hash: 11D0127444A20CDFC708EBE4E986A7A777CE742A14F301599C50993251DBB12D18D9A9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9948, Relevance: .0, Instructions: 16COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2314fdadfe6c01d4862c8fdb5a1c6af1369ac7d910b1d5597fbb32f00ac15083
                                                        • Instruction ID: 7baf438afc87354cf77e53d82c1bb8b4ac455caa70d53c3b1a107466aa01e5c2
                                                        • Opcode Fuzzy Hash: 2314fdadfe6c01d4862c8fdb5a1c6af1369ac7d910b1d5597fbb32f00ac15083
                                                        • Instruction Fuzzy Hash: 7CD0223440E20CEBC700EBA8E844BAA776CEB03616F201298C80CA3250CB702904EA58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DA468, Relevance: .0, Instructions: 15COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fdb739c47c0261467909b45b131731cd5ccf8092d8864e61b83eefa5249cb514
                                                        • Instruction ID: e69f95adfc5cb8f11261f02e8c828b18093650cfa2b956e9330645159b6d24d7
                                                        • Opcode Fuzzy Hash: fdb739c47c0261467909b45b131731cd5ccf8092d8864e61b83eefa5249cb514
                                                        • Instruction Fuzzy Hash: 83D0C96944A20C9AC604EA98EA4866A77ACD706214F2049A5D84992251DA713A18DAA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D9D78, Relevance: .0, Instructions: 15COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 354ed7a6d2ba5e2d074ab0ac03be8db30b5639063978e8129acc27ca2087665f
                                                        • Instruction ID: ade8b6564bf90980d91b20f2c30b1ae5fa27056a8e75754063da9e02f6ba3949
                                                        • Opcode Fuzzy Hash: 354ed7a6d2ba5e2d074ab0ac03be8db30b5639063978e8129acc27ca2087665f
                                                        • Instruction Fuzzy Hash: E4D0127845920CDBC700EBA8D94477D77ACD747224F204A95D808D3252DB717A14DAA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028DBBA3, Relevance: .0, Instructions: 14COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f6289149b22899a3cc562fa8a1614676f54edf21d142a6c47e72bfd3f4703b20
                                                        • Instruction ID: dadfd6976573b9c3133865c617fc70c3ed11dd95ac2ff44fbbe5c485ac925133
                                                        • Opcode Fuzzy Hash: f6289149b22899a3cc562fa8a1614676f54edf21d142a6c47e72bfd3f4703b20
                                                        • Instruction Fuzzy Hash: 00D0A7795081C45FC302CB6484A147CBFF0CE17114B0884CBDC84CB203D5329917C711
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D2A53, Relevance: .0, Instructions: 13COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 05bb4061d9d33fd957759b02cebc6251d5b01c5a3493aa54ec56517fb2a87f58
                                                        • Instruction ID: 2d9544613ce34bb2f35afab46fae2a95d4241eb53635d5ce0a9ea4f89fba54bf
                                                        • Opcode Fuzzy Hash: 05bb4061d9d33fd957759b02cebc6251d5b01c5a3493aa54ec56517fb2a87f58
                                                        • Instruction Fuzzy Hash: A5D05E38D1410CCBEB20CF18E440B8C7BB5FB09300F00989AC417E328DC774AA168F60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Function 00644351, Relevance: 2.9, Instructions: 2884COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.270004069.0000000000642000.00000002.00020000.sdmp, Offset: 00640000, based on PE: true
                                                        • Associated: 00000000.00000002.269996231.0000000000640000.00000002.00020000.sdmp Download File
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 92e99133a0dd72c26d4426534e279951bb50ea2a041c6fc42289569704164af1
                                                        • Instruction ID: 9d4f34841a0b2c1cdc1f40260e62c4158f5c11ae1667540e4b9d0d05e294c71d
                                                        • Opcode Fuzzy Hash: 92e99133a0dd72c26d4426534e279951bb50ea2a041c6fc42289569704164af1
                                                        • Instruction Fuzzy Hash: 5133FB6144F7D15FC7138B786CB16E27FB2AE5321431E45C7E4C08F0A3E2185AAAD7A6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 00FB2E09, Relevance: .4, Instructions: 443COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271197106.0000000000FB2000.00000040.00000001.sdmp, Offset: 00FB2000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f4e89055051087c8176e2129ace03f1d3b5df1b0b2d703b734af7f6287c69e88
                                                        • Instruction ID: 58bf85b45bb837848c7d459ce4adcca134d1fa0db91ed899543bde2491042873
                                                        • Opcode Fuzzy Hash: f4e89055051087c8176e2129ace03f1d3b5df1b0b2d703b734af7f6287c69e88
                                                        • Instruction Fuzzy Hash: 7C91C69684E7C15FDB13477998696923F709E67228B4F41EBC0C1CF4B7E1980A0AE732
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D2E77, Relevance: .1, Instructions: 145COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9c91752e92b7739f35f891e5cf5cbe161c6e163578cbf18a4209defa9083da38
                                                        • Instruction ID: c0d5cc7a3362679849562ca2e193fc0da0a8e3b87acc08ec0e4c40ee564b5e67
                                                        • Opcode Fuzzy Hash: 9c91752e92b7739f35f891e5cf5cbe161c6e163578cbf18a4209defa9083da38
                                                        • Instruction Fuzzy Hash: 92511B70A043099FDB04EF6AE891B9DBFB6FFC8304F14C169D118AB269DB7058469F61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D2E88, Relevance: .1, Instructions: 136COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 356c01af1feb12e82230609f39423a697b42d1d2b1c256b4cc2d4399137dea5f
                                                        • Instruction ID: 309575c93f975f23a80ff8c649d417eb3db8c6342d5f0f11ffb7f3b05a338017
                                                        • Opcode Fuzzy Hash: 356c01af1feb12e82230609f39423a697b42d1d2b1c256b4cc2d4399137dea5f
                                                        • Instruction Fuzzy Hash: 0A511970A0430D9FDB04EF6AE881B9DBFB6FBC4304F14C16AD118A7269DB7058069F61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Function 028D30D0, Relevance: .1, Instructions: 106COMMON
                                                        Download Yara Rule
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.271751909.00000000028D0000.00000040.00000001.sdmp, Offset: 028D0000, based on PE: false
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 304963d69cb01d0eb49e2764c148050fd85cd951384d26bd2bcd9210c3b597e3
                                                        • Instruction ID: d8101a2a6a0d887d671d6bf9597f0a971ee9359548d483a96fad266f38c63199
                                                        • Opcode Fuzzy Hash: 304963d69cb01d0eb49e2764c148050fd85cd951384d26bd2bcd9210c3b597e3
                                                        • Instruction Fuzzy Hash: A8412FB5E016588BEB5CCF6B8D4078EFAF7AFC9200F14C5FA850DAA214DB3419868F55
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%